I can't map attributes correctly using the SAML plugin

Hello,

I am trying to integrate our Shibboleth with our Discourse instance. For now logging in works, but I am getting the wrong data (name, email, etc…).

Here is part of the data coming from the SSO:

    <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>Joao Miguel</saml2:AttributeValue>

Here is the error log:

SAML Debugging: saml_auth: {:uid=>"AAdzZWNyZXQ0uudwQFYHs1n7nrvB/A4t4l6q+6aAXInZRL4XIO+mnEEEq4t8UwBnzJRh50mnTGDsQAPvWThJNaUNR6smCochT1I2oXwvyoU4lQG+5hbVmCvkkmYDPOujrvgNloXWNg==", :info=>{"name"=>nil, "email"=>nil, "first_name"=>nil, "last_name"=>nil, "nickname"=>nil}.......   @attributes={............."urn:oid:2.5.4.42"=>["Joao Miguel"]

I would say the issue has to do with the FriendlyName, as it doesn't match any of the options in saml_authenticator.rb:

    statements = "name:name|email:email,mail|first_name:first_name,firstname,firstName|last_name:last_name,lastname,lastName|nickname:screenName"

Since the friendly name repeats itself for every attribute, I am not sure how to make the mapping. Does anyone have an idea of how to deal with this?

Thank you

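Did you manage to get it working?

Hi @Ivan.bacher @JoreisPy, have you had any success mapping the correct attributes through the discourse-saml configuration?

I have been trying to use this configuration in the plugin, but no luck so far:

All the best! :slight_smile: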

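I ran into the same problem when testing the SAML integration and eventually managed to solve it. With logging enabled, check the contents of @attributes; those are the actual keys you need to use for the mapping, not the friendly names. They correspond to the Name attribute in the XML data. In my case, the mapping in app.yml looks like this: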

DISCOURSE_SAML_REQUEST_ATTRIBUTES: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
DISCOURSE_SAML_ATTRIBUTE_STATEMENTS: "email:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

It is also important to rebuild after changing the configuration. Once that was done, it correctly mapped the email value from my SAML response.

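Thanks for sharing the example; from discourse-saml/config/locales/server.en.yml at main · discourse/discourse-saml · GitHub it is not clear what exactly the format means.
Also, for future reference on the SAML plugin, it is possible to map multiple attributes to a Discourse variable, so the format basically means:

'<Discourse_variable>:<SAML_attribute1>,<SAML_attribute2>'

1 Like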

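This may not be the best place, but it should be added that you need the Discourse attributes email, name, first_name, last_name, uid, etc. in order to use the SAML plugin.

Also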

    def attribute_statements
      result = {}
      # Built-in defaults: "<discourse_field>:<saml_key>,<saml_key>" joined by "|"
      statements =
        "name:fullName,name|email:email,mail|first_name:first_name,firstname,firstName|last_name:last_name,lastname,lastName|nickname:screenName"
      custom_statements = setting(:attribute_statements)

      # Custom statements from the site setting are appended to the defaults
      statements = "#{statements}|#{custom_statements}" if custom_statements.present?

      statements
        .split("|")
        .map do |statement|
          # Split on the first ":" only, so keys that contain colons stay whole
          attrs = statement.split(":", 2)
          next if attrs.count != 2
          (result[attrs[0]] ||= []) << attrs[1].split(",")
          result[attrs[0]].flatten!
        end

      result
    end

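This code (please note that I am not a Ruby programmer) indicates that you need to map all attributes to the ones the system may use… I will try to test this information (I am currently having problems with the SAML plugin and am trying to investigate them).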
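
The mapping discussed in this thread, as an added Ruby example that is not part of any post and is not the discourse-saml plugin's own code: it parses the statement format shown above and shows why the default keys find nothing when the IdP sends attributes keyed by `Name` (OID URNs). `parse_statements`, `resolve_info`, the sample attribute hash and the "first matching key wins" lookup are assumptions made for illustration.

```ruby
# Added illustration; helper names and lookup order are hypothetical.
DEFAULT_STATEMENTS =
  "name:fullName,name|email:email,mail|first_name:first_name,firstname,firstName|" \
  "last_name:last_name,lastname,lastName|nickname:screenName"

# Parse "field:key1,key2|field2:key3" into { "field" => ["key1", "key2"] }.
# split(":", 2) cuts at the first colon only, so URN and URL keys stay whole.
def parse_statements(custom = nil)
  all = [DEFAULT_STATEMENTS, custom].compact.reject(&:empty?).join("|")
  all.split("|").each_with_object({}) do |statement, result|
    field, keys = statement.split(":", 2)
    next if keys.nil? # malformed statement without ":" is skipped
    (result[field] ||= []).concat(keys.split(","))
  end
end

# For each Discourse field, return the first value of the first candidate
# key that is present in the assertion's attributes, or nil if none match.
def resolve_info(attributes, statements)
  statements.transform_values do |keys|
    key = keys.find { |k| attributes.key?(k) }
    key && attributes[key].first
  end
end

# Constructed sample, keyed by the XML Name attribute as in the debug log.
SAMPLE_ATTRIBUTES = {
  "urn:oid:2.5.4.42" => ["Joao Miguel"],
  "urn:oid:0.9.2342.19200300.100.1.3" => ["user@example.org"], # constructed value
}.freeze

if $PROGRAM_NAME == __FILE__
  # Defaults only: every field is nil, matching the :info hash in the log.
  p resolve_info(SAMPLE_ATTRIBUTES, parse_statements)
  # With custom statements that use the Name values as keys.
  custom = "first_name:urn:oid:2.5.4.42|email:urn:oid:0.9.2342.19200300.100.1.3"
  p resolve_info(SAMPLE_ATTRIBUTES, parse_statements(custom))
end
```
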