Authenticate with SAML gives hashed username and e-mail

Hello,

I would like to authenticate the users of my installation of Discourse with our University SAML.

I’m using the docker version of Discourse with the SAML plugin. I’ve tried to follow the instructions on the GitHub site of this plugin.

Everything works fine until I see the following form:


Where I would have expected to see a regular e-mail address I now see a hex-value what I presume to be the hash form of the e-mail address. I cannot continue the authenticate process with these values.

Any help on this topic would be greatly appreciated!

Kind regards,
Ronald

1 Like

Hello Ronald :slight_smile: :wave: really glad to see more and more Universities joining the Discourse family :smiley:

You have quite an interesting issue! My SAML/SSO fu isn’t strong so I am not sure what is happening here, but can you try enabling the verbose sso logging site setting? It would help show some useful errors on /logs and maybe say why you’re getting this issue or tell you something more specific that you can share here and we can better help.

4 Likes

My guess (and my experience with saml is limited, I think I’ve only once helped someone configure it) is that the issue is on the saml side. It’s either configured to send the hash or you’re somehow using the wrong field.

4 Likes

Thank you very much for your speedy reply!

After setting the sso logging to verbose, his is what I found in the production.log:

Started GET "/session/csrf" for <IP> at 2020-07-24 14:32:51 +0000
Processing by SessionController#csrf as JSON
Completed 200 OK in 1ms (Views: 0.1ms | ActiveRecord: 0.0ms | Allocations: 321)
Started POST "/auth/saml" for <IP> at 2020-07-24 14:32:51 +0000
(saml) Request phase initiated.
Started POST "/auth/saml/callback" for <IP> at 2020-07-24 14:33:23 +0000
(saml) Callback phase initiated.
Processing by Users::OmniauthCallbacksController#complete as HTML
  Parameters: {"SAMLResponse"=>"<SNIP>", "provider"=>"saml"}
Redirected to https://discourse-imphys.tudelft.nl/
Completed 302 Found in 24ms (ActiveRecord: 0.0ms | Allocations: 10562)
Started GET "/" for <IP> at 2020-07-24 14:33:24 +0000
Processing by ListController#latest as HTML
  Rendering list/list.erb within layouts/application
  Rendered list/list.erb within layouts/application (Duration: 3.8ms | Allocations: 1991)
  Rendered layouts/_head.html.erb (Duration: 1.9ms | Allocations: 911)
  Rendered common/_discourse_stylesheet.html.erb (Duration: 0.4ms | Allocations: 267)
  Rendered application/_header.html.erb (Duration: 2.2ms | Allocations: 1022)
Completed 200 OK in 34ms (Views: 13.1ms | ActiveRecord: 0.0ms | Allocations: 15963)
Started GET "/u/hp.json" for <IP> at 2020-07-24 14:33:24 +0000
Processing by UsersController#get_honeypot_value as JSON
Completed 200 OK in 2ms (Views: 0.2ms | ActiveRecord: 0.0ms | Allocations: 812)
Started GET "/u/check_username?username=&email=94422472fbfb32fdd22eaa2f88c723fb44be9958" for <IP> at 2020-07-24 14:33:25 +0000
Processing by UsersController#check_username as JSON
  Parameters: {"username"=>"", "email"=>"94422472fbfb32fdd22eaa2f88c723fb44be9958"}
Completed 200 OK in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms | Allocations: 316)
Started GET "/u/check_username?username=94422472fbfb32fdd22e&email=94422472fbfb32fdd22eaa2f88c723fb44be9958" for <IP> at 2020-07-24 14:33:25 +0000
Processing by UsersController#check_username as JSON
  Parameters: {"username"=>"94422472fbfb32fdd22e", "email"=>"94422472fbfb32fdd22eaa2f88c723fb44be9958"}
Completed 200 OK in 3ms (Views: 0.2ms | ActiveRecord: 0.0ms | Allocations: 1421)

I’ve replace the cert with <SNIP> and my IP address with <IP>.

1 Like

Thanks for the quick reply!

That might also be the case! I will contact the SAML issuer and inform about the hashing…

3 Likes

Yup! You can clearly see that SAML is sending a hash of the email and the username.

I think that there is some configuration where you map the SAML fields to the Discourse ones, so it’s conceivable that there is something you can change on the Discourse side to fix it.

4 Likes

After more research I found that the ‘hashed’ code in the registration form is actually the NameID send by the IdP. In the configuration of SAML on the IdP I’ve also enabled the following attributes:

  • Display Name: urn:mace:dir:attribute-def:displayName
  • Full Name: urn:mace:dir:attribute-def:cn
  • Email address: urn:mace:dir:attribute-def:mail
  • User ID: urn:mace:dir:attribute-def:uid

It is confirmed by a third party that these attributes are actually send from the IdP. But for some reason the values of these attributes are not used in the registration form of Discourse (as shown earlier). I assumed that in the form:

  • Email would have the value of urn:mace:dir:attribute-def:mail;
  • Username the value of urn:mace:dir:attribute-def:mail and
  • Name either the value of urn:mace:dir:attribute-def:displayName (preferably) or urn:mace:dir:attribute-def:cn

Is there some way I can configure Discourse-SAML to map these attributes right?

1 Like