View ProjeQtOr On SourceForge.net
ProjeQtOr - Project Management Tool
Support us on Capterra
OIN - Open Invention Network
ProjeQtOr free project management software - Problems with setting up SAML2 - ProjeQtOr
 
 

Problems with setting up SAML2

More
31 Jan 2023 09:19 #1 by arope99
Hi,I'm trying to setup Projeqtor to authenticate using SAML2 through our organisation ADFS server.

LDAP is currently setup as follows with the following attributes: 


I can confirm that Projeqtor is talking to the ADFS server as shown below. SAML-Tracer results outlines NameID is being sent post ADFS authentication.


However, Projeqtor application does nor receive the "Name ID" attributes, and only received email and name attributes as shown below: 


Projeqtor SAML2 is currently configured as below: 


Looking at the Projeqtor log, it shows that Name ID is undefined (or not received): 
 

Can anyone let me know what is the problem here?

Below is the xml generated by Projeqtor:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2033-01-30T15:20:48Z" cacheDuration="PT604800S" entityID="http://......../sso/projeqtor/metadata.php">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://........../sso/projeqtor/index.php?sls"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://.........../sso/projeqtor/index.php?acs" index="1"/>
</md:SPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>ProjeQtOr</md:GivenName>
<md:EmailAddress>Projeqtor@........</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>

The only issues I can see here is that the NameIDFormat is SAML 1.1 (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified). Hence Projeqtor is expecting a different format that what the server is sending which is SAML 2.0 (urn:oasis:names:tc:SAML:2.0) as shown in the 2nd picture above.

Can anyone clarify this?

Thanks in advance.
Attachments:

Please Log in or Create an account to join the conversation.

More
01 Feb 2023 11:28 - 01 Feb 2023 11:30 #2 by arope99
Hi all,

Had played around the Projeqtor SSO authentication today, and found out that Projeqtor did received the "Name ID" but it was not stored in the authentication attributes array. Instead it has it's own variable storage.

In the file projeqtor/sso/projeqtor/index.php, attributes is stored as below:

$_SESSION = $auth->getAttributes();

While Name ID is stored below: 

$_SESSION = $auth->getNameId();

However, when creating new user in tool/projeqtor.php, the code is looking for Name ID in attributes array. Hence the error.     

if (isset($authAttr[SSO::getAttributeName('uid')]) and isset($authAttr[SSO::getAttributeName('uid')][0]))
{       
   $login = $authAttr[SSO::getAttributeName('uid')][0];     
}
else
{       
   traceLog("Cannot retreive field ".SSO::getAttributeName('uid')." in samlUserData");        \
   traceLog($authAttr);       
   $login=null;     
}

And also in the file projeqtor/model/SSO.php, it is also looking for Name ID from the attributes.   
 
$loginAttr=SSO::getAttributeName('uid');     
$mailAttr=SSO::getAttributeName('mail');     
$fullNameAttr=SSO::getAttributeName('commonName');     
$user->name=$authAttr[$loginAttr][0];

Can any of the developer comment about this? I think I need to modify the codes so the it will not get the Name ID from attributes. 

Is there any work around to this other than modifying the codes? Fyi, I'm using V10.1.

Thank you.
Last edit: 01 Feb 2023 11:30 by arope99.

Please Log in or Create an account to join the conversation.

Moderators: babynusprotion
Time to create page: 0.089 seconds

Cookies settings

×

Functional Cookies

Ce site utilise des cookies pour assurer son bon fonctionnement et ne peuvent pas être désactivés de nos systèmes. Nous ne les utilisons pas à des fins publicitaires. Si ces cookies sont bloqués, certaines parties du site ne pourront pas fonctionner.

Session

Please login to see yours activities!

Other cookies

Ce site web utilise un certain nombre de cookies pour gérer, par exemple, les sessions utilisateurs.