AlphaNodes GmbH "Redmine SAML" plugin does not take into account "admin" attribute
Added by Nicolas Metters about 1 year ago
Hi
Technical context:
- Redmine 5.0.5
- First Keycloak instance as IDP
- Another Keycloak instance as SP with a dedicated SAML client for Redmine
- Plugin alphanodes/redmine_saml version 1.0.6
https://github.com/alphanodes/redmine_saml
I've managed to configure the plugin and client to properly create user and log in.
However I would like to have the ability for user to be created as Redmine Administrators when the proper Group or Role is set in Keycloak.
The plugin seems to be able to:
- in the initializer there is reference to attribute "admin"
- in redmine_saml/lib/redmine_saml/patches/user_patch.rb that "admin" attribute is supposed to be used
I've checked the SAML response sent by Keycloak:
<saml:AttributeStatement>
  <saml:Attribute FriendlyName="Email address" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jeanroger.caussimon@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="Given name" Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Jean Roger</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="admin" Name="admin" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">true</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="Full name" Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jeanroger.caussimon</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute FriendlyName="Family name" Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Caussimon</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">default-roles-keycloak</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
However, my tests show that the value is in fact not taken into account or at least not pushed to Redmine.
My tests:
- in the "user_patch.rb" file, I've added a block after the user creation:
if user_attributes[:firstname].present?
  user.firstname = 'Nicolas'
  user.save!
  user.reload
end
SAML log in works and the user has the firstname Nicolas.
Meaning that this method works to update values after initial user creation.
- in the "user_patch.rb" file, I've added a block:
if user_attributes[:firstname].present?
  user.firstname = user_attributes[:admin]
  user.save!
  user.reload
end
Reloaded Redmine and SAML log-in fails:
<quote>ActiveRecord::RecordInvalid (Validation failed: Firstname can't be empty)):
plugins/redmine_saml/lib/redmine_saml/patches/user_patch.rb:40:in `find_or_create_from_omniauth'
plugins/redmine_saml/lib/redmine_saml/patches/account_controller_patch.rb:33:in `login_with_saml_callback'</quote>
And checking the SAML logs on Redmine's side and the Redmine metadata, there are no SAML attributes other than those defined by OmniAuth, so no "admin" attribute.
Has anyone managed to create an admin through the SAML plugin?
Regards
Nicolas
Replies (3)
RE: AlphaNodes GmbH "Redmine SAML" plugin does not take into account "admin" attribute - Added by Nicolas Metters about 1 year ago
Nevermind:
plugins/redmine_saml/lib/redmine_saml/base.rb
<quote>
def required_attribute_mapping
  %i[login firstname lastname mail]
end
</quote>
Updated to:
<quote>
def required_attribute_mapping
  %i[login firstname lastname mail admin]
end
</quote>
And all works well.
RE: AlphaNodes GmbH "Redmine SAML" plugin does not take into account "admin" attribute - Added by Nicolas Metters about 1 year ago
Please note that having made "admin" a requested attribute means that all users must send a value: true/false
Otherwise, you will have errors:
<quote>
I, [2023-11-16T04:33:51.272633 #1]  INFO -- : SAML onthefly user creation for: jeanroger.caussimon@nicksopenworld.com
I, [2023-11-16T04:33:51.292009 #1]  INFO -- : Completed 500 Internal Server Error in 30ms (ActiveRecord: 14.1ms | Allocations: 7249)
F, [2023-11-16T04:33:51.293051 #1] FATAL -- : ActiveRecord::NotNullViolation (PG::NotNullViolation: ERROR:  null value in column "admin" of relation "users" violates not-null constraint
DETAIL:  Failing row contains (84, jeanroger.caussimon, , Jean Roger, Caussimon, null, 1, null, en, null, 2023-11-16 04:33:51.28808, 2023-11-16 04:33:51.28808, User, only_my_events, null, f, null, null, null, null, f, t).
):
plugins/redmine_saml/lib/redmine_saml/patches/user_patch.rb:28:in `find_or_create_from_omniauth'
plugins/redmine_saml/lib/redmine_saml/patches/account_controller_patch.rb:33:in `login_with_saml_callback'
</quote>
Either set up a SAML attribute with the value false, or have the system set admin to 'false' if missing.
To do that, update the "onthefly_creation" block in:
/redmine_saml/lib/redmine_saml/patches/user_patch.rb
To:
if user.nil? && RedmineSaml.onthefly_creation? && user_attributes[:mail].present?
  Rails.logger.info "SAML onthefly user creation for: #{user_attributes[:mail]}"
  user = new user_attributes
  user.created_by_omniauth_saml = true
  user.login = user_attributes[:login].presence || user_attributes[:mail]
  user.language = Setting.default_language
  user.activate
  # users.admin is NOT NULL in the schema: when the IdP sent no "admin"
  # attribute, fall back to false instead of leaving it nil
  if user_attributes[:admin].present?
    user.admin = user_attributes[:admin]
  else
    user.admin = false
  end
  user.save!
  user.reload
end
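An added example, in my own Ruby and not code from the redmine_saml plugin or from the poster, that ties the two changes above together: it parses an AttributeStatement shaped like the one in the original post with REXML (stdlib), resolves the admin flag with a fail-closed parser so a missing attribute becomes false rather than nil (the NotNullViolation above), and contrasts that with the boolean cast Rails applies when `user.admin = user_attributes[:admin]` is handed a raw string, under which any non-empty value outside a short false-list (for example "no") is treated as true. The sample XML is constructed, and the `admin_role:` fallback on Keycloak's "Role" attribute and the SAML-attribute-to-field mapping in `user_attributes_from_saml` are assumptions for illustration, not plugin configuration.

```ruby
require 'rexml/document'

# Constructed sample, modelled on the AttributeStatement in the original post
# (same attribute names, trimmed to the values that matter here).
SAMPLE_ATTRIBUTE_STATEMENT = <<~XML
  <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                           xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml:Attribute Name="email"><saml:AttributeValue xsi:type="xs:string">jeanroger.caussimon@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue xsi:type="xs:string">Jean Roger</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue xsi:type="xs:string">Caussimon</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue xsi:type="xs:string">jeanroger.caussimon</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="admin"><saml:AttributeValue xsi:type="xs:string">true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue xsi:type="xs:string">Admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue xsi:type="xs:string">User</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
XML

# Collect every saml:Attribute as Name => [values]. The same Name may repeat
# (Keycloak emits one Attribute element per role), so values are arrays.
def parse_attributes(xml)
  doc = REXML::Document.new(xml)
  attrs = {}
  doc.root.each_element do |attribute|
    next unless attribute.name == 'Attribute' # REXML#name is the local name, prefix stripped
    name = attribute.attributes['Name']
    attribute.each_element do |value|
      next unless value.name == 'AttributeValue'
      (attrs[name] ||= []) << value.text.to_s.strip
    end
  end
  attrs
end

# Mirrors ActiveModel::Type::Boolean casting (reproduced so this runs without
# Rails): "" becomes nil, the listed false-values become false, and ANY other
# non-empty string, "no" or "deny" included, becomes true. This is what the
# plain assignment `user.admin = user_attributes[:admin]` does on a Rails model.
RAILS_FALSE_VALUES = [false, 0, '0', 'f', 'F', 'false', 'FALSE', 'off', 'OFF'].freeze

def rails_boolean_cast(value)
  return nil if value.nil? || value == ''
  !RAILS_FALSE_VALUES.include?(value)
end

# Fail-closed parser: only an explicit "true" or "1" grants admin; a missing,
# empty or unexpected value never does.
def strict_admin?(values)
  return false if values.nil? || values.empty?
  %w[true 1].include?(values.first.to_s.strip.downcase)
end

# Resolve the admin flag from parsed attributes. Prefers the dedicated "admin"
# attribute; optionally (assumption) falls back to an IdP role name carried in
# the "Role" attribute. Always returns a real boolean, so a NOT NULL column on
# users.admin can never see nil.
def resolve_admin(attrs, admin_role: nil)
  if attrs.key?('admin') && !attrs['admin'].empty?
    strict_admin?(attrs['admin'])
  elsif admin_role
    attrs.fetch('Role', []).include?(admin_role)
  else
    false
  end
end

# Build the hash an on-the-fly user creation would consume. The keys follow
# required_attribute_mapping in base.rb; which SAML attribute feeds which key
# is per-deployment configuration and is assumed here.
def user_attributes_from_saml(attrs, admin_role: nil)
  {
    login:     attrs.fetch('username', []).first,
    firstname: attrs.fetch('firstname', []).first,
    lastname:  attrs.fetch('lastname', []).first,
    mail:      attrs.fetch('email', []).first,
    admin:     resolve_admin(attrs, admin_role: admin_role)
  }
end

if __FILE__ == $PROGRAM_NAME
  attrs = parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
  p user_attributes_from_saml(attrs)
  p rails_boolean_cast('no') # true: Rails' cast would make this user an admin
  p strict_admin?(['no'])    # false: the strict parser fails closed
end
```

The practical point: once "admin" is in the mapping, the IdP is the sole authority for Redmine's highest privilege, so the value should be parsed strictly and the Keycloak mapper should only ever emit it for a tightly controlled group or role; leaving the cast to Rails means any misconfigured mapper that sends an unexpected non-empty string grants admin.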
RE: AlphaNodes GmbH "Redmine SAML" plugin does not take into account "admin" attribute - Added by Nicolas Metters about 1 year ago
For whoever it might interest: I've documented the SAML plugin configuration for Keycloak
https://www.nicksopenworld.com/configure-redmine-sso-with-keycloak-using-saml/