SAML2 with Azure AD

Hi All,

I’m pretty close to getting SAML functioning, but the callback seems to be slightly broken and I’m kind of stuck…

I get the callback to: https:///auth/saml2/callback and am presented with Whoops, looks like something went wrong. Check your librenms.log…

I tail the librenms log and this is what I see during the callback:
Unknown binding type ‘’ {“exception”:“[object] (LightSaml\Error\LightSamlBindingException(code: 0): Unknown binding type ‘’ at /opt/librenms/vendor/litesaml/lightsaml/src/Binding/BindingFactory.php:75)”}

Below is my provider configuration:

{
    "redirect": true,
    "register": true,
    "configs": {
        "saml2": {
            "metadata": "https://login.microsoftonline.com/12b927cf-1be7-4fa2-a67f-5de9d52f96de/federationmetadata/2007-06/federationmetadata.xml?appid=a1661021-0eea-4536-a476-83f58c9bc26c",
            "sp_default_binding_method": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "listener": "\SocialiteProviders\Saml2\Saml2ExtendSocialite"
        }
    }
}

********** UPDATE ************
Alright, so it appears that this just impacts the Chrome browser… I’ve cleared cache, restarted the browser, all the normal browser-ish things to do, but it still occurs.

Firefox and Safari (on a Mac) do not seem to exhibit this behavior.

I’m having a similar issue, did you configure the SSO settings within config.php?

I have similar issues with all browsers. librenms.log says:

 {"exception":"[object] (Laravel\\Socialite\\Two\\InvalidStateException(code:0):  at /opt/librenms/vendor/socialiteproviders/saml2/Provider.php:578)"}

If I set SESSION_SAME_SITE_COOKIE=none, all browsers except Chrome are working correctly. If SESSION_SAME_SITE_COOKIE=none, Chrome will just show a “419 Expired” page when pressing the “Login with Saml2” button.

Also it seems that none of the attributes are accepted (when logging in via Firefox)

Has anyone successfully configured SAML2 (maybe with LemonLDAP)?
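The two symptoms in this post (InvalidStateException on the callback, and a 419 page in Chrome once SameSite is set to none) are the two ways a SAML HTTP-POST callback can lose the session cookie. The following is an added illustration, not LibreNMS, Laravel, SocialiteProviders or browser code: a small model of the SameSite rules (RFC 6265bis as Chrome applies them, including Chrome's rule that a SameSite=None cookie is discarded unless it also carries Secure). The function names are mine, and the "Lax-allowing-unsafe" grace period Chrome grants to cookies with no SameSite attribute at all is deliberately left out of the model.

```python
# Added illustration (not LibreNMS, Laravel, SocialiteProviders or browser code): a model of
# the SameSite cookie rules that decide whether the browser attaches the LibreNMS session
# cookie to the IdP's form POST back to /auth/saml2/callback.
# Assumptions: rules as in RFC 6265bis, plus Chrome's requirement that SameSite=None cookies
# also carry Secure; the "Lax-allowing-unsafe" grace period Chrome applies to cookies with
# no SameSite attribute at all is deliberately left out.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_stored(same_site: str, secure: bool) -> bool:
    """Chrome discards a Set-Cookie with SameSite=None unless it also has Secure."""
    if same_site.lower() == "none" and not secure:
        return False
    return True


def cookie_sent(same_site: str, cross_site: bool, top_level: bool, method: str) -> bool:
    """Whether a stored cookie is attached to a request, given the request context."""
    if not cross_site:
        return True
    policy = same_site.lower()
    if policy == "strict":
        return False
    if policy == "lax":
        # Lax only rides along on top-level navigations that use a safe method.
        return top_level and method.upper() in SAFE_METHODS
    return True  # SameSite=None


def saml_post_callback_has_session(same_site: str, secure: bool) -> bool:
    """The IdP (a different site) auto-submits a top-level form POST to the SP callback.
    Without the session cookie the SP cannot find the state it saved before redirecting,
    which is what Socialite reports as InvalidStateException."""
    if not cookie_stored(same_site, secure):
        return False
    return cookie_sent(same_site, cross_site=True, top_level=True, method="POST")


def outcome(same_site: str, secure: bool) -> str:
    """Human-readable summary of what a login attempt would look like."""
    if not cookie_stored(same_site, secure):
        return "session cookie never stored: even same-site form posts fail (419-style CSRF errors)"
    if not saml_post_callback_has_session(same_site, secure):
        return "cookie stored but not sent on the cross-site POST callback: state mismatch"
    return "callback carries the session: state check can succeed"


if __name__ == "__main__":
    for same_site in ("strict", "lax", "none"):
        for secure in (False, True):
            print(f"SameSite={same_site:<6} Secure={str(secure):<5} -> {outcome(same_site, secure)}")
```

Read against the post: Lax or Strict keeps the cookie off the cross-site POST callback, which matches the InvalidStateException; None without Secure is never stored by Chrome, which matches a 419 on the very first same-site form submit while other browsers still work. In Laravel-based applications such as LibreNMS the two attributes come from SESSION_SAME_SITE_COOKIE and SESSION_SECURE_COOKIE, so the combination to check for the HTTP-POST binding is none plus Secure (and therefore HTTPS). Setting SameSite=None does give up the cookie-level CSRF mitigation, which is why the framework's CSRF token and the SAML state check remain important.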

I was having a similar problem - the first saml2 login worked, but if you logged out you got a blank page with no login box.

I fixed it by leaving the default login as mysql and turning off the redirect on the saml2 settings.

Now I get a login box with a saml2 login button and that works.

Hi @routerfixer ,

May I know how you managed to get the certificate part working? When I use a .cer or .crt file I get the following error:

“Cannot use a scalar value as an array”

And when I use .pem I get:

The “-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAwIBAgIQRWuqb10ANoJDalud3ifNWzANBgkqhkiG9w0BAQsFADA0…
-----END CERTIFICATE-----” option does not exist.

I’ve followed the steps and maybe I made a rookie mistake somewhere there?

lnms plugin:add socialiteproviders/saml2
lnms config:set auth.socialite.configs.saml2.acs https://login.microsoftonline.com/CLIENT_ID_HERE/saml2
lnms config:set auth.socialite.configs.saml2.entityid https://sts.windows.net/CLIENT_ID_HERE/
lnms config:set auth.socialite.configs.saml2.listener "\SocialiteProviders\Saml2\Saml2ExtendSocialite"
lnms config:set auth.socialite.configs.saml2.sp_default_binding_method urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
lnms config:set auth.socialite.configs.saml2.metadata "$(cat LibreNMS.xml)"
lnms config:set auth.socialite.configs.saml2.certificate "$(cat LibreNMS.pem)"
lnms config:clear

I appreciate your help in advance!

Kind regards,
Adrian

Hi,

Here is my config with the private data truncated with …

I tried to load the cert from a file but could not get it to work; as you can see, I just put the certificate string in the config directly, all on one long line.

lnms plugin:add socialiteproviders/saml2

lnms config:set auth.socialite.redirect false
lnms config:set auth.socialite.register true
lnms config:set auth.socialite.configs.saml2.acs https://login.microsoftonline.com/fa5f.../saml2
lnms config:set auth.socialite.configs.saml2.entityid https://sts.windows.net/fa5f.../
lnms config:set auth.socialite.configs.saml2.certificate MIIC8DCCAdigAwIBAgIQVFaPBtRUSotGu7Cmxv+9+DANBgkrOPs...
lnms config:set auth.socialite.configs.saml2.listener "\SocialiteProviders\Saml2\Saml2ExtendSocialite"
lnms config:set auth.socialite.configs.saml2.metadata https://login.microsoftonline.com/fa5f.../federationmetadata/2007-06/federationmetadata.xml?appid=8451...
lnms config:set auth.socialite.configs.saml2.sp_default_binding_method urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
lnms config:clear

That's how it works for me.

HTH

Steve
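Adrian's question about the certificate format and Steve's working config both come down to the same detail: the value stored in auth.socialite.configs.saml2.certificate is the bare base64 DER body on one line, not a PEM file. The following is an added illustration, not LibreNMS or SocialiteProviders code, that produces that string either from a PEM file or directly from the IdP federation metadata (the certificate sits in the signing KeyDescriptor, which is where Adrian later found it). The metadata document and the certificate bytes are constructed stand-ins, the function names are mine, and the only assumption about the provider is the one Steve's config demonstrates.

```python
# Added illustration, not LibreNMS or SocialiteProviders code: turn the IdP signing
# certificate into the form Steve's config uses, a bare base64 (DER) string on one line.
# It assumes only that auth.socialite.configs.saml2.certificate expects that bare string
# and not a PEM file; the metadata and certificate below are constructed stand-ins.
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in: base64 of the DER bytes 30 03 02 01 01 (SEQUENCE { INTEGER 1 }),
# small enough to check by hand; a real certificate is a far longer SEQUENCE.
SAMPLE_B64 = "MAMCAQE="
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/TENANT_ID_PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>
        MAMC
        AQE=
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def pem_to_oneline(pem_text: str) -> str:
    """Drop the PEM armour and every line break: what is left is the base64 DER body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return re.sub(r"\s+", "", body)


def signing_certs_from_metadata(metadata_xml: str) -> list:
    """Base64 values of the X509Certificate elements under signing KeyDescriptors."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append(re.sub(r"\s+", "", cert.text or ""))
    return certs


def looks_like_der_cert(b64: str) -> bool:
    """Cheap sanity check before pasting: valid base64 whose first byte is a DER SEQUENCE tag."""
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30


def config_set_command(b64: str) -> str:
    """The lnms invocation from the thread, with the one-line string filled in."""
    return f"lnms config:set auth.socialite.configs.saml2.certificate {b64}"


if __name__ == "__main__":
    from_file = pem_to_oneline(SAMPLE_PEM)
    from_metadata = signing_certs_from_metadata(SAMPLE_METADATA)
    print("from PEM file    :", from_file, looks_like_der_cert(from_file))
    print("from metadata XML:", from_metadata)
    print(config_set_command(from_file))
```

Two practical notes. The one-line string is safe to pass to lnms unquoted because base64 contains no shell metacharacters, whereas a multi-line PEM handed to the command splits on its line breaks; the `-----BEGIN CERTIFICATE-----` token then starts with a dash, which is the kind of argument Symfony Console rejects with "option does not exist", the error quoted earlier in the thread (the curly quotes in that post are not shell quotes, so they would not have prevented the split). And because this value is what the SP uses to verify IdP signatures, take it from the metadata you fetched over HTTPS from the tenant, and expect to repeat the step when Azure rolls the signing certificate.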

Hi,

Thanks for the reply and guidance!

Just as I wrote the post, I noticed the certificate section in the metadata and was able to obtain the string from there and that made progress.

Unfortunately, only to the point:

I’ve checked that the entityID and acs match Azure. It fails despite this, and I cannot see the https://librenms-***-dev.com/auth/saml2 part set anywhere (checked .env, socialite settings, config:get auth.socialite also returns no such information on where it is stored, nor the database config table).

I think it is calling the wrong URI for some reason or is rejected by Azure.

Best regards