I don't get proper mapping of attributes using SAML plugin

Hello,

I am trying to integrate our Shibboleth with our Discourse instance. For now logging in works, but I am getting the wrong data (name, email, etc…).

Here is part of the data coming from the SSO:

    <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>Joao Miguel</saml2:AttributeValue>

Here is the error log:

SAML Debugging: saml_auth: {:uid=>"AAdzZWNyZXQ0uudwQFYHs1n7nrvB/A4t4l6q+6aAXInZRL4XIO+mnEEEq4t8UwBnzJRh50mnTGDsQAPvWThJNaUNR6smCochT1I2oXwvyoU4lQG+5hbVmCvkkmYDPOujrvgNloXWNg==", :info=>{"name"=>nil, "email"=>nil, "first_name"=>nil, "last_name"=>nil, "nickname"=>nil}.......   @attributes={............."urn:oid:2.5.4.42"=>["Joao Miguel"]

I would say the issue has to do with the FriendlyName, as it doesn't match any of the options in saml_authenticator.rb:

    statements = "name:name|email:email,mail|first_name:first_name,firstname,firstName|last_name:last_name,lastname,lastName|nickname:screenName"

Since the friendly name repeats itself for every attribute, I am not sure how to make the mapping. Has anyone an idea of how to deal with this?

Thank you

Did you manage to get this working?

Hello @Ivan.bacher and @JoreisPy, any success in mapping the right attributes via discourse-saml configs?

I've been trying this config in the plug-in, but no luck so far:

(screenshot of the plug-in config, 2023-05-03 at 08.27.45)

Have a good one! :slight_smile:

I stumbled across the same problem while testing the SAML integration and I finally managed to get it to work. With logs enabled, check the content of @attributes: those are the actual keys you need for the mapping, not the friendly name. They correspond to the Name attribute from the XML data. For my case the mapping inside app.yml became:

    DISCOURSE_SAML_REQUEST_ATTRIBUTES: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    DISCOURSE_SAML_ATTRIBUTE_STATEMENTS: "email:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

It is also important to rebuild after changes to the config. After doing so, it properly mapped the email value from my SAML response.

Thanks for sharing the example; from discourse-saml/config/locales/server.en.yml at main · discourse/discourse-saml · GitHub it isn't clear what the exact format means.
Additionally, for future reference, the SAML plugin has the possibility to map more than one attribute to a Discourse variable, so the format basically says:

    <Discourse_variable>:<SAML_attribute1>,<SAML_attribute2>


Probably isn't the right place, but just to add: you will need email, name, first_name, last_name and uid as Discourse attributes to be able to use the SAML plugin.

Additionally:

    def attribute_statements
      result = {}
      statements =
        "name:fullName,name|email:email,mail|first_name:first_name,firstname,firstName|last_name:last_name,lastname,lastName|nickname:screenName"
      custom_statements = setting(:attribute_statements)

      statements = "#{statements}|#{custom_statements}" if custom_statements.present?

      statements
        .split("|")
        .map do |statement|
          attrs = statement.split(":", 2)
          next if attrs.count != 2
          (result[attrs[0]] ||= []) << attrs[1].split(",")
          result[attrs[0]].flatten!
        end

      result
    end

This part of the code (bear in mind I am not a Ruby programmer) suggests that you need to map all attributes to your attributes for the system to work … I will try to test that information (I do have an issue at the moment with the SAML plugin and am trying to investigate it).
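As an added example (not code from discourse-saml itself), the following Ruby reproduces the statement parsing quoted above and applies it to an attribute hash keyed the way the log in the first post shows, i.e. by the attribute Name URN rather than the FriendlyName. It covers both the `<Discourse_variable>:<SAML_attribute1>,<SAML_attribute2>` format described earlier in the thread and the `attribute_statements` method quoted in this post. Assumptions: the custom statement string is passed in as a method argument instead of being read through `setting(...)`, `present?` from ActiveSupport is replaced by a plain empty check, the lookup rule "first listed key that exists in the attribute hash wins" is my own illustration of how such a statement map is consumed, and the sample attribute hash is constructed (the mail OID `urn:oid:0.9.2342.19200300.100.1.3` is the standard LDAP `mail` OID, not taken from the thread).

```ruby
# Added example, not discourse-saml's own code. Shows why the default
# statements miss URN-keyed attributes and how a custom statement fixes it.

DEFAULT_STATEMENTS =
  "name:fullName,name|email:email,mail|first_name:first_name,firstname,firstName|" \
  "last_name:last_name,lastname,lastName|nickname:screenName"

# Same split/merge logic as the quoted attribute_statements method; the custom
# setting is passed in as an argument here instead of read via setting(...).
def parse_attribute_statements(custom_statements = nil)
  result = {}
  statements = DEFAULT_STATEMENTS
  if custom_statements && !custom_statements.empty?
    statements = "#{statements}|#{custom_statements}"
  end

  statements.split("|").each do |statement|
    # split with limit 2, so a URN value such as "urn:oid:2.5.4.42" keeps its colons
    attrs = statement.split(":", 2)
    next if attrs.count != 2
    (result[attrs[0]] ||= []).concat(attrs[1].split(","))
  end
  result
end

# Illustrative lookup (assumed, not the plugin's code): for each Discourse field
# the first candidate key present in the attribute hash wins; nil when none match.
def map_attributes(attributes, statements)
  statements.each_with_object({}) do |(field, keys), info|
    key = keys.find { |k| attributes.key?(k) }
    info[field] = key ? attributes[key].first : nil
  end
end

# Constructed sample mirroring the @attributes log: keys are the Name URNs,
# the FriendlyName (givenName, mail) never appears as a key.
SAMPLE_ATTRIBUTES = {
  "urn:oid:2.5.4.42" => ["Joao Miguel"],                       # FriendlyName=givenName
  "urn:oid:0.9.2342.19200300.100.1.3" => ["joao@example.org"], # FriendlyName=mail
}

# The custom statement string one would put in DISCOURSE_SAML_ATTRIBUTE_STATEMENTS.
CUSTOM_STATEMENTS =
  "first_name:urn:oid:2.5.4.42|email:urn:oid:0.9.2342.19200300.100.1.3"

def demo
  without = map_attributes(SAMPLE_ATTRIBUTES, parse_attribute_statements)
  with    = map_attributes(SAMPLE_ATTRIBUTES, parse_attribute_statements(CUSTOM_STATEMENTS))
  { without_custom: without, with_custom: with }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "default statements only: #{r[:without_custom].inspect}"
  puts "with custom statements:  #{r[:with_custom].inspect}"
end
```

Running it shows every field as `nil` with the default statements (the log in the first post) and `first_name`/`email` filled in once the URN keys are appended through the custom statement, which is the behaviour the app.yml mapping earlier in the thread relies on.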