
JIT Error: Unable to create user because missing claims (emailaddress)

Open Antcares opened this issue 3 years ago • 16 comments

Hello! I have configured the plugin in GLPI 9.5.9 and it is functioning properly, but I am having this error when JIT is enabled and the user doesn't exist in GLPI:

JIT Error: Unable to create user because missing claims (emailaddress)

My IdP is Keycloak, and I have created a mapper named emailaddress to send the email in the response (I attach the SAML file). Any help is appreciated. SAML_response

Antcares, Oct 05 '22 15:10

I took a look at phpsaml.class.php on line 84 and noticed that JIT requires both name and emailaddress to create the user.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

I updated the error message to check which claim is missing.

$missing = (empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0]) ? 'name' : 'emailaddress');
$error = "JIT Error: Unable to create user because missing claims ($missing)";

derricksmith, Nov 17 '22 04:11

Hello, working with GLPI 10.0.5 and this wonderful plugin :) I'm having the same error using SAML2 federation.

I commented out this in phpsaml.class.php (line 84):

// if ((!empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0])) && (!empty(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]))){

and replaced it with:

if ((!empty(self::$userdata['name'][0])) && (!empty(self::$userdata['emailaddress'][0]))){

as $userdata is an array.

And also on lines 90-93 I commented out this:

// "name" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0],
// "realname" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'][0],
// "firstname" => self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname'][0],
// "_useremails" => array(self::$userdata['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]),

and replaced it with:

"name" => self::$userdata['name'][0],
"realname" => self::$userdata['lastname'][0],
"firstname" => self::$userdata['firstname'][0],
"_useremails" => array(self::$userdata['emailaddress'][0]),

I've been able to JIT provision a new user and map some attributes (email, firstname, realname and Login Name).

Best regards

Laurent

Loz-001, Dec 07 '22 15:12

Good night everybody!!!!

This [Laurent's fix above]. Thanks, I did this in the code and Gsuite authentication worked. I have one question: if we need to map other attributes, is it possible?

SilvaFernando, Feb 15 '23 01:02

Sorry, I've not been able to map other attributes yet.

I would like to have at least the phone number mapped. If someone knows how to add it :)

Laurent

Loz-001, Feb 15 '23 12:02

@derricksmith, can you help us with this?

Thanks :)

SilvaFernando, Feb 23 '23 17:02

Todo: Add additional JIT validations to phpsaml.class.php: private static function performJit($relayState)

DonutsNL, May 30 '23 07:05

Should be solved in my latest branch.

DonutsNL, Jun 30 '23 10:06

Hello, I always have this problem with a specific user. I tried the 1.3.0 version of the @DonutsNL fork but I still have a problem with this user:

2023-07-10 17:58:34 [@xxxxxxxxx] JIT Error: Unable to create user because missing claims (emailaddress)
2023-07-10 17:58:34 [@xxxxxxxx] JIT Error: Unable to create user because missing claims (emailaddress)

[2023-07-10 17:58:34] glpiphplog.WARNING: *** PHP Warning (2): Undefined global variable $_POST in /var/www/html/glpi/src/Application/View/TemplateRenderer.php at line 120

Backtrace :
src/Application/View/TemplateRenderer.php:135 Glpi\Application\View\TemplateRenderer->__construct()
src/Html.php:1296 Glpi\Application\View\TemplateRenderer::getInstance()
src/Html.php:2026 Html::includeHeader()
plugins/phpsaml/front/acs.php:62 Html::nullHeader()
public/index.php:82 require()

Thanks

jbtele29, Jul 10 '23 16:07

Hi,

It looks like no (valid or complete) SAML response is received by the ACS. Make sure all claims are present in the SAMLResponse, including the missing field email. The $_POST message can be ignored: the plugin captures the POST before GLPI can process it and then clears it. Clearing the POST causes the warning you are seeing.

DonutsNL, Jul 10 '23 22:07

Hello,

I think that the configuration on the ADFS is not good, but other users don't have SSO problems when they test. I have these claims on ADFS: (image)

jbtele29, Jul 11 '23 08:07

Hi @jbtele29,

It is not possible for us to understand and support all IdP tools out there that support SAML. Instead you should debug the SAML response and tweak it if required. Debugging is possible if you use the latest version of my branch: you can actually dump the SAMLResponse and review it to see what is going wrong. To dump the responses:

  1. Create a folder 'debug' inside the plugin directory;
  2. Enable debug in the phpsaml config page;
  3. Replay the login; this should create a .php file in the debug folder;
  4. Open the dumped .php file to review the SamlResponse provided;
  5. It should have the missing claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

DonutsNL, Jul 11 '23 08:07

Hello; I have a blank page when I use SSO. In debug.php I have [decryptedDocument] => DOMDocument Object ( [config] => [doctype] => [implementation] => (object value omitted) [documentElement] => (object value omitted) [actualEncoding] => [encoding] => [xmlEncoding] => [standalone] => 1 [xmlStandalone] => 1 [version] => 1.0 [xmlVersion] => 1.0 [strictErrorChecking] => 1 [documentURI] => /var/www/html/glpi/plugins/phpsaml/front/ [formatOutput] => [validateOnParse] => [resolveExternals] => [preserveWhiteSpace] => 1 [recover] => [substituteEntities] => [firstElementChild] => (object value omitted) [lastElementChild] => (object value omitted) [childElementCount] => 1 [nodeName] => #document [nodeValue] => [nodeType] => 9 [parentNode] => [childNodes] => (object value omitted) [firstChild] => (object value omitted) [lastChild] => (object value omitted) [previousSibling] => [nextSibling] => [attributes] => [ownerDocument] => [namespaceURI] => [prefix] => [localName] => [baseURI] => /var/www/html/glpi/plugins/phpsaml/front/

jbtele29, Jul 11 '23 08:07

Hi @jbtele29, you misunderstand. Using my latest version (from the DonutsNL branch), in the phpsaml configuration page accessible via the plugin page, there is a 'debug' toggle just for phpsaml. Enable that and save the phpsaml configuration. Next, manually create a new folder in the GLPI_ROOT/plugins/phpsaml/ directory called 'debug', i.e. "GLPI_ROOT/plugins/phpsaml/debug" or, if you used the marketplace, "GLPI_ROOT/marketplace/phpsaml/debug".

After these steps, log in again. The plugin should now have dumped the received samlResponse. Review this file to verify all the claims are provided using the required namespaces. Tweak your configuration to make sure the required namespaces are available. Then logging in using JIT should work correctly.

Do not share the samlResponse contents and do remove the debug folder after you are done.

DonutsNL, Jul 11 '23 09:07

Hello, yes I have the samlResponse in the debug folder and I used your fork branch (image), but when I click to log in, nothing changes and I come back to the login again. In the dump I had the same info as in your deleted dump in your branch.

jbtele29, Jul 11 '23 09:07

Hi, I found the problem. I had imported test accounts on GLPI with a different login but the same email as my main account, so that was the problem. I deleted the emails on my test accounts in AD and deleted the test accounts in GLPI, and now everything works as before. Thanks

jbtele29, Jul 11 '23 10:07

Hi @jbtele29,

I am glad you found and fixed the problem. And your feedback is also very useful. It is true that currently the user creation process itself is not properly evaluated: problems during creation are not handled properly. This needs to be handled as well. I'll create a new issue for this problem.

DonutsNL, Jul 11 '23 10:07
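The pre-checks this thread converges on, as an added example that is not phpsaml's own code nor any participant's patch: every missing required claim is reported by name (derricksmith's ternary can only name one and assumes emailaddress whenever name is present), the lookup key is the full claim URI the plugin uses (which is presumably why Laurent's short-key variant worked with his IdP: the key has to match the attribute name the IdP actually sends), and a duplicate e-mail, jbtele29's finding, gets its own error instead of the misleading "missing claims" one. CLAIM_NS, missingJitClaims, jitPrecheck and $existingUsers are assumed names, not plugin API, and the sample data is constructed.

```php
<?php
// Added example, not phpsaml's own code. Claims are keyed by the full URIs
// derricksmith quotes; $existingUsers (login => list of e-mails) is a
// constructed stand-in for GLPI's user tables.
const CLAIM_NS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';

// Names of every required claim that is absent or empty, not just the first.
function missingJitClaims(array $userdata): array
{
    $missing = [];
    foreach (['name', 'emailaddress'] as $claim) {
        if (empty($userdata[CLAIM_NS . $claim][0])) {
            $missing[] = $claim;
        }
    }
    return $missing;
}

// Returns ['ok', $userFields] or ['error', $message]. The message names the
// real cause, so a duplicate e-mail (jbtele29's case) is not reported as a
// missing claim.
function jitPrecheck(array $userdata, array $existingUsers): array
{
    if (($missing = missingJitClaims($userdata)) !== []) {
        return ['error', 'JIT Error: Unable to create user because missing '
            . 'claims (' . implode(', ', $missing) . ')'];
    }
    $get   = fn(string $c): string => trim($userdata[CLAIM_NS . $c][0] ?? '');
    $login = $get('name');
    $email = strtolower($get('emailaddress'));
    foreach ($existingUsers as $other => $emails) {
        if (in_array($email, array_map('strtolower', $emails), true)) {
            return ['error', "JIT Error: e-mail '$email' already belongs to user '$other'"];
        }
    }
    return ['ok', [
        'name'        => $login,
        'realname'    => $get('surname'),    // optional claims may be empty
        'firstname'   => $get('firstname'),
        '_useremails' => [$email],
    ]];
}
// Constructed sample: a test account whose e-mail an existing user already owns.
$existing = ['jdoe' => ['jdoe@example.org']];
$claims   = [CLAIM_NS . 'name' => ['jdoe-test'], CLAIM_NS . 'emailaddress' => ['JDoe@example.org']];
[$status, $detail] = jitPrecheck($claims, $existing);
echo "$status: ", is_array($detail) ? json_encode($detail) : $detail, "\n";
unset($claims[CLAIM_NS . 'emailaddress']);            // now a required claim is missing
echo implode(': ', jitPrecheck($claims, $existing)), "\n";
```

Run it with `php` from the command line; the first call reports the duplicate e-mail and the second the missing emailaddress claim, each with its own message.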