
Azure AD SAML Auth

Open jboileau99 opened this issue 5 years ago • 16 comments

Hi,

I'm trying to set up SAML auth through Azure AD. Is there any documentation on this? I saw this, but sadly that is in German.

Thanks

jboileau99 avatar Apr 22 '20 17:04 jboileau99

Any luck with the setup?

I have followed this guide https://www.booches.nl/2020/05/phpipam-azure-and-saml-authentication/ But... In Azure the login is a success, but on the phpipam side I get a blank page with "invalid_response" and nothing in Tools > Log Files...

PHP Version 7.4.3 phpipam 1.4.1

elhiss avatar Jan 05 '21 10:01 elhiss

Hello @elhiss, there's an updated SAML plugin in the master branch (v1.50). It also includes a debugging option which displays the reason for failure.

[screenshot]

GaryAllan avatar Jan 05 '21 11:01 GaryAllan

@GaryAllan Thank you for the info! Will update and see if I can get it to work.

elhiss avatar Jan 07 '21 07:01 elhiss

After updating to the master branch the error messages were a bit easier to understand, since it wasn't just "invalid_response". I had the wrong format on the certificate, re-entered it and now Single Sign-On via Azure works. 👌

FYI, I followed this guide except for downloading the Base64 cert for the thumbprint. Instead I downloaded the Federation Metadata XML and extracted the X.509 cert from there.

[Screenshot 2021-01-07 115203]

[Screenshot 2021-01-07 131249]

elhiss avatar Jan 07 '21 12:01 elhiss
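The step described in the post above (taking the IdP signing certificate from the Federation Metadata XML instead of the separately downloaded Base64 certificate) can be scripted. The following is an added example, not phpIPAM project code: it parses a constructed federation metadata document, pulls the `X509Certificate` out of the signing `KeyDescriptor`, wraps it as PEM and computes the SHA-1 thumbprint of the DER bytes, which is what the Azure portal shows as "Thumbprint". The certificate bytes below are a constructed stand-in, not a real certificate, and the entity ID and SSO URL are placeholders; replace `SAMPLE_METADATA` with the XML downloaded from your own tenant.

```python
"""Extract the IdP signing certificate from SAML federation metadata (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for DER certificate bytes; a real certificate is ASN.1, ~1 KiB.
FAKE_DER = b"constructed-stand-in-for-a-DER-encoded-certificate" * 4
SAMPLE_CERT_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed metadata in the shape Azure AD publishes (placeholder tenant/URLs).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/PLACEHOLDER-TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            {SAMPLE_CERT_B64}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/PLACEHOLDER-TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def signing_certificates(metadata_xml):
    """Return the base64 bodies of every signing certificate in the IdP metadata.

    A KeyDescriptor with use="signing", or with no use attribute at all (which the
    metadata spec treats as usable for both signing and encryption), qualifies.
    Whitespace inside the element is stripped because IdPs often wrap the body.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())
            if body:
                certs.append(body)
    return certs


def to_pem(cert_b64):
    """Wrap a bare base64 certificate body in PEM armour with 64-character lines."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def thumbprint_sha1(cert_b64):
    """SHA-1 over the DER bytes, upper-case hex, as the Azure portal displays it."""
    der = base64.b64decode(cert_b64, validate=True)
    return hashlib.sha1(der).hexdigest().upper()


def extract_signing_cert(metadata_xml):
    """Return the first signing certificate as bare base64, PEM and thumbprint."""
    certs = signing_certificates(metadata_xml)
    if not certs:
        raise ValueError("metadata contains no signing certificate")
    cert = certs[0]
    return {"base64": cert, "pem": to_pem(cert), "thumbprint": thumbprint_sha1(cert)}


if __name__ == "__main__":
    result = extract_signing_cert(SAMPLE_METADATA)
    print("Thumbprint (SHA-1):", result["thumbprint"])
    print(result["pem"])
```

The result gives both the bare base64 body and the PEM form, so whichever of the two the certificate field of your phpIPAM version expects can be pasted in, and the thumbprint can be compared against the value shown on the Enterprise Application's SAML signing certificate page to confirm the right certificate was extracted. If Azure has rolled the signing certificate, the metadata may list more than one; `signing_certificates` returns all of them in document order.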

I cannot get this working even with the above. Any further updates to this issue?

mark88d avatar Sep 15 '22 16:09 mark88d

@mark88d: as per 1.5:

  • certificate name is the (unencoded) certificate
  • identifier is just some unique value which should be the same in AAD
  • SAML username should be the complete mapping as found in the AAD attribute

Finally, you might need to change the attribute value for display_name and email (in AAD).

[screenshot]

BerendvW avatar Nov 02 '22 13:11 BerendvW

Thanks @BerendvW, that's great, it worked.

> @mark88d: as per 1.5:
>
>   • certificate name is the (unencoded) certificate
>   • identifier is just some unique value which should be the same in AAD
>   • SAML username should be the complete mapping as found in the AAD attribute
>
> Finally, you might need to change the attribute value for display_name and email (in AAD).
>
> [screenshot]

mark88d avatar Nov 02 '22 16:11 mark88d

Anyone got this working with phpIPAM 1.5.2 and Azure AD? The documentation is not good enough for this to be a straightforward setup. I'm currently stuck at a 403 Forbidden error during POST to https://phpipam_uri/saml2/

joakimlemb avatar Apr 17 '23 20:04 joakimlemb

@joakimlemb, I got that working yesterday, following the guide @elhiss posted, and then made sure that my claims on the Enterprise App were correct. Here's my working config. Hope that helps.

[two screenshots of the working config]

gnilronm avatar Apr 25 '23 06:04 gnilronm

@gnilronm I'm not sure what was wrong but I just redid the entire config and made sure it matched yours, and it works now. Thank you.

Can't figure out JIT yet, but at least we can login with pre-provisioned users.

JIT error: Mandatory SAML JIT attribute missing : display_name (string)

Claims: [screenshot]

joakimlemb avatar Apr 25 '23 08:04 joakimlemb

> @gnilronm I'm not sure what was wrong but I just redid the entire config and made sure it matched yours, and it works now. Thank you.
>
> Can't figure out JIT yet, but at least we can login with pre-provisioned users.
>
> JIT error: Mandatory SAML JIT attribute missing : display_name (string)
>
> Claims: [screenshot]

You need to make sure that you are adding the additional claims that JIT is expecting.

[screenshot of the claims configuration]

vivek-skumar avatar May 12 '23 13:05 vivek-skumar

@vivek-skumar @elhiss @GaryAllan Based on those attributes, how does it know whether a user should be an admin or a normal user? Can this setup automatically provision the user in phpIPAM instead of manually creating the user first?

vadaszgergo avatar Feb 08 '24 15:02 vadaszgergo

https://github.com/phpipam/phpipam/blob/master/doc/Authentication/SAML2.md

See JIT and 'is_admin' attribute.

GaryAllan avatar Feb 08 '24 15:02 GaryAllan
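The JIT error quoted earlier in the thread ("Mandatory SAML JIT attribute missing : display_name (string)") and the is_admin attribute pointed to above both come down to which claims the IdP actually puts in the assertion. The following is an added example, not phpIPAM's own code: it parses a SAML Response, lists the attributes present, and reports which of the JIT attributes are missing before you try the login again. The attribute names treated as mandatory (display_name, email) and the admin flag (is_admin) are the ones named in this thread; the username claim URI and the truthy values accepted for is_admin are assumptions marked in the code, and the two responses are constructed and unsigned. This is a diagnostic of what the IdP sent, not a substitute for the signature and audience validation phpIPAM performs on a real response.

```python
"""Diagnose which SAML JIT attributes an assertion carries (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed: phpIPAM's "username attribute" setting pointed at the standard name claim.
USERNAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# Named as mandatory for JIT in this thread.
MANDATORY_JIT_ATTRS = ("display_name", "email")
# Admin flag referred to in the SAML2.md doc linked above.
ADMIN_ATTR = "is_admin"
# Assumed set of values meaning "admin"; check the doc for what your version accepts.
ADMIN_TRUE_VALUES = ("1", "true", "yes")


def attribute_map(response_xml):
    """Return ({attribute name: [values]}, NameID) from a SAML Response document."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return attrs, (name_id.text if name_id is not None else None)


def jit_diagnosis(response_xml):
    """List the claims present and every JIT problem, in phpIPAM's own wording."""
    attrs, name_id = attribute_map(response_xml)
    problems = []
    username = (attrs.get(USERNAME_ATTR) or [None])[0]
    if not username:
        problems.append(f"username attribute missing : {USERNAME_ATTR}")
    for name in MANDATORY_JIT_ATTRS:
        if not (attrs.get(name) or [""])[0]:
            problems.append(f"Mandatory SAML JIT attribute missing : {name} (string)")
    raw_admin = (attrs.get(ADMIN_ATTR) or [""])[0].strip().lower()
    return {
        "username": username,
        "name_id": name_id,
        "is_admin": raw_admin in ADMIN_TRUE_VALUES,
        "attributes": attrs,
        "problems": problems,
    }


def _response(attributes, name_id="jdoe@example.com"):
    """Build a constructed, unsigned SAML Response carrying the given attributes."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items()
    )
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed sample 1: all claims an admin JIT login needs.
FULL_CLAIMS = _response({
    USERNAME_ATTR: "jdoe@example.com",
    "display_name": "Jane Doe",
    "email": "jdoe@example.com",
    ADMIN_ATTR: "1",
})
# Constructed sample 2: the situation reported in the thread, display_name never sent.
MISSING_DISPLAY_NAME = _response({
    USERNAME_ATTR: "jdoe@example.com",
    "email": "jdoe@example.com",
})


if __name__ == "__main__":
    for label, xml in (("full", FULL_CLAIMS), ("missing display_name", MISSING_DISPLAY_NAME)):
        d = jit_diagnosis(xml)
        print(label, "->", sorted(d["attributes"]), d["problems"] or "OK", "admin" if d["is_admin"] else "user")
```

Run it against a response captured with the debugging option GaryAllan mentioned (or the browser's SAML tracer) and the `problems` list tells you which claim to add in the Enterprise Application's attribute mapping, matching the claim name exactly as phpIPAM expects it.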

> @gnilronm I'm not sure what was wrong but I just redid the entire config and made sure it matched yours, and it works now. Thank you.
>
> Can't figure out JIT yet, but at least we can login with pre-provisioned users.
>
> JIT error: Mandatory SAML JIT attribute missing : display_name (string)
>
> Claims: [screenshot]

I tried following this with Debugging on, I simply get a white page with: "Invalid username or password"

I am not prompted for a 2FA code like I normally would though. Is that the issue?

Anyone9060 avatar Jun 28 '24 19:06 Anyone9060

I just got a new account working. I had to make a new user with "username" in IPAM that matches the UPN in Entra ID/AD.

Prior to this, all users were AD integrated and their "Username" in IPAM was simply "username" and not "username@domain.com".

  • I was not able to modify an existing user's username in IPAM to add the @domain.com portion.
  • Ensure that during all this testing you didn't inadvertently exclude yourself from MFA requirements. I found that out, and once corrected, MFA in M365 also worked during the SAML login.

Is there a way to convert existing AD users to SAML users? I can easily change the drop-down for authentication, but I can't seem to change the usernames once they are already created.

Anyone9060 avatar Jun 28 '24 20:06 Anyone9060

Linking #2281, as I found some issues if we try to convert from LDAP-integrated accounts to SAML accounts.

Anyone9060 avatar Jul 05 '24 17:07 Anyone9060