Hi,
So Lasso doesn't appear to parse the 'Name ID' from Azure. I added the
following rudimentary debugging to SAMLSource.pm:
[admin@packetfence2 logs]# diff -uNr
/usr/local/pf/lib/pf/Authentication/Source/SAMLSource.pm.backup
/usr/local/pf/lib/pf/Authentication/Source/SAMLSource.pm
--- /usr/local/pf/lib/pf/Authentication/Source/SAMLSource.pm.backup
2021-04-14 18:02:43.000000000 +0200
+++ /usr/local/pf/lib/pf/Authentication/Source/SAMLSource.pm 2021-06-27
07:35:29.685552235 +0200
@@ -179,7 +179,9 @@
my @attribute_list = $assertion->AttributeStatement->Attribute;
my $username;
+my $temp17;
foreach my $attribute (@attribute_list){
+$temp17 = "$temp17" . $attribute->Name . ":" .
$attribute->AttributeValue->any->content . "<br>";
if($attribute->Name eq $self->username_attribute){
$username = $attribute->AttributeValue->any->content;
last;
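Review bot: `$temp17` is declared but never initialised, so the first `"$temp17" . $attribute->Name ...` concatenation in the loop stringifies undef and emits "Use of uninitialized value" under `use warnings`; declare it as `my $temp17 = '';`. The string also places raw IdP-supplied AttributeValue content beside literal `<br>` tags, so whatever later displays it will render claim values as markup; if the purpose is only to see which attributes arrived, call `$logger->debug($attribute->Name)` inside the loop instead of building a string to hand back.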
@@ -190,7 +192,8 @@
return ($username, "Authentication successful with username :
$username");
}
else {
- return ($FALSE, "Can't find username in SAML response.")
+return ($FALSE, "$temp17")
+# return ($FALSE, "Can't find username in SAML response.")
}
};
if($@){
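Review bot: returning `$temp17` in place of the error message hands the full claim dump (tenant id, object id, e-mail address, display name) to the caller, and from there potentially to the captive-portal page and its logs, while the original message is only commented out rather than kept. For anything beyond a one-off test keep `return ($FALSE, "Can't find username in SAML response.")` and emit the attribute list through the logger at debug level; the attribute Names alone are what is needed to choose `username_attribute`, so the values need not be dumped at all.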
This then provides the list of attribute names and values that I can then debug
with:
http://schemas.microsoft.com/identity/claims/tenantid:2a6befed-184a-41ba-8ad6-0980f8ae3885<br>
http://schemas.microsoft.com/identity/claims/objectidentifier:139350bd-8242-48c7-b5d0-4a351fe1782a<br>
http://schemas.microsoft.com/identity/claims/displayname:Joe Doe<br>
http://schemas.microsoft.com/identity/claims/identityprovider:https://sts.windows.net/afc2f870-1eaf-4192-8ff8-cdba06632214/<br>
http://schemas.microsoft.com/claims/authnmethodsreferences:http://schemas.microsoft.com/claims/multipleauthn<br>
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname:Joe<br>
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname:Doe<br>
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress:[email protected]<br>
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:[email protected]<br>
When I then restored the required claim in the Azure app SAML settings back to
defaults and instead added an additional claim containing the
onpremisesuserprincipalname I got it working. Herewith the additional claim I
added:
Name : onpremisesuserprincipalname
Namespace : http://schemas.xmlsoap.org/ws/2005/05/identity/claims
Source : attribute
Source attribute : user.onpremisesuserprincipalname
I had to edit /usr/local/pf/conf/authentication.conf manually to set the
user_attribute:
[syrexad_azure_users]
description=Company Azure AD - Users
sp_entity_id=https://pf.company.com
username_attribute=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/onpremisesuserprincipalname
set_access_durations_action=
type=SAML
sp_key_path=/usr/local/pf/conf/ssl/azuread-client.key
sp_cert_path=/usr/local/pf/conf/ssl/azuread-client.pem
authorization_source_id=companyad_users
idp_ca_cert_path=/usr/local/pf/conf/ssl/azuread-company-idp.crt
idp_entity_id=https://sts.windows.net/afc2f870-1eaf-4192-8ff8-cdba06632214/
idp_metadata_path=/usr/local/pf/conf/saml-azuread-metadata.xml
idp_cert_path=/usr/local/pf/conf/ssl/azuread-company-idp.crt
Regards
David Herselman
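The matching rule the reply relies on, as an added illustration rather than PacketFence's Perl code: the service provider compares each Attribute's full Name against username_attribute and takes that attribute's value, and the Name Azure AD emits is the claim Namespace joined to the claim Name with a slash, which is why the full claims URI works where the bare name and the default urn:oid value do not. The assertion fragment, the claim values and the helper names below are constructed for this example.

```python
# Added illustration, not PacketFence's own code: resolve the username from a
# SAML AttributeStatement by matching each Attribute's full Name against the
# configured username_attribute. Azure AD emits a claim's Name as
# "<Namespace>/<Name>", hence the full claims URI in authentication.conf.
import logging
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
log = logging.getLogger("saml")

def azure_claim_name(namespace, name):
    """Attribute Name as Azure AD emits it for a claim with a namespace set."""
    return namespace.rstrip("/") + "/" + name

# Constructed assertion fragment modelled on the claims in the thread; values
# are made up and a real assertion is signed and carries many more elements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>joe.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/onpremisesuserprincipalname">
      <saml:AttributeValue>joe.doe@corp.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_names(assertion_xml):
    """Only the attribute Names: safe to log when no username was found."""
    root = ET.fromstring(assertion_xml)
    return [a.get("Name") for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)]

def find_username(assertion_xml, username_attribute):
    """First AttributeValue of the Attribute whose Name equals username_attribute, else None."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != username_attribute:
            continue
        value = attr.find("saml:AttributeValue", NS)
        if value is None or not (value.text or "").strip():
            return None  # attribute present but empty: treat as not found
        return value.text.strip()
    # Log Names only: IdP-supplied values (tenant id, object id, e-mail) stay
    # out of the user-facing error, unlike the ad hoc $temp17 debugging above.
    log.debug("username attribute %r absent; assertion carries %s",
              username_attribute, attribute_names(assertion_xml))
    return None
```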
From: David Herselman
Sent: Saturday, 26 June 2021 10:59 AM
To: [email protected]
Subject: Azure AD - MFA at registration
Hi,
I would like to use SAML authentication on the captive portal to allow staff to
register via MFA. From my understanding I need to obtain the username in a
format that I can look up in the AD user authentication source.
The default username attribute in PacketFence is
'urn:oid:0.9.2342.19200300.100.1.1' but this doesn't work when I set Azure to
return the on-premises AD account name.
My Google-Foo appears to be failing me, in finding a reference what I should
set in PF for 'user.onpremisessamaccountname'.
I found references in an alternative format, such as:
'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName' but I
don't even appear to be able to type anything into the UI interface:
When I click anywhere else it again displays the default...
Any idea?
The default Azure AD Single Sign-On SAML reply token is as follows:
In this Azure tenant the email address would be something like
'[email protected]'
I subsequently changed the Name identifier format to 'Windows domain qualified
name' and the source attribute to 'user.onpermisessamaccountname':
In this Azure tenant the sAMAccountName would be something like 'joe.doe'
Herewith speed notes on what we did:
Azure AD
  AzureAD Tenant Name (eg 'Company') \ Enterprise applications
    New application
      Create your own application
        Name : PacketFence
        Option : Integrate any other application you don't find in the gallery (Non-gallery)
    Manage
      Properties
        Visible to users? : No
      Users and groups
        Add group : eg 'Company staff member'
      Single sign-on
        SAML
          SAML Signing Certificate
            Retrieve Certificate (Base64) : Save as /usr/local/pf/conf/ssl/azuread-company-idp.crt
            Retrieve XML : Save as /usr/local/pf/conf/saml-azuread-metadata.xml
          Basic SAML Configuration
            Identifier (Entity ID) : https://pf.company.com
            Reply URL (Assertion Consumer Service URL) : https://pf.company.com/saml/assertion
Create private key and certificate (for PacketFence as an Azure AD client):
cd /usr/local/pf/conf/ssl;
openssl req -x509 -newkey rsa:4096 -keyout azuread-client.key -out azuread-client.pem -days 1825 -nodes;
# Common Name (e.g. server FQDN or YOUR name) [] : pf.company.com
chown pf.pf azuread-*;
chmod 664 azure*;
Azure AD
  AzureAD Tenant Name (eg 'Company') \ Enterprise applications
    PacketFence
      Security
        Token encryption
          Import Certificate (/usr/local/pf/conf/ssl/azuread-client.pem)
          Select imported certificate, then 'Activate token encryption'
PacketFence \ Configuration \ Policies and Access Control \ Authentication Sources
  New internal source - SAML
    Name : companyad_azure_users
    Description : Company Azure AD - Users
    Service Provider entity ID : https://pf.company.com
    Path to Service Provider key (x509) : /usr/local/pf/conf/ssl/azuread-client.key
    Path to Service Provider cert (x509) : /usr/local/pf/conf/ssl/azuread-client.pem
    Identity Provider entity ID : https://sts.windows.net/afc2f870-1eaf-4192-8ff8-cdba06632214/ # Random documentation UUID, not real
    Path to Identity Provider metadata : /usr/local/pf/conf/saml-azuread-metadata.xml
    Path to Identity Provider cert (x509) : /usr/local/pf/conf/ssl/azuread-company-idp.crt
    Path to Identity Provider CA cert (x509) : /usr/local/pf/conf/ssl/azuread-company-idp.crt
    Username Attribute : urn:oid:0.9.2342.19200300.100.1.1
    Authorization source : companyad_users
  View Service Provider Metadata
    entityID : https://pf.company.com # This is where the information for the Basic SAML 'Identifier' comes from
    AssertionURL : https://pf.company.com/saml/assertion # This is where the information for the Basic SAML 'Reply URL' comes from
PacketFence \ Configuration \ Network Configuration \ Networks \ Fencing
  Passthrough Domains :
aadcdn.msauth.net,aadcdn.msftauth.net,in.appcenter.ms,login.live.com,login.microsoftonline.com,login.windows.net,mobileappcommunicator.auth.microsoft.com,sts.windows.net
Regards
David Herselman
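A consistency check for the hand-off between the Azure AD steps and the PacketFence source above, added here as example code that is not PacketFence's own: it confirms that idp_entity_id in authentication.conf equals the entityID in the downloaded federation metadata and that the certificate saved as idp_cert_path is a signing certificate that metadata publishes, the two values signature validation depends on before any attribute is read. The conf section, metadata document and certificate bytes are constructed placeholders, and check_saml_source is a name chosen for this example.

```python
# Added consistency check (not PacketFence's own code): confirm that the SAML
# source in authentication.conf agrees with the Azure AD federation metadata
# saved to idp_metadata_path, and that the saved IdP certificate is a signing
# certificate that metadata publishes.
import base64
import configparser
import re
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed inputs modelled on the thread; the certificate is a placeholder
# byte string, not a real X.509 certificate, and the tenant UUID is made up.
CONF = """[companyad_azure_users]
sp_entity_id=https://pf.company.com
idp_entity_id=https://sts.windows.net/00000000-0000-0000-0000-000000000000/
idp_cert_path=/usr/local/pf/conf/ssl/azuread-company-idp.crt
idp_metadata_path=/usr/local/pf/conf/saml-azuread-metadata.xml
"""
CERT_B64 = base64.b64encode(b"placeholder-idp-signing-certificate-bytes").decode()
METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""
IDP_CRT_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"

def pem_body(pem):
    """Strip PEM armour and whitespace so base64 bodies compare byte-for-byte."""
    return re.sub(r"-----[A-Z ]+-----|\s+", "", pem)

def check_saml_source(conf_text, section, metadata_xml, idp_cert_pem):
    """Return a list of problems; an empty list means conf and metadata agree."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    src = cfg[section]
    root = ET.fromstring(metadata_xml)
    problems = []
    if root.get("entityID") != src.get("idp_entity_id"):
        problems.append(f"idp_entity_id {src.get('idp_entity_id')!r} != metadata entityID {root.get('entityID')!r}")
    signing = []  # base64 bodies of the IdP's published signing certificates
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", MD):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD)
        if kd.get("use") in (None, "signing") and cert is not None and cert.text:
            signing.append(pem_body(cert.text))
    if pem_body(idp_cert_pem) not in signing:
        problems.append("idp_cert_path certificate is not a signing certificate published in the metadata")
    return problems
```

On a live system read the conf, metadata and .crt files named in the section and pass their contents in; note that the `chmod 664 azure*` in the speed notes also applies to azuread-client.key, and the service-provider private key only needs to be readable by the pf user.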
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users