Unable to add NameID: Missing 'uid' in the attributes of the user


fiambre wwiiol

Jan 5, 2018, 6:27:39 AM
to SimpleSAMLphp
Hi all.

Not sure if I'm doing something incorrectly. I successfully configured an OpenLDAP authsource and tested it correctly in the SimpleSAMLphp page (I authenticate and get the several attributes, including the uid).

But when trying to make it work with Alfresco (which recently started supporting SAML) I am finding these messages in /var/log/messages:

Jan  5 09:45:37 ssaml simplesamlphp[33554]: 6 [195e7fe15a] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Jan  5 09:45:37 ssaml simplesamlphp[33554]: 6 [195e7fe15a] SAML2.0 - IdP.SSOService: incoming authentication request: 'DEFAULT'
Jan  5 09:45:45 ssaml simplesamlphp[33555]: 5 STAT [195e7fe15a] User 'xxxxxxxxx' successfully authenticated from -IP-here
Jan  5 09:45:45 ssaml simplesamlphp[33555]: 5 STAT [195e7fe15a] saml20-idp-SSO-first DEFAULT http://server/s/saml2/idp/metadata.php NA
Jan  5 09:45:45 ssaml simplesamlphp[33555]: 5 STAT [195e7fe15a] saml20-idp-SSO DEFAULT http://server/s/saml2/idp/metadata.php NA
Jan  5 09:45:45 ssaml simplesamlphp[33555]: 6 [195e7fe15a] Sending SAML 2.0 Response to 'DEFAULT'
Jan  5 09:45:45 ssaml simplesamlphp[33555]: 3 [195e7fe15a] Unable to add NameID: Missing 'uid' in the attributes of the user.
Jan  5 09:45:45 ssaml simplesamlphp[33555]: 4 [195e7fe15a] Falling back to transient NameID.

And the authentication in Alfresco fails.

Not sure if I have to define the attributes in saml20-sp-remote.php in any other way

[...]
$metadata['DEFAULT'] = array (
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  'simplesaml.nameidattribute' => 'uid',
  'entityid' => 'DEFAULT',
  'contacts' => [...]

or if I am missing something.

How can the test page work (as it seems to), yet it is not able to send the uid correctly?

PS: very green user here, btw.

Peter Schober

Jan 9, 2018, 6:53:51 AM
to SimpleSAMLphp
* 'fiambre wwiiol' via SimpleSAMLphp <simple...@googlegroups.com> [2018-01-05 12:27]:
> $metadata['DEFAULT'] = array (
> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
> 'simplesaml.nameidattribute' => 'uid',
> 'entityid' => 'DEFAULT',
> 'contacts' => [...]
>
> or if I am missing something.

First of all, are you sure that the service definitively needs a
persistent NameID to identify the subject? Using attributes is much
easier.

What documentation did you follow for the above?
Look at https://simplesamlphp.org/docs/stable/saml:nameid --
especially at the examples at the bottom.

So AFAIU you'd need to add an authproc filter to your IDP, for
example to your config/config.php in the 'authproc.idp' section:

49 => array(
'class' => 'saml:PersistentNameID',
'attribute' => 'uid',
),

HTH,
-peter

fiambre wwiiol

Jan 9, 2018, 8:39:15 AM
to SimpleSAMLphp
Hi Peter.

We started by following several pieces of documentation, one from an example done for RedIRIS and the docs available in the installation itself.

I added the attribute array in the authproc.idp filter and the "uid missing" lines are gone, but Alfresco keeps saying there is no uid in the answer.

" 2018-01-09 14:26:05,780  ERROR [scripts.saml.SSOResponseACSPost] [http-apr-8080-exec-7] [share] [SAML:-default-] [spSsoURL=http://my-server/share/page/saml-authnresponse] SSO AuthnResponse - login validation encountered a problem: 00093145 Couldn't get user from auth response [-default-] - check that the appropriate IdP attribute is mapped and that the IdP user has a valid value
 org.alfresco.error.AlfrescoRuntimeException: 00093145 Couldn't get user from auth response [-default-] - check that the appropriate IdP attribute is mapped and that the IdP user has a valid value [...]"

Our problem might be related to another problem I posted today, of which we were not aware until I started redoing all the steps again yesterday... Alfresco gives us an XML for the SAML; we put that in the ssaml parser, the parser gives us a PHP body to add to saml20-idp-remote.php that looks correct, but the logs are showing some errors, so that body might be incomplete or wrong... and so we don't get the uid correctly (?)

Is there a way to see what SAML is sending to Alfresco (not encrypted)?

Peter Schober

Jan 9, 2018, 10:01:54 AM
to SimpleSAMLphp
* 'fiambre wwiiol' via SimpleSAMLphp <simple...@googlegroups.com> [2018-01-09 14:39]:
> We started following several documentation, one from an example done
> for RedIris and the docs available at the installation itself

If you're part of the Spanish Research and Education community then
you can always ask RedIRIS. No one else will support you following
their documentation.
This project and community can only support people following its own
documentation. There's just too much nonsense on the net.

> I added the attributte array in the authproc.idp filter and the uid
> missing lines are gone but Alfresco keeps saying there is no uid in
> the answer.
>
> " 2018-01-09 14:26:05,780 ERROR [scripts.saml.SSOResponseACSPost]
> [http-apr-8080-exec-7] [share] [SAML:-default-]
> [spSsoURL=http://my-server/share/page/saml-authnresponse] SSO AuthnResponse
> - login validation encountered a problem: 00093145 Couldn't get user from
> auth response [-default-] - check that the appropriate IdP attribute is
> mapped and that the IdP user has a valid value
> org.alfresco.error.AlfrescoRuntimeException: 00093145 Couldn't get user
> from auth response [-default-] - check that the appropriate IdP attribute
> is mapped and that the IdP user has a valid value [...]"

I don't know any technical detail what specifically you need to send
(you started with questions about SAML 2.0 persistent NameIDs, but the
error message above is about SAML Attributes). And the error message
above has no technical details about what it expected and what it got.

So nothing you wrote so far will allow anyone else to debug your problem.

From the wording of the error message above I'd say that you should
forget about NameIDs (unless their documentation says they are
required) and use attributes instead. The error message suggests that
you can choose to map any attribute of your choosing in their software.

> Our problem might be related to another problem I posted today, of
> which we were not aware till I started yesterday redoing all the
> steps again... Alfresco gives us a XML for the saml, we put that in
> the ssaml parser , the parser gives us a php body to add in the
> saml20-idp-remote.php that looks correct, but the logs are showing
> some errors, so that body might be uncomplete or wrong... and so we
> dont get the uid correctly (?)

So you're having yet another problem again unrelated to NameIDs?
What do you mean with "XML for the saml" specifically? An example of
SAML protocol messages? Of SAML Metadata? These are all "XML" and all
are part of "SAML".

And unless Alfresco uses SimpleSAMLphp (which I doubt but don't know)
you don't put anything into saml20-idp-remote.php on your
SimpleSAMLphp, as that is your local/"hosted" IDP. So your IDP only
cares about saml20-idp-hosted.php (itself) or saml20-sp-remote.php
(SPs your IDP should federate with).

And obviously (?) "the logs are showing some errors" is not a
technical error report and sending unusable reports like this will not
allow anyone to help you.

> Is there a way to see what is saml sending to alfresco (not encrypted)?

Turning up logging should do this. Or removing the encryption key from
the SP's metadata (more drastic measure), I guess.

-peter
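As an added example (not part of this thread, and not SimpleSAMLphp or Alfresco code), the following Python script shows one way to answer the "what is the IdP actually sending" question from the SP side once you have a decoded Response in hand: it base64-decodes the SAMLResponse form field of the HTTP-POST binding, reads the NameID format and the released attributes from the assertion, and reports the two symptoms seen above (the 'uid' attribute not being released, and the IdP having fallen back to a transient NameID). The sample Response embedded below is constructed for illustration; its identifiers and values are placeholders, and the 'uid' requirement is a parameter because Alfresco's own attribute mapping is not given in the thread.

```python
"""Inspect a SAML 2.0 Response and report why an SP might not find the expected user.

Added example; assumes an unsigned, unencrypted Response as the IdP would POST it.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: no 'uid' attribute was released, so the IdP fell back to a
# transient NameID, mirroring the log lines quoted in the first post.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp0001" Version="2.0"
    IssueInstant="2018-01-09T13:26:05Z" Destination="http://my-server/share/page/saml-authnresponse">
  <saml:Issuer>http://server/s/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assn0001" Version="2.0" IssueInstant="2018-01-09T13:26:05Z">
    <saml:Issuer>http://server/s/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_transient0001</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>user@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cn"><saml:AttributeValue>Example User</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_for_post(xml_text: str) -> str:
    """Encode a Response the way the HTTP-POST binding carries it (SAMLResponse form field)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value: str) -> str:
    """Reverse of encode_for_post: recover the XML from the SAMLResponse form field."""
    return base64.b64decode(form_value).decode("utf-8")


def inspect_response(xml_text: str) -> dict:
    """Extract NameID format/value and the attribute statement from a decoded Response."""
    root = ET.fromstring(xml_text)
    info = {"encrypted": False, "nameid_format": None, "nameid": None, "attributes": {}}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion needs the SP's private key; inspect on the IdP side
        # (raise the log level) instead, as the reply above suggests.
        info["encrypted"] = root.find("saml:EncryptedAssertion", NS) is not None
        return info
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is not None:
        info["nameid_format"] = nameid.get("Format")
        info["nameid"] = nameid.text
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        info["attributes"][attr.get("Name")] = values
    return info


def diagnose(info: dict, required_attribute: str = "uid") -> list:
    """Return findings that explain the SP-side 'couldn't get user' symptom."""
    findings = []
    if info["encrypted"]:
        findings.append("assertion is encrypted; inspect the Response on the IdP side")
        return findings
    if required_attribute not in info["attributes"]:
        findings.append(f"attribute '{required_attribute}' is not released to this SP")
    if info["nameid_format"] == TRANSIENT:
        findings.append("NameID is transient (IdP fell back because its source attribute was missing)")
    return findings


def diagnose_form_value(form_value: str, required_attribute: str = "uid") -> list:
    """Convenience wrapper: from SAMLResponse form field straight to findings."""
    return diagnose(inspect_response(decode_saml_response(form_value)), required_attribute)


if __name__ == "__main__":
    posted = encode_for_post(SAMPLE_RESPONSE_XML)
    details = inspect_response(decode_saml_response(posted))
    print("NameID format:", details["nameid_format"])
    print("Attributes released:", sorted(details["attributes"]))
    for finding in diagnose(details):
        print("finding:", finding)
```

Run it against a real Response by pasting the SAMLResponse form value (captured with browser developer tools on the POST to the ACS URL) into `diagnose_form_value`; if the assertion is encrypted, the script says so and you are back to reading the IdP's own log at a higher level, as Peter recommends.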