Invalid Credentials [ en.notice_account_invalid_creditentials ]

[SecurityInMind]

Hi,

We are experiencing some troubles with getting this plugin to work with our Redmine, below you can find related details:

Environment:
Redmine version 3.4.3.stable
Ruby version 2.2.5-p319 (2016-04-26) [x86_64-linux]
Rails version 4.2.8
Environment production
Database adapter Mysql2
SCM:
Subversion 1.6.11
Git 1.7.1
Filesystem
Redmine plugins:
redmine_omniauth_saml 0.0.1

Our saml.rb file

Redmine::OmniAuthSAML::Base.configure do |config|
config.saml = {
:assertion_consumer_service_url => "http://redmine.local/auth/saml/callback", # OmniAuth callback URL
:issuer => "http://redmine.local", # The issuer name / entity ID. Must be an URI as per SAML 2.0 spec.
:single_logout_service_url => "http://redmine.example.com/auth/saml/sls", # The SLS (logout) callback URL
:idp_sso_target_url => "https://redacted]/login.html", # SSO login endpoint
:idp_cert_fingerprint => "[redacted]", # SSO ssl certificate fingerprint
# Alternatively, specify the full certifiate:
#:idp_cert => "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
:signout_url => "http://sso.example.com/saml2/idp/SingleLogoutService.php?ReturnTo=", # Optional signout URL, not supported by all identity providers
:idp_slo_target_url => "http://sso.example.com/saml2/idp/SingleLogoutService.php",
:name_identifier_value => "mail", # Which redmine field is used as name_identifier_value for SAML logout
:attribute_mapping => {
# How will we map attributes from SSO to redmine attributes
:login => 'extra.raw_info.username',
:mail => 'extra.raw_info.email',
:firstname => 'extra.raw_info.firstname',
:lastname => 'extra.raw_info.firstname'
}
}
config.on_login do |omniauth_hash, user|
# Implement any hook you want here
end
end

Here is the log:

9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==", "provider"=>"saml"}
(0.4ms) SELECT MAX(settings.updated_on) FROM settings
AnonymousUser Load (0.3ms) SELECT users.* FROM users WHERE users.type IN ('AnonymousUser') ORDER BY users.id ASC LIMIT 1
Current user: anonymous
EmailAddress Load (0.1ms) SELECT email_addresses.* FROM email_addresses WHERE email_addresses.address IS NULL LIMIT 1
Failed login for 'test@test.com' from [IP ADDRESS REDACTED] at 2017-11-14 15:39:49 UTC
Redirected to http://redmine.local/login
Completed 302 Found in 5ms (ActiveRecord: 0.9ms)

We will be waiting for your reply.

[nadz-goldman]

@SecurityInMind ,I didnt see any configuration from other side or explanation what is wrong, but here some cookies from me

Here working example

/redmine/config/initializers/90-saml.rb

Redmine::OmniAuthSAML::Base.configure do |config|
  config.saml = {
    :assertion_consumer_service_url => "https://redmine.local/auth/saml/callback",
    :issuer                         => "https://redmine.local/auth/saml/metadata",
    :single_logout_service_url      => "https://redmine.local/auth/saml/sls",
    :idp_sso_target_url             => "https://idp.somewhere/saml/saml2/idp/SSOService.php",
    :idp_cert_fingerprint           => "some-fingerprint",
    :signout_url                    => "https://idp.somewhere/saml/saml2/idp/SingleLogoutService.php?ReturnTo=",
    :idp_slo_target_url             => "https://idp.somewhere/saml/saml2/idp/SingleLogoutService.php",
    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    :name_identifier_value          => "login",
    :attribute_mapping              => {
      :login      => 'extra.raw_info.urn:mace:dir:attribute-def:eduPersonPrincipalName',
      :mail       => 'extra.raw_info.urn:mace:dir:attribute-def:mail',
      :firstname  => 'extra.raw_info.cn',
      :lastname   => 'extra.raw_info.sn'
    }
  }
  config.on_login do |omniauth_hash, user|
  end
end

On another side we using SimpleSAMLphp as IdP and here content of metadata of redmine ( which as SP )

$metadata['https://redmine.local/auth/saml/metadata'] = array (
  'entityid' => 'https://redmine.local/auth/saml/metadata',
  'contacts' =>
  array (
  ),
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://redmine.local/auth/saml/callback',
      'index' => 0,
      'isDefault' => true,
    ),
  ),
  'SingleLogoutService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://redmine.local/auth/saml/sls',
      'ResponseLocation' => 'https://redmine.local/auth/saml/sls',
    ),
  ),
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  'validate.authnrequest' => false,
  'saml20.sign.assertion' => true,

  'authproc' => array(
      1 => array(
        'class' => 'saml:AttributeNameID',
        'attribute' => 'eduPersonPrincipalName',
        'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
      ),
    ),
);

Because we using LDAP and ruEduORg scheme for eduGain, here we NOT mapping attributes on 'authproc' block but give attribute which can used as login
Its easy =)

Also you can use debug on Redmine-side.