Help: Custom claims for ADFS attribute mapping
rjapayne opened this issue · comments
We're trying to set up the SAML2 plugin's idp attribute mapping but it doesn't seem to be accepting inputs like "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn". The form won't submit and it says "This value is not valid".
A bit confused as I've been reading forums and other cases of people using this plugin and this seems to be what other people have entered.
Is this the wrong thing to do?
hi @rjapayne,
Go to this page:
/auth/saml2/test.php
It will do an raw saml auth without moodle in the loop and return a dump of what attributes it gets back from the IdP. Then you can see exactly what key you need to use, it's probably been mapped to a more human readable key name like 'userPrincipalName'
What I got back was (actual email and name removed):
Authed!
array(4) {
["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]=>
array(1) {
[0]=>
string(22) "email@email.email"
}
["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]=>
array(1) {
[0]=>
string(6) "firstname"
}
["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]=>
array(1) {
[0]=>
string(5) "lastname"
}
["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]=>
array(1) {
[0]=>
string(22) "email@email.email"
}
}
That means it should be "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" right?
Thanks for the quick response,
Rob
Yes, thats correct. So this is just a validation thing on the key name by the looks of it. What version of moodle you on? And are you trying to map this to a user profile field or the idpattr admin setting?
If you are on moodle 3.3 try doing a quick hack of this file and see if it solves the issue:
diff --git a/settings.php b/settings.php
index fd18bcc..e793043 100644
--- a/settings.php
+++ b/settings.php
@@ -127,7 +127,7 @@ if ($ADMIN->fulltree) {
'auth_saml2/idpattr',
get_string('idpattr', 'auth_saml2'),
get_string('idpattr_help', 'auth_saml2'),
- '', PARAM_ALPHANUMEXT));
+ '', PARAM_RAW));
// Moodle Field.
$fields = array(We're on Moodle 3.3.
I changed the code on our dev site and it's accepting the input now so that's looking hopeful but I'll have to wait until I can speak next week with the guy that manages our ADFS system about setting up the connection with our dev site so we can see if the connection between the two works now as a result.
It works! We have a working login now for SAML2 profiles on Moodle.
The mapping is throwing the same invalid input for the schema url though.
Is there another line I need to find and change to make this work too?
Which exact setting? Got a screen shot? It should be a 1 liner once you track it down. The only potential hitch could be if it is inside the field mappings which is added by core and not this plugin. If that is the case then it will be a moodle core change.
Alternatively you could reconfigure ADFS to send a simplified or mapped field key name instead
The fields we are trying to map are first name, surname and email address.
I've seen people use the urls in the forums on previous versions of the plugin so I think it's something that's changed in the recent versions?
Yeah that is going to be a core change here:
https://github.com/moodle/moodle/blob/master/lib/authlib.php#L1038
If you feel inclined you could log this in the core tracker and provide a patch for that. It's probably still more pragmatic to reconfigure adfs to just return 'emailaddress' as the key instead of the full schema string
Hi Brendan,
Thanks for that. I'll go back the guy that is responsible for our ADFS and see if he can do that then. He seemed to think he couldn't do it that way before.
Cheers,
Rob
@rjapayne another perhaps better alternative is that this plugin re-maps all the schema's to nicer simple strings before using them. Simplesamlphp supports a bunch of mappings, but this plugin needs to be told to use them. I think the mappng you want is this one:
But this plugin is hard coded to use the 'oid2name' mapping here:
https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_33PLUS/config/config.php#L83
So you can try just changing that. It would also be nicer if that got turned into an admin setting in this plugin so pull requests welcome if you feel up to that.
Thanks @brendanheywood. Issues now appear resolved after creating some custom claims rules for attribute mapping.
Rule looks something like this;
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("givenname", "windowsaccountname", "surname", "emailaddress", "serialnumber"), query = ";givenName,sAMAccountName,sn,mail,employeeID;{0}", param = c.Value);
As opposed to what we were using before;
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber"), query = ";givenName,sAMAccountName,sn,mail,employeeID;{0}", param = c.Value);
Thanks.
Great stuff, I've renamed this issue to help others having the same issue and I'll close this
FYI I've just raised a tracker to fix this in core and will supply a patch shortly. Any watchers please feel free to go vote for that: