diff --git a/README.textile b/README.textile
index 33fb574..a8902ca 100644
--- a/README.textile
+++ b/README.textile
@@ -1,3 +1,5 @@
+_this fork is onelogin modifications of:_
+
 h1. Redmine OmniAuth SAML plugin
 This plugins adds SAML authentication support for "Redmine":http://www.redmine.org thanks to the "OmniAuth authentication framework":https://github.com/intridea/omniauth and specially thanks to "Redmine Omniauth CAS Plugin":https:https://github.com/jbbarth/redmine_omniauth_cas.
diff --git a/config/locales/en.yml b/config/locales/en.yml
index cbcb81b..1ca9e21 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -6,3 +6,4 @@ en:
 text_full_logout_proposal: You may want to %{value} before trying an other username.
 text_logout_from_saml: close SSO session
 label_onthefly_creation: Create users automatically?
+ error_saml_invalid_ticket: Invalid SAML authentication ticket
diff --git a/config/routes.rb b/config/routes.rb
index 831256b..13aef36 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -2,4 +2,7 @@
 match '/auth/failure' => 'account#login_with_saml_failure', via: [:get, :post]
 match '/auth/:provider/callback' => 'account#login_with_saml_callback', via: [:get, :post]
 match '/auth/:provider' => 'account#login_with_saml_redirect', as: :sign_in, via: [:get, :post]
+# post '/auth/:provider/consume' => redirect { |params, request| "/auth/saml/callback?#{request.params.to_query}"}
+ post '/auth/:provider/consume' => redirect { "/auth/saml" }
 end
+
diff --git a/config/routes.rb~ b/config/routes.rb~
new file mode 100644
index 0000000..5628318
--- /dev/null
+++ b/config/routes.rb~
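Review bot: The new `post '/auth/:provider/consume' => redirect { "/auth/saml" }` route drops the SAMLResponse the IdP POSTs to the assertion consumer endpoint, since a redirect cannot carry a POST body, and then sends the browser back to the sign-in initiator instead of to `login_with_saml_callback`; it also ignores the `:provider` segment in favour of a hard-coded `saml`. The commented-out variant above it would move the assertion into a GET query string, where it is written to web-server and proxy logs and leaks through Referer headers, so it is not a safe fallback either. If the OmniAuth middleware is what validates the response on the existing `/auth/:provider/callback` route (not visible in this hunk), the fix is to point the IdP's ACS URL at that route and remove this line rather than redirecting. The `+` blank line added after `end` is stray whitespace.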
@@ -0,0 +1,6 @@
+RedmineApp::Application.routes.draw do
+ match '/auth/failure' => 'account#login_with_saml_failure', via: [:get, :post]
+ match '/auth/:provider/callback' => 'account#login_with_saml_callback', via: [:get, :post]
+ match '/auth/:provider' => 'account#login_with_saml_redirect', as: :sign_in, via: [:get, :post]
+ match '/auth/:provider/consume' => 'account#login_with_saml_redirect', as: :sign_in, via: [:get, :post]
+end
diff --git a/lib/redmine_omniauth_saml/account_controller_patch.rb b/lib/redmine_omniauth_saml/account_controller_patch.rb
index 77fa963..fb31293 100644
--- a/lib/redmine_omniauth_saml/account_controller_patch.rb
+++ b/lib/redmine_omniauth_saml/account_controller_patch.rb
@@ -149,7 +149,9 @@ def sp_logout_request
 logout_request = OneLogin::RubySaml::Logoutrequest.new
 session[:transaction_id] = logout_request.uuid
 logger.info "New SP SLO for userid '#{User.current.login}' transactionid '#{session[:transaction_id]}'"
-
+
+ # perform the actual logout
+ saml_logout_user
 settings[:name_identifier_value] ||= name_identifier_value
 relay_state = home_url # url_for controller: 'saml', action: 'index'
diff --git a/lib/redmine_omniauth_saml/user_patch.rb b/lib/redmine_omniauth_saml/user_patch.rb
index ca8d381..addabae 100644
--- a/lib/redmine_omniauth_saml/user_patch.rb
+++ b/lib/redmine_omniauth_saml/user_patch.rb
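Review bot: `config/routes.rb~` looks like an editor backup copy of `config/routes.rb` and should not be part of the commit; remove it and add `*~` to `.gitignore` so it does not come back. If Rails ever loaded it, it would also register two routes named `sign_in` (`as: :sign_in` on both `/auth/:provider` and `/auth/:provider/consume`), which the router rejects as a duplicate route name.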
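Review bot: `saml_logout_user` runs before the LogoutRequest's subject is resolved on the next line (`settings[:name_identifier_value] ||= name_identifier_value`); if that helper clears the session or `User.current` (its body is not in the hunk, and `sp_logout_request` starts and ends outside it), the NameID sent to the IdP can be empty and the SLO exchange fails at the IdP while the local session is already gone. Resolve the identifier first and log out afterwards: `settings[:name_identifier_value] ||= name_identifier_value` followed by `saml_logout_user`, with the `# perform the actual logout` comment moved along. The `-`/`+` pair that swaps one blank line for another appears to be whitespace-only and could be dropped from the commit.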
@@ -5,14 +5,18 @@ class User
 def self.find_or_create_from_omniauth(omniauth)
 user_attributes = Redmine::OmniAuthSAML.user_attributes_from_saml omniauth
+ Rails.logger.info "bobo" + user_attributes.inspect
 user = self.find_by_login(user_attributes[:login])
 unless user
 user = EmailAddress.find_by(address: user_attributes[:mail]).try(:user)
 if user.nil? && Redmine::OmniAuthSAML.onthefly_creation?
- user = new user_attributes
+ user = User.new(:status => 1, :language => Setting.default_language)
+# user = new user_attributes
+ user.mail = user_attributes[:mail]
+ user.firstname = user_attributes[:firstname]
+ user.lastname = user_attributes[:lastname]
 user.created_by_omniauth_saml = true
- user.login = user_attributes[:login]
- user.language = Setting.default_language
+ user.login = omniauth.uid #this is onelogin specific probably
 user.activate
 user.save!
 user.reload
diff --git a/sample-onelogin-initializer.rb b/sample-onelogin-initializer.rb
new file mode 100644
index 0000000..79436d0
--- /dev/null
+++ b/sample-onelogin-initializer.rb
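Review bot: The lookup and the assignment now disagree about what a login is: `self.find_by_login(user_attributes[:login])` searches by the mapped attribute while the created account gets `user.login = omniauth.uid`, so unless the IdP's NameID happens to equal the mapped login, the next sign-in misses the existing user, falls through to the e-mail lookup, and if that misses too builds a second `User` that `save!` rejects on the unique login. Use one source on both sides, e.g. `user = self.find_by_login(omniauth.uid)`, and record the OneLogin assumption in the initializer's `:attribute_mapping` documentation instead of the trailing `#this is onelogin specific probably`. `Rails.logger.info "bobo" + user_attributes.inspect` writes the full attribute hash (e-mail address, names) to the log at info level under a placeholder label; drop it, or reduce it to `Rails.logger.debug { "SAML attributes received for login #{user_attributes[:login].inspect}" }`. `User.new(:status => 1, ...)` is made redundant by the later `user.activate`, and the commented-out `# user = new user_attributes` should be deleted rather than kept as dead code. `find_or_create_from_omniauth` continues past `user.reload` outside the hunk.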
@@ -0,0 +1,27 @@
+
+Redmine::OmniAuthSAML::Base.configure do |config|
+ config.saml = {
+# :assertion_consumer_service_url => "http://yourcompany.redminegit.com/auth/saml/callback", # OmniAuth callback URL
+ :assertion_consumer_service_url => "http://yourcompany.redminegit.com/auth/saml/consume", # OmniAuth callback URL
+ :issuer => "https://app.onelogin.com/saml/metadata/123456", # The issuer name / entity ID. Must be an URI as per SAML 2.0 s$
+ :idp_sso_target_url => "https://acosonic.onelogin.com/trust/saml2/http-post/sso/123456", # SSO login endpoint
+ :idp_cert_fingerprint => "AA:AA:AA:AA:AA:E0:FB:E6:E0:38:BA:6A:6A:FA:DA:2D:03:05:2B:94", # SSO ssl certificate fingerprint
+ # Alternatively, specify the full certifiate:
+ #:idp_cert => "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
+ :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+ :signout_url => "https://yourcomp.onelogin.com/trust/saml2/http-redirect/slo/123456", # Optional signout URL, not supported by all identity provide$
+ :idp_slo_target_url => "https://yourcomp.onelogin.com/trust/saml2/http-redirect/slo/123456",
+ :name_identifier_value => "mail", # Which redmine field is used as name_identifier_value for SAML logout
+ :attribute_mapping => {
+ # How will we map attributes from SSO to redmine attributes
+ :login => 'extra.raw_info.username',
+ :mail => 'extra.raw_info.email',
+ :firstname => 'extra.raw_info.firstname',
+ :lastname => 'extra.raw_info.lastname'
+ }
+ }
+
+ config.on_login do |omniauth_hash, user|
+ # Implement any hook you want here
+ end
+end
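Review bot: `:assertion_consumer_service_url` in this sample points at `/auth/saml/consume`, which the routes change in the same commit turns into a redirect back to `/auth/saml`, so a deployment copied from this file would never complete a login; the commented-out `/auth/saml/callback` value is the route the callback action is wired to, and both values use `http://` rather than `https://`, which would send the posted assertion in clear text. `:idp_cert_fingerprint` is a 20-byte, i.e. SHA-1, fingerprint of what looks like a placeholder certificate; prefer the full `:idp_cert` shown in the comment below it, or a SHA-256 fingerprint if the plugin passes a fingerprint algorithm through to ruby-saml (not visible here). Two comment lines are cut off mid-sentence and end in `s$` and `provide$`, apparently pasted from a truncating pager; restore them from the original sample. `:signout_url` and `:idp_slo_target_url` carry the same value with no hint of which one the plugin reads, so a one-line comment naming the authoritative key would save the next operator a guess.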