My current Discourse installation has new user registration disabled, and login is handled through the LDAP plugin (https://github.com/jonmbake/discourse-ldap-auth). As a result, many internal users already exist and have created various content.
I have now been asked to install/migrate to SAML in order to integrate with our existing Okta flow. I have installed the plugin (https://github.com/discourse/discourse-saml) and enabled the option DISCOURSE_SAML_AUTO_CREATE_ACCOUNT: true. The requirement is: create the user if it does not exist; if the user already exists (for example, previously created via LDAP), reuse that user. However, the current behaviour is that it tries to create a new user for an already existing username, which causes a conflict and raises an error. If I disable the auto-create option, a window pops up that allows editing the registration details, with the username correctly pre-filled but with a numeric prefix added to avoid the conflict. Obviously this is not workable in my case.
Does anyone have any suggestions?
Perhaps this old post is related, but it has not been answered:
https://meta.discourse.org/t/verify-if-user-is-already-logged-sso-with-saml2-discourse-saml/73213
(Sorry, I cannot insert more than two links in a post.)
Thanks in advance.
AB
pfaffman
(Jay Pfaffman)
2
Users are usually matched by email address. Don't LDAP and SAML use the same email address?
The email address is the same; I probably need to check what is in the SAML payload.
Thanks for the hint, I'll go and take a look.
I am getting the following error:
Started POST "/auth/saml" for 188.114.103.216 at 2020-08-04 16:46:20 +0000
(saml) Request phase initiated.
Started POST "/auth/saml/callback" for 188.114.103.216 at 2020-08-04 16:46:21 +0000
(saml) Callback phase initiated.
Processing by Users::OmniauthCallbacksController#complete as HTML
Parameters: {"SAMLResponse"=>"........", "RelayState"=>"", "provider"=>"saml"}
Completed 422 Unprocessable Entity in 16ms (ActiveRecord: 0.0ms | Allocations: 4546)
ActiveRecord::RecordInvalid (Validation failed: Primary email is invalid.)
lib/distributed_mutex.rb:33:in `block in synchronize'
lib/distributed_mutex.rb:29:in `synchronize'
lib/distributed_mutex.rb:29:in `synchronize'
lib/distributed_mutex.rb:14:in `synchronize'
app/controllers/users/omniauth_callbacks_controller.rb:37:in `complete'
app/controllers/application_controller.rb:350:in `block in with_resolved_locale'
app/controllers/application_controller.rb:350:in `with_resolved_locale'
lib/middleware/omniauth_bypass_middleware.rb:47:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/anonymous_cache.rb:328:in `call'
config/initializers/100-quiet_logger.rb:19:in `call'
config/initializers/100-silence_logger.rb:31:in `call'
lib/middleware/enforce_hostname.rb:22:in `call'
lib/middleware/request_tracker.rb:176:in `call'
Failed to handle exception in exception app middleware : Validation failed: Primary email is invalid.
I inspected the SAML response payload, which is as follows (some data removed for obvious reasons):
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://example.com/auth/saml/callback" ID="id123" IssueInstant="2020-08-04T16:39:45.888Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xyz</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id123">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>....</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id123" IssueInstant="2020-08-04T16:39:45.888Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xyz</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id123">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">my.name</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2020-08-04T16:44:45.888Z" Recipient="https://example.com/auth/saml/callback" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-08-04T16:34:45.888Z" NotOnOrAfter="2020-08-04T16:44:45.888Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://example.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2020-08-04T06:53:32.462Z" SessionIndex="id789">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="screenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">my.name@example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Any suggestions?
Thanks,
AB
pfaffman
(Jay Pfaffman)
5
It looks like your SAML does not include the ending part of the email address? Or are you looking at the wrong field?
The problem is that my Okta/SAML sends the username rather than the email address in this field
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">my.name</saml2:NameID>
I worked around it by adding a new attribute named email, then forking the project and setting result.mail to read from that new attribute when present.
I will create a pull request.
Thanks
AB
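The mapping problem described in this thread (NameID carries a bare username while the mail address only arrives in an attribute), shown as an added Ruby example that is not part of the discourse-saml plugin or of any post above. It parses an assertion modelled on the one posted (constructed sample, with the signature and conditions omitted), collects NameID and the attributes, and resolves the email the way the reported fix does: an explicit email attribute first, NameID only if it is itself an address, and nil otherwise so the caller can refuse the login instead of running into "Primary email is invalid". The attribute name `email` and the helper names are assumptions.

```ruby
require "rexml/document"

# Constructed sample modelled on the assertion in the thread: NameID holds a
# bare username, while the mail address arrives only in custom attributes.
SAMPLE_ASSERTION = <<~XML
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id123" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">my.name</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="screenName">
        <saml2:AttributeValue>my.name@example.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>my.name@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
XML

SAML_NS = { "saml2" => "urn:oasis:names:tc:SAML:2.0:assertion" }
# Deliberately simple check: one "@" with a dotted domain. It exists only to
# reject a bare username such as "my.name" before it reaches account creation.
EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Returns { name_id: String, attrs: { "Name" => [values, ...] } }.
def parse_assertion(xml)
  doc = REXML::Document.new(xml)
  name_id = REXML::XPath.first(doc, "//saml2:NameID", SAML_NS)&.text.to_s.strip
  attrs = Hash.new { |h, k| h[k] = [] }
  REXML::XPath.each(doc, "//saml2:Attribute", SAML_NS) do |attr|
    REXML::XPath.each(attr, "saml2:AttributeValue", SAML_NS) do |value|
      attrs[attr.attributes["Name"]] << value.text.to_s.strip
    end
  end
  { name_id: name_id, attrs: attrs }
end

# Mirrors the fix described in the thread (assumed attribute name "email"):
# prefer the configured email attribute, fall back to NameID only when it is an
# address, otherwise return nil so the caller can refuse the login.
def resolve_email(parsed, email_attribute: "email")
  candidate = parsed[:attrs][email_attribute].first || parsed[:name_id]
  return nil unless candidate && EMAIL_RE.match?(candidate)
  candidate.downcase
end
```

Pointing `email_attribute:` at `screenName` shows the alternative of reusing the attribute Okta already sends instead of adding a new one.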