ADFS integration issues

To be completed by the original poster:

CMS Version

Version 3.0.7

Installation Method

Docker

Operating System

The operating system the CMS is installed on RedHAT 7.9

Issue

We followed the procedure for SAML SSO with Active Directory ADFS but we have errors during the connection.
the ADFS authentication page is displayed, we put the Login and the Password but when redirecting to mycmsname/saml/acs we get an error.
The status code of the Response was not Success, was Requester → urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy

We had the same problem with 2.3.14 v
We have the same problem with 2.3.14 v
the configuration file is exactly as in the procedure by modifying the names of the servers and the certificate has been copied by following the directives.
Has anyone had any integration issues?

thank you

Provide screenshots where possible!

Hello, a step taken, the error came from a configuration at ADFS level in the ‘NameIDFormat’ => ‘urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress’, which was to an earlier version.
Now what is blocking me is the Just-In-Time provisioning if a user exists in Xibo, he is able to log in but if the user has to be created, the creation operation is not done and the user receives message


When i delete the settings file et i log like admin in to the CMS. i don’t find the new users.

this is parts of the config
‘workflow’ => array(
// Enable/Disable Just-In-Time provisioning
‘jit’ => true,
// Attribute to identify the user
‘field_to_identify’ => ‘UserName’, // Alternatives: UserID, UserName or email
// Default libraryQuota assigned to the created user by JIT
‘libraryQuota’ => 1000,
// Initial User Group
‘group’ => ‘Users’,
// Home Page
‘homePage’ => ‘icondashboard’,
// Enable/Disable Single Logout
‘slo’ => true,
// Attribute mapping between XIBO-CMS and the IdP
‘mapping’ => array (
‘UserID’ => ‘’,
‘usertypeid’ => ‘’,
‘UserName’ => ‘uid’,
‘email’ => ‘mail’,
)
),
thanks

icondashboard isn’t valid anymore. You would need to change that in the settings file to icondashboard.view which is correct for a v3 CMS.

Thanks @alex for your follow up.
actually I changed it to test because I can’t map a new user. In fact, for authentication via ADFS to work, an adjustment had to be made to the setting file because currently the new version of ADFS requires a certX509 and the key for the CMS. here is a configuration that works.

<?php

# If you need to add custom configuration settings to the CMS settings.php file,
# this is the place to do it.

# For example, if you want to configure SAML authentication, you can add the
# required configuration here

$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = array (
   'workflow' => array(
        // Enable/Disable Just-In-Time provisioning
        'jit' => true,
        // Attribute to identify the user
        'field_to_identify' => 'UserName',   // Alternatives: UserID, UserName or email
        // Default libraryQuota assigned to the created user by JIT
        'libraryQuota' => 1000,
        // Initial User Group
        'group' => 'Users',
        // Home Page
        'homePage' => 'icondashboard.view',
        // Enable/Disable Single Logout
        'slo' => 'true',
        // Attribute mapping between XIBO-CMS and the IdP
        'mapping' => array (
            'UserID' => '',
            'usertypeid' => '',
            'UserName' => 'uid',
            'email' => 'mail',
       //     'firstName' => 'surname',
       //     'lastName' => 'givenname',
        )
    ),
   // Settings for the PHP-SAML toolkit.
   // See documentation: https://github.com/onelogin/php-saml#settings
   'strict' => false,
   'debug' => true,
   'idp' => array (
 // Identifier of the IdP entity  (must be a URI)
        'entityId' => 'https://mycms.com/saml/acs',
          'singleSignOnService' => array (
// URL Target of the IdP where the Authentication Request Message will be sent
            'url' => 'https://myadfs.com/adfs/ls',
            ),
            'singleLogoutService' => array (
 // SLO endpoint info of the IdP.
        'url' => 'https://myadfs.com/adfs/ls/',
            ),

 'x509certMulti' => array(
             'signing' => array(
                 0 => 'adfscert',
             ),
             'encryption' => array(
			   0 => 'adfscert',
             )
        ),
        ),

   'sp' => array (
 // Identifier of the SP entity  (must be a URI)
       'entityId' => 'https://mycms.com/saml/acs',
  // Specifies info about where and how the <AuthnResponse> message MUST be returned to the requester, in this case our SP.
                       'assertionConsumerService' => array (
  // URL Location where the <Response> from the IdP will be returned
          'url' => 'https://mycms/saml/acs',
        ),
 // Specifies info about where and how the <Logout Response> message MUST be returned to the requester, in this case our SP.
       'singleLogoutService' => array (
 // URL Location where the <Response> from the IdP will be returned
           'url' => 'https://mycms/saml/sls',
       ),
        // Specifies the constraints on the name identifier to be used to represent the requested subject.
        // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported.
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress',
        'x509cert' => 'mycmscert',
        'privateKey' => 'mycmskey',
    ),
    'security' => array (
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => true,
        'logoutResponseSigned' => true,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false,
        'wantNameIdEncrypted' => false,
        'lowercaseUrlencoding' => true,


    )
);

?>

however this setting only allows me to authenticate a user who already exists on the CMS. he can connect via ADFs and disconnect via ADFS too.
for a new user that I want to create at the same time as his authentication, I have an error message.
yet the ADFS sends me all the required fields.



I wonder if anyone had the same error at JIT or I have a config error thanks

Hi Alex, I have something new. I commented out the ‘homePage’ line and JIP seems to work well and the user connects with the icondashboar page.


thanks

Thank you. I’ve passed your feedback to the development team to take a look in to it.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.