derricksmith / phpsaml

GLPI Plugin - SAML integration using the Onelogin SAML Library


JIT Error: Unable to create user because missing claims (emailaddress)

Antcares opened this issue · comments

Hello! I have configured the plugin in GLPI 9.5.9 and it is functioning properly, but I am having this error when JIT is enabled and the user doesn't exist in GLPI:

JIT Error: Unable to create user because missing claims (emailaddress)

My IdP is Keycloak, and I have created a mapper named emailaddress to send the email in the response (I attach the SAML file). Any help is appreciated.
SAML_response

I took a look at phpsaml.class.php on line 84 and noticed that JIT requires both name and emailaddress to create the user.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

I updated the error message to check which claim is missing.

// Pick the claim that is absent so the error message names it (the name claim is checked first)
$missing = (empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0]) ? 'name' : 'emailaddress');
$error = "JIT Error: Unable to create user because missing claims ($missing)";

Hello, working with GLPI 10.0.5 and this wonderful plugin :)
I'm having the same error using SAML2 federation.

I commented this out in phpsaml.class.php (line 84):

// if ((!empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0])) && (!empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]))){

and replaced it by:

if ((!empty(self::$userdata['name'][0])) && (!empty(self::$userdata['emailaddress'][0]))){

as $userdata is an array.

And also on lines 90-93, comment out this:

// "name" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0],
// "realname" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'][0],
// "firstname" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname'][0],
// "_useremails" => array(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]),

by

"name" => self::$userdata['name'][0],
"realname" => self::$userdata['lastname'][0],
"firstname" => self::$userdata['firstname'][0],
"_useremails" => array(self::$userdata['emailaddress'][0]),

I've been able to JIT provision a new user and map some attributes (email, firstname, realname and Login Name).

Best regards

Laurent

Good night everybody!!!!

This

Thanks, I did this in the code and Gsuite authentication worked. I have one question: if we need to map other attributes, is it possible?

Sorry, I've not been able to map other attributes yet.

I would like to have at least the phone number mapped. If someone knows how to add it :)

Laurent

@derricksmith, can you help us with this?

Thanks :)

Todo: Add additional JIT validations to phpsaml.class.php : private static function performJit($relayState)

Should be solved in my latest branch.
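The claim check in this thread reports only one missing claim and breaks when the IdP sends bare attribute names instead of the xmlsoap URIs. As an added example (not phpsaml's own code), here is one way the JIT validation could look: it accepts either key form, names every missing required claim, validates the email, and refuses to create a user whose email already exists. $emailExists is a hypothetical callback standing in for a GLPI lookup.

```php
<?php
// Added example, not phpsaml's own code. $userdata is the attribute array from the
// thread, keyed by the full claim URI (ADFS) or the bare name (Keycloak, Gsuite).
const CLAIM_NS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';
const REQUIRED_CLAIMS = ['name', 'emailaddress'];

// First non-empty value for a claim under either key form, or null.
function claimValue(array $userdata, string $claim): ?string
{
    foreach ([CLAIM_NS . $claim, $claim] as $key) {
        if (!empty($userdata[$key][0])) {
            return trim((string) $userdata[$key][0]);
        }
    }
    return null;
}

// Every required claim that is absent, so the error can name all of them.
function missingClaims(array $userdata): array
{
    return array_values(array_filter(
        REQUIRED_CLAIMS, fn(string $c) => claimValue($userdata, $c) === null));
}

// Build the user input the thread's patch passes to GLPI, or throw.
// $emailExists is a hypothetical callback that checks for an existing account
// with that email (the duplicate-email failure found at the end of the thread).
function buildJitUser(array $userdata, callable $emailExists): array
{
    $missing = missingClaims($userdata);
    if ($missing !== []) {
        throw new RuntimeException('JIT Error: Unable to create user because missing claims ('
            . implode(', ', $missing) . ')');
    }
    $email = claimValue($userdata, 'emailaddress');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('JIT Error: emailaddress claim is not a valid address');
    }
    if ($emailExists($email)) {
        throw new RuntimeException("JIT Error: a user with email $email already exists");
    }
    return [
        'name'        => claimValue($userdata, 'name'),
        'realname'    => claimValue($userdata, 'surname') ?? claimValue($userdata, 'lastname') ?? '',
        'firstname'   => claimValue($userdata, 'firstname') ?? '',
        '_useremails' => [$email],
    ];
}
```

With the thread's own SAML response, a missing email now yields "missing claims (emailaddress)" and a missing name and email yields "missing claims (name, emailaddress)", instead of always blaming a single claim.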

Hello,
I always have this problem with a specific user.
I tried version 1.3.0 from the @DonutsNL fork but I still have a problem with this user.

2023-07-10 17:58:34 [@XXXXXXXXX]
JIT Error: Unable to create user because missing claims (emailaddress)
2023-07-10 17:58:34 [@xxxxxxxx]

JIT Error: Unable to create user because missing claims (emailaddress)

[2023-07-10 17:58:34] glpiphplog.WARNING: *** PHP Warning (2): Undefined global variable $_POST in /var/www/html/glpi/src/Application/View/TemplateRenderer.php at line 120

Backtrace :
src/Application/View/TemplateRenderer.php:135 Glpi\Application\View\TemplateRenderer->__construct()
src/Html.php:1296 Glpi\Application\View\TemplateRenderer::getInstance()
src/Html.php:2026 Html::includeHeader()
plugins/phpsaml/front/acs.php:62 Html::nullHeader()
public/index.php:82 require()

thanks

Hi,

It looks like no (valid or complete) saml response is received by the acs. Make sure all claims are present in the samlresponse including the missing field email. The $_POST message can be ignored. The plugin captures the post before GLPI can process it and then clears it. Clearing the POST causes the warning you are seeing.

Hello,

I think that the configuration on the ADFS is not good, but other users don't have SSO problems when they test.
I have these claims on ADFS:

Hi @jbtele29,

It is not possible for us to understand and support all idp tools out there that support Saml. Instead you should debug the Saml response and tweak it if required. Debugging is possible if you use the latest version of my branch you can actually dump the samlresponse and review it to see what is going wrong. To dump the responses:

  1. Create a folder 'debug' inside the plugin directory;
  2. Enable debug in the phpsaml config page;
  3. Replay the login; this should create a .php file in the debug folder;
  4. Open the dumped .php file to review the SamlResponse provided;
  5. It should have the missing claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Hello; I have a blank page when I use SSO.
In debug.php I have [decryptedDocument] => DOMDocument Object ( [config] => [doctype] => [implementation] => (object value omitted) [documentElement] => (object value omitted) [actualEncoding] => [encoding] => [xmlEncoding] => [standalone] => 1 [xmlStandalone] => 1 [version] => 1.0 [xmlVersion] => 1.0 [strictErrorChecking] => 1 [documentURI] => /var/www/html/glpi/plugins/phpsaml/front/ [formatOutput] => [validateOnParse] => [resolveExternals] => [preserveWhiteSpace] => 1 [recover] => [substituteEntities] => [firstElementChild] => (object value omitted) [lastElementChild] => (object value omitted) [childElementCount] => 1 [nodeName] => #document [nodeValue] => [nodeType] => 9 [parentNode] => [childNodes] => (object value omitted) [firstChild] => (object value omitted) [lastChild] => (object value omitted) [previousSibling] => [nextSibling] => [attributes] => [ownerDocument] => [namespaceURI] => [prefix] => [localName] => [baseURI] => /var/www/html/glpi/plugins/phpsaml/front/

Hi @jbtele29,
You misunderstand. Using my latest version (from the DonutsNL branch). In the phpsaml configuration page accessible via the plugin page, there is a 'debug' toggle just for phpsaml. Enable that and save the phpsaml configuration. Next manually create a new folder in the GLPI_ROOT/plugins/phpsaml/ directory called 'debug.' i.e. "GLPI_ROOT/plugins/phpsaml/debug" or if you used the marketplace "GLPI_ROOT/marketplace/phpsaml/debug".

After these steps, login again. The plugin should now have dumped the received samlResponse. Review this file to verify all the claims are provided using the required namespaces. Tweak your configuration to make sure the required namespaces are available. Then logging in using JIT should work correctly.

Do not share the samlResponse contents and do remove the debug folder after you are done.

Hello,
Yes, I have the samlResponse in the debug folder and I used your fork branch,
but when I click to login, nothing changes and I come back to the login page again.
In the dump I had the same info as in your deleted dump in your branch.

Hi,
I found the problem.
I imported test accounts into GLPI with a different login but the same email as my main account, so that was the problem.
I deleted the emails on my test accounts in AD and deleted the test accounts in GLPI, and now everything works as before.
Thanks

hi @jbtele29,

I am glad you found and fixed the problem. And your feedback is also very useful. It is true that currently the user creation process itself is not properly evaluated. Problems during creation are not handled properly. This needs to be handled as well. I'll create a new issue for this problem.