Add uid from LDAP as attribute in SamlResponse


Andre Woerle

May 22, 2023, 5:38:21 AM
to SimpleSAMLphp
Hello everyone,

I am trying to add the UID from my LDAP to the attributes of the SAML response.
I have an LDAP connected to SimpleSAMLphp and logging in is working.
I just want to return the UID as an attribute value.
I hope someone can help me with this.
My saml20-sp-remote looks like this:

'simplesaml.attributes' => true,

'authproc' => [
    20 => [
        'class' => 'core:AttributeAdd',
    ],

    40 => [
        'class' => 'ldap:AttributeAddFromLDAP',
        'authsource' => 'docker-ldap',
        'attributes' => ['http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname' => 'uid'],
        'attribute.policy' => 'merge',
        'search.filter' => '(uid=name)',
    ],

    92 => [
        'class' => 'saml:AuthnContextClassRef',
        'AuthnContextClassRef' => 'urn:federation:authentication:windows',
    ],
],

Andre Woerle

May 22, 2023, 5:47:26 AM
to SimpleSAMLphp
The SimpleSAMLphp version is 2.0.3.

Tim van Dijen

May 23, 2023, 5:19:46 AM
to SimpleSAMLphp
Hello Andre,

'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname' is not the name of an LDAP attribute, so the AttributeAddFromLdap will fail.
You probably want to do 'attributes' => ['sAMAccountName' => 'uid'].

Or perhaps you mean to do it the other way around and map the LDAP 'uid' to a SAML attribute called 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'?
In this case it would be 'attributes' => ['uid' => 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'].

- Tim
On Monday, May 22, 2023 at 11:47:26 UTC+2, Andre Woerle wrote:

Andre Woerle

May 23, 2023, 5:42:16 AM
to SimpleSAMLphp
Hi Tim,

I want the response to look like this:
<AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <AttributeValue>
            hereShouldBeUIDofUser
        </AttributeValue>
    </Attribute>
</AttributeStatement>


So I want to send in the response to the SP an attribute with the name "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", and the value should be the UID of the user that logged into the SimpleSAMLphp IdP.

to the authproc in the AttributeAddFromLdap from above
and the response looks like this now:
May 23 11:38:30 simplesamlphp DEBUG [1f0ea5ac43]     <saml:AttributeStatement>
May 23 11:38:30 simplesamlphp DEBUG [1f0ea5ac43]       <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
May 23 11:38:30 simplesamlphp DEBUG [1f0ea5ac43]         <saml:AttributeValue xsi:type="xs:string">username</saml:AttributeValue>
May 23 11:38:30 simplesamlphp DEBUG [1f0ea5ac43]       </saml:Attribute>
May 23 11:38:30 simplesamlphp DEBUG [1f0ea5ac43]     </saml:AttributeStatement>

I need the username value replaced with the UID of the user that logged in.

I hope that clarifies what I need. Thanks for the help!

Tim van Dijen

May 23, 2023, 5:54:37 AM
to SimpleSAMLphp
Where is that 'username' value coming from? It's not making any sense.. You just have to map the right LDAP attribute...

- Tim

On Tuesday, May 23, 2023 at 11:42:16 UTC+2, Andre Woerle wrote:

Andre Woerle

May 23, 2023, 6:09:27 AM
to SimpleSAMLphp
It comes with the
20 => [
    'class' => 'core:AttributeAdd',
],

I removed it and now there are no attributes anymore:

May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43] Sending message:
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="*****" Version="2.0" IssueInstant="2023-05-23T10:03:55Z" Destination="https://theSP.com/">
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]   <saml:Issuer>https://some.url.com/simplesaml</saml:Issuer>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     <ds:SignedInfo>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       <ds:Reference URI="****">
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]         <ds:Transforms>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]         </ds:Transforms>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]         <ds:DigestValue>******</ds:DigestValue>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       </ds:Reference>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     </ds:SignedInfo>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     <ds:SignatureValue>****</ds:SignatureValue>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     <ds:KeyInfo>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       <ds:X509Data>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]         <ds:X509Certificate>*****</ds:X509Certificate>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       </ds:X509Data>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     </ds:KeyInfo>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]   </ds:Signature>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]   <samlp:Status>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]   </samlp:Status>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]   <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="*****" Version="2.0" IssueInstant="2023-05-23T10:03:55Z">
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     <saml:Issuer>https://idp.dev.aspiria.com/simplesaml</saml:Issuer>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     <saml:Subject>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       <saml:NameID SPNameQualifier="https://sso-tim.dev.aspiria.com/saml2/metadata" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">*****</saml:NameID>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]         <saml:SubjectConfirmationData NotOnOrAfter="2023-05-23T10:08:55Z" Recipient="https://sso-tim.dev.aspiria.com/saml2/acs"/>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       </saml:SubjectConfirmation>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     </saml:Subject>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     <saml:Conditions NotBefore="2023-05-23T10:03:25Z" NotOnOrAfter="2023-05-23T10:08:55Z">
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       <saml:AudienceRestriction>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]         <saml:Audience>https://sso-tim.dev.aspiria.com/saml2/metadata</saml:Audience>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       </saml:AudienceRestriction>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     </saml:Conditions>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     <saml:AuthnStatement AuthnInstant="2023-05-23T10:02:59Z" SessionNotOnOrAfter="2023-05-23T18:02:59Z" SessionIndex="******">
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       <saml:AuthnContext>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]         <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]       </saml:AuthnContext>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]     </saml:AuthnStatement>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43]   </saml:Assertion>
May 23 12:03:55 simplesamlphp DEBUG [1f0ea5ac43] </samlp:Response>


Thanks for trying to help!

Tim van Dijen

May 23, 2023, 6:31:13 AM
to SimpleSAMLphp
Ah, I see..

That authproc-filter with index 20 doesn't make any sense.. You're basically hardcoding a value of 'username' inside a SAML attribute.
The filter with index 40 should be enough to do what you want. You just have to set the search filter straight.

On Tuesday, May 23, 2023 at 12:09:27 UTC+2, Andre Woerle wrote:

Andre Woerle

May 23, 2023, 7:20:07 AM
to SimpleSAMLphp
Sorry, I am completely new to all of this. Could you explain a little further what I have to write into the search filter?
I tried
and
(uid=%uid%)
and
(uid=%sAMAccountName%)
but nothing seems to work; there is always this message:
May 23 13:16:16 simplesamlphp INFO [c45e2861cb] ldap:SimpleSAML\Module\ldap\Auth\Process\AttributeAddFromLDAP: There are non-existing attributes in the search filter. ((uid=%sAMAccountName%))

Thank you so much for your help!

Tim van Dijen

May 23, 2023, 8:26:28 AM
to SimpleSAMLphp
No problem!

What we need to know is what you are using as an authentication source. That authentication source will provide you with some attributes. You have to figure out what they are.
Hopefully one of those attributes is a unique user identifier that you can use to search the LDAP-store. Let's assume the authsource releases the 'identifier' attribute.

Now I assume that your LDAP-store stores the unique user-id in the 'sAMAccountName' attribute.
Your authproc-filter would look like this:

    'authproc' => [
        40 => [
            'class' => 'ldap:AttributeAddFromLDAP',
            // the LDAP authsource (from authsources.php) that will be searched
            'authsource' => 'docker-ldap',

            // Find the user's sAMAccountName and map it to the windowsaccountname attribute
            'attributes' => ['sAMAccountName' => 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'],

            // search for a user whose sAMAccountName matches the 'identifier' we found using our primary authsource
            'search.filter' => '(sAMAccountName=%identifier%)',
        ],
    ],

- Tim
On Tuesday, May 23, 2023 at 13:20:07 UTC+2, Andre Woerle wrote:

Andre Woerle

May 23, 2023, 8:42:51 AM
to SimpleSAMLphp
This would be my authentication source then?
'docker-ldap' => [
        'ldap:Ldap',

        'connection_string' => 'ldap://***.com:389',
        'encryption' => 'ssl',
        'version' => 3,
        'ldap.debug' => true,
        'options' => [
            'referrals' => 0x00,
            'network_timeout' => 3,
        ],

        'connector' => '\SimpleSAML\Module\ldap\Connector\Ldap',

        'attributes' => null,

        'attributes.binary' => [
            'uid', 'cn', 'mail'
        ],
       
        'dnpattern' => 'uid=%username%,ou=users,dc=com',

        'search.enable' => true,

        'search.base' => [
            'dc=com',
        ],

        'search.scope' => 'sub',

        'search.attributes' => ['uid', 'mail'],

        'search.filter' => '(objectClass=inetOrgPerson)',

        'search.username' => 'cn=user,dc=com',
        'search.password' => '***',
    ],

But would uid then not be the identifier?

Tim van Dijen

May 23, 2023, 10:37:06 AM
to SimpleSAMLphp
Ohhh, you are already using LDAP as an authsource?! Then you don't need these filters at all..

The attributes you want to pull from LDAP should go in the 'attributes' array, not in 'attributes.binary'.
Now, authentication will get you the three attributes 'uid', 'cn' and 'mail'.

Next step is to use the authproc-filter to map 'uid' to 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname' and you're done.
You can use the AttributeMap-filter for that. The other two filters you had defined can go away.

- Tim
On Tuesday, May 23, 2023 at 14:42:51 UTC+2, Andre Woerle wrote:
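Putting Tim's final answer together in one place, as an added example (this is not code from the thread or from the SimpleSAMLphp project): the LDAP authsource releases 'uid', 'cn' and 'mail' through 'attributes' (not 'attributes.binary'), and a single core:AttributeMap filter on the SP's entry in saml20-sp-remote.php renames 'uid' to the Windows account-name claim. The hostnames, base DN, service-account DN, password and SP entity ID are placeholders; the ldaps:// connection string with 'encryption' => 'ssl' and the 'attributes.NameFormat' option are assumptions about the deployment, not values from the thread.

```php
<?php
// --- config/authsources.php (added example; hostnames and DNs are placeholders) ---
$config = [
    'docker-ldap' => [
        'ldap:Ldap',
        // Assumed: LDAPS on 636 so credentials never cross the wire in clear text.
        'connection_string' => 'ldaps://ldap.example.test:636',
        'encryption' => 'ssl',
        'version' => 3,
        'options' => [
            'referrals' => 0x00,
            'network_timeout' => 3,
        ],
        'connector' => '\SimpleSAML\Module\ldap\Connector\Ldap',

        // Attributes released from the authenticated user's entry. The thread
        // had these under 'attributes.binary', which is only for values that
        // must be base64-encoded (jpegPhoto, objectGUID, ...), so nothing was
        // released at all. Keep this list minimal: it is the allow-list of
        // what the IdP may ever hand to an SP.
        'attributes' => ['uid', 'cn', 'mail'],
        'attributes.binary' => [],

        'dnpattern' => 'uid=%username%,ou=users,dc=example,dc=test',

        'search.enable' => true,
        'search.base' => ['dc=example,dc=test'],
        'search.scope' => 'sub',
        'search.attributes' => ['uid', 'mail'],
        'search.filter' => '(objectClass=inetOrgPerson)',
        // Dedicated read-only service account for the search bind.
        'search.username' => 'cn=ssp-search,ou=services,dc=example,dc=test',
        'search.password' => 'PLACEHOLDER_SECRET',
    ],
];

// --- metadata/saml20-sp-remote.php (added example; entity ID and ACS URL are placeholders) ---
$metadata['https://sp.example.test/saml2/metadata'] = [
    'AssertionConsumerService' => 'https://sp.example.test/saml2/acs',
    'simplesaml.attributes' => true,
    // Assumed: the SP expects URI-formatted attribute names, as in the debug log above.
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',

    'authproc' => [
        // Rename the LDAP 'uid' to the Windows account-name claim. Because LDAP
        // is already the authsource, neither core:AttributeAdd (which hardcoded
        // 'username') nor ldap:AttributeAddFromLDAP (a second LDAP search) is
        // needed. AttributeMap removes 'uid' under its old name; add '%duplicate'
        // to the filter if the SP also needs the original attribute.
        40 => [
            'class' => 'core:AttributeMap',
            'uid' => 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname',
        ],

        // Kept from the original configuration: the AuthnContext the SP expects.
        92 => [
            'class' => 'saml:AuthnContextClassRef',
            'AuthnContextClassRef' => 'urn:federation:authentication:windows',
        ],
    ],
];
```

After this change the DEBUG log of the sent message should show a <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"> element whose value is the LDAP uid rather than the literal "username". Keeping the mapping in the SP's own metadata entry (rather than in authsources.php) scopes the claim to that SP, so other SPs connected to the same IdP only receive what their own entry maps.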

Andre Woerle

May 23, 2023, 11:01:27 AM
to SimpleSAMLphp
Thank you so much, everything is now working as intended.
I really appreciated the help!
Have a nice day.