
samlauth's People

Contributors

5p4k, smacz42, trajche

samlauth's Issues

Plugin not working with Kanboard 1.1.0

Hi,

I unzipped the folder in the /plugins directory, but when I go to "Settings → Integrations", I don't have any field

Is the plugin compatible with the last version of Kanboard?

Regards

Contributing to the package - license questions

Dear Trajche Kralev,
As I was both forking your project for some modifications and using it as a base for creating an InvoicePlane plugin that works mostly the same as your package, I wanted to ask if it would be fine if I publish my InvoicePlane project under MIT instead of LGPLv3. Though the most important part of the package is the php-saml integration, which is also under MIT, I realized that as I used your package as an example, it would not be appropriate to just publish under another license.

The package I am speaking about can be found here:
https://github.com/kingstarter/invoiceplane-saml

Please let me know if this would be fine. I've just published everything and realized afterward that it should have been published under LGPLv3 as I used minimal parts of your code. In case it would not be fine I would either change the license or remove your code parts.

Greetings,
Steve

Example config for ADFS

I would like to share my experiences to get SamlAuth working with ADFS.
We have a Windows based test Kanboard installation where I would like to make access via saml possible.

My environment: Win2022 with IIS and PHP 8.2, Kanboard 1.2.26, SQLite database, LDAP connection to AD and a Win2022 ADFS server

After downloading the zip file and unpacking it to kanboard\plugins\SamlAuth, the third-party module php-saml was missing, so I downloaded it manually and copied it to kanboard\plugins\SamlAuth\Thirdparty\php-saml.

And here are my configuration settings:

SP Entity ID:
A unique string; I use the FQDN of the Kanboard server

Single Signon Service
https://FQDN_Kanboard_Server/kanboard/index.php

Single Logout Service
https://FQDN_Kanboard_Server/kanboard/logout (not sure about that)

SP Certificate
public key from the Kanboard Server cert

SP Certificate Private Key
private key from the Kanboard Server cert in --> RAW format

For the Identity Provider configuration I used the information from https://FQDN_ADFS_Server/FederationMetadata/2007-06/FederationMetadata.xml

IDP Entity ID
http://FQDN_ADFS_Server/adfs/services/trust

Single Signon Service
https://FQDN_ADFS_Server/adfs/ls/

Single Logout Service
https://FQDN_ADFS_Server/adfs/ls/

IDP Certificate
public key from the ADFS Server cert

Identity Provider Attribute Mapping
Full name Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Username Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Remove text in username attribute
empty

Email Attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Generate the Metadata XML and import it in ADFS.
I configured the claims as follows:

Rule 1:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";sAMAccountName,mail,displayName;{0}", param = c.Value);

Rule 2:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("temp_name"), query = ";sAMAccountName;{0}", param = c.Value);

Rule 3:
c:[Type == "temp_name"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(c.Value, "A", "a"), "B", "b"), "C", "c"), "D", "d"), "E", "e"), "F", "f"), "G", "g"), "H", "h"), "I", "i"), "J", "j"), "K", "k"), "L", "l"), "M", "m"), "N", "n"), "O", "o"), "P", "p"), "Q", "q"), "R", "r"), "S", "s"), "T", "t"), "U", "u"), "V", "v"), "W", "w"), "X", "x"), "Y", "y"), "Z", "z"));

Because Kanboard usernames are case sensitive, I have to convert the username sent by ADFS to lowercase to prevent double users (Rules 2 and 3).

Maybe this will help someone to get this plugin to work ....
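
The attribute mapping and the lowercase rule from the post above, as an added example for offline inspection of a decoded assertion (not code from the plugin or from the post's author). The function names, the field names `full_name`/`username`/`email` and the sample assertion are assumptions; it also goes one step beyond the post by showing that a Rule 3 style A-Z replacement leaves non-ASCII capitals unchanged.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Plugin field -> claim URI, as listed in the post's attribute mapping.
MAPPING = {
    "full_name": CLAIMS + "givenname",
    "username": CLAIMS + "name",
    "email": CLAIMS + "emailaddress",
}

def ascii_lower(value):
    """Same effect as Rule 3: only A-Z are folded, other characters pass through."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in value)

def map_attributes(assertion_xml):
    """Return (profile, missing_fields) for an already-decoded assertion.
    Inspection only: no signature or condition checks are done here."""
    issued = {}
    for attr in ET.fromstring(assertion_xml).iter("{%s}Attribute" % SAML):
        value = attr.find("{%s}AttributeValue" % SAML)
        issued[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    profile = {field: issued.get(uri, "") for field, uri in MAPPING.items()}
    missing = sorted(field for field, v in profile.items() if not v)
    return profile, missing

def case_collisions(usernames):
    """Group usernames that differ only by case (each group is a set of duplicates)."""
    groups = {}
    for name in usernames:
        groups.setdefault(name.lower(), set()).add(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}

# Constructed sample: username already lowercased, email claim deliberately left out.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="%sname"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="%sgivenname"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>""" % (CLAIMS, CLAIMS)

if __name__ == "__main__":
    print(map_attributes(SAMPLE))
    print(case_collisions(["jdoe", "JDoe", "asmith"]))
```

Running `case_collisions` over an export of existing Kanboard usernames shows which accounts were already created twice before the lowercase rules were in place.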

PHP 7 Adoption

Hi,

As of PHP 7, empty arguments are not supported anymore. To still make this great plugin work in PHP 7, could you make the following changes in /User/SamlUserProvider.php on line 39
public function __construct($username = null, $email = null, $name = null, $role = null)
?

That would be great!

Cheers.

Not work in KB v1.0.38

Hi guys, the SAML plugin does not work in Kanboard 1.0.38.

After sending the data with the "Generate Metadata" button, it shows the following message:

Internal Error: Invalid array settings: sp_entityId_not_found, sp_acs_not_found, sp_sls_url_invalid, sp_certs_not_found_and_required, contact_not_enought_data

Error: SAML must contain one assertion

I tested this against SSOCircle's Public IDP and I received the error SAML must contain one assertion.

I captured the POST and am attaching it here, both in XML and base64. I'm posting it in base64 also because I got a weird error from Apache when I tried to get it to work, so it's probably an Apache error. The Apache error was:

[Mon Mar 27 15:49:27.262792 2017] [php7:warn] [pid 25326] [client 75.118.161.192:53168] PHP Warning:  DOMDocument::loadXML(): Start tag expected, '<' not found in Entity, line: 1 in /srv/kanboard/plugins/SamlAuth/Thirdparty/php-saml/lib/Saml2/Utils.php on line 58

So it's interpreting a < as &lt;, which is not how I want it to load that base64-encoded payload. Any thoughts?

saml-response.zip
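
A way to check a captured `SAMLResponse` POST value offline before it reaches the XML parser, as an added example (not code from the plugin, php-saml or this issue). The function name, the three transport cases it tries and the sample value are assumptions, not findings about the attached capture.

```python
import base64
import binascii
import html
import urllib.parse

def _b64(value):
    """Strict base64 decode; line breaks are tolerated, anything else is an error."""
    cleaned = value.replace("\r", "").replace("\n", "")
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None

def diagnose_saml_response(raw):
    """Return (transport, payload, xml_text) for a captured SAMLResponse POST value."""
    attempts = [
        ("ok", raw),                                 # value arrived intact
        ("url-encoded", urllib.parse.unquote(raw)),  # %2B / %3D were never decoded
        ("plus-to-space", raw.replace(" ", "+")),    # '+' was decoded as a space
    ]
    for transport, value in attempts:
        decoded = _b64(value)
        if decoded is None:
            continue
        text = decoded.decode("utf-8", errors="replace").lstrip("\ufeff \t\r\n")
        if text.startswith("<"):
            return transport, "xml", text
        if text.startswith("&lt;"):
            # Markup was entity-escaped before encoding, so a parser finds no start tag.
            return transport, "entity-escaped", html.unescape(text)
        return transport, "not-xml", None
    return "not-base64", None, None

# Constructed sample: a minimal response that was entity-escaped before base64 encoding.
SAMPLE_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'
SAMPLE_RAW = base64.b64encode(html.escape(SAMPLE_XML).encode()).decode()

if __name__ == "__main__":
    print(diagnose_saml_response(SAMPLE_RAW)[:2])
```

The returned text is only for reading; signature and condition checks still belong to the SAML library.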
