
Sources broken on identificationStage

Open ManuelLR opened this issue 1 year ago • 0 comments

Describe the bug

I have found several problems with authentik_stages_identification.identificationstage:

  1. It looks like it is now mandatory to define at least one user_field, but it shouldn't be, because I want to allow only SAML source login, and that was working on 2024.6.4. This is replicable via the web interface.

  2. In the web interface, on the sources section, I wasn't able to select the desired source.

To Reproduce

Steps to reproduce the behavior:

1. Import the SAML source provider as a blueprint:

```yaml
# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
version: 1
metadata:
  labels:
    carto/defaults: 'true'
    blueprints.goauthentik.io/instantiate: 'true'
    blueprints.goauthentik.io/description: |
      This blueprint will create SAML Source.
  name: Issue - SAML Source
entries:
  ## Dependencies
  - model: authentik_blueprints.metaapplyblueprint
    attrs:
      identifiers:
        name: Default - Source pre-authentication flow
      required: true
  - model: authentik_blueprints.metaapplyblueprint
    attrs:
      identifiers:
        name: Default - Source enrollment flow
      required: true

  ## SAML source
  - model: authentik_sources_saml.samlsource
    attrs:
      enrollment_flow: !Find [authentik_flows.flow, [slug, "default-source-enrollment"]]
      binding_type: REDIRECT
      digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
      enabled: true
      group_matching_mode: name_link
      issuer: https://mocksaml.com/api/saml/metadata
      name: SAML Source
      name_id_policy: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      policy_engine_mode: any
      pre_authentication_flow: !Find [authentik_flows.flow, [slug, "default-source-pre-authentication"]]
      signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      slug: saml-source
      sso_url: https://mocksaml.com/api/saml/sso
      temporary_user_delete_after: days=1
      user_matching_mode: identifier
      user_path_template: goauthentik.io/sources/saml/%(slug)s
    conditions: []
    identifiers:
      slug: saml-source
    permissions: []
    state: present
```
2. Create a flow

(screenshot)

3. Add the identification stage

(screenshots)

4. No sources are selectable

(screenshot)

5. Error when trying to save without sources

I couldn't select any source, and obviously I wouldn't like to add a field.

(screenshot)

6. If I save the flow after adding a user_field, I can save the flow, but the SAML source is not shown

(screenshot)

Now if we try to import the flow with blueprints:

A. Specifying the source and the user_fields

Blueprint:

```yaml
# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
version: 1
metadata:
  labels:
    carto/defaults: 'true'
    blueprints.goauthentik.io/instantiate: 'true'
    blueprints.goauthentik.io/description: |
      This blueprint will create SAML Auth Flow.
  name: Issue - SAML Auth Flow (Source with user_fields)
entries:
  ## Dependencies
  - model: authentik_blueprints.metaapplyblueprint
    attrs:
      identifiers:
        name: Default - Source enrollment flow
      required: true
  - model: authentik_blueprints.metaapplyblueprint
    attrs:
      identifiers:
        name: Issue - SAML Source
      required: true

  ## SAML Auth Flow
  - model: authentik_flows.flow
    id: saml-auth-flow
    attrs:
      name: SAML Auth Flow With User Fields
      slug: saml-auth-flow-with-user-fields
      title: SAML Auth Flow With User Fields
      authentication: none
      denied_action: message_continue
      designation: authentication
      layout: content_left
      policy_engine_mode: any
    conditions: []
    identifiers:
      slug: saml-auth-flow-with-user-fields
    permissions: []
    state: present

  - model: authentik_stages_identification.identificationstage
    id: saml-flow-identification-stage
    attrs:
      case_insensitive_matching: false
      # enrollment_flow: !Find [authentik_flows.flow, [slug, "default-source-enrollment"]]
      name: SSO Login (with user fields)
      show_matched_user: false
      show_source_labels: true
      sources:
        - !Find [authentik_sources_saml.samlsource, [slug, "saml-source"]]
      user_fields:
        - username
    conditions: []
    identifiers:
      name: SSO Login (with user fields)
    permissions: []
    state: present
  - model: authentik_flows.flowstagebinding
    attrs:
      invalid_response_action: retry
      order: 0
      policy_engine_mode: any
      re_evaluate_policies: true
    conditions: []
    identifiers:
      stage: !KeyOf saml-flow-identification-stage
      target: !KeyOf saml-auth-flow
    permissions: []
    state: present
```

Result:

  • The blueprint & flow could be created.
  • The source is not visible on the Web UI (screenshot).
  • But it is enabled/usable in the flow (screenshot).
B. Specifying the source without user_fields

Blueprint:

```yaml
# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
version: 1
metadata:
  labels:
    carto/defaults: 'true'
    blueprints.goauthentik.io/instantiate: 'true'
    blueprints.goauthentik.io/description: |
      This blueprint will create SAML Auth Flow.
  name: Issue - SAML Auth Flow (Source without user_fields)
entries:
  ## Dependencies
  - model: authentik_blueprints.metaapplyblueprint
    attrs:
      identifiers:
        name: Default - Source enrollment flow
      required: true
  - model: authentik_blueprints.metaapplyblueprint
    attrs:
      identifiers:
        name: Issue - SAML Source
      required: true

  ## SAML Auth Flow
  - model: authentik_flows.flow
    id: saml-auth-flow
    attrs:
      name: SAML Auth Flow Without User Fields
      slug: saml-auth-flow-without-user-fields
      title: SAML Auth Flow Without User Fields
      authentication: none
      denied_action: message_continue
      designation: authentication
      layout: content_left
      policy_engine_mode: any
    conditions: []
    identifiers:
      slug: saml-auth-flow-without-user-fields
    permissions: []
    state: present

  - model: authentik_stages_identification.identificationstage
    id: saml-flow-identification-stage
    attrs:
      case_insensitive_matching: false
      # enrollment_flow: !Find [authentik_flows.flow, [slug, "default-source-enrollment"]]
      name: SSO Login (without user fields)
      show_matched_user: false
      show_source_labels: true
      user_fields: []
      sources:
        - !Find [authentik_sources_saml.samlsource, [slug, "saml-source"]]
    conditions: []
    identifiers:
      name: SSO Login (without user fields)
    permissions: []
    state: present
  - model: authentik_flows.flowstagebinding
    attrs:
      invalid_response_action: retry
      order: 0
      policy_engine_mode: any
      re_evaluate_policies: true
    conditions: []
    identifiers:
      stage: !KeyOf saml-flow-identification-stage
      target: !KeyOf saml-auth-flow
    permissions: []
    state: present
```

Result:

  • The blueprint & flow could be created.
  • The source is not visible on the Web UI (screenshot).

Expected behavior

  1. Be able to select the desired source during the flow creation on the web UI.
  2. Be able to only use "SAML source" without the requirement to define any user_field.
  3. Directly redirect to the SAML provider (as happened in the previous version) without any manual action by the user (right now they have to click on the "SAML source" text to be redirected).

Logs

No relevant logs were observed during the previous interactions.

Version and Deployment:

  • authentik version: 2024.8.0-rc1
  • Deployment: docker-compose

ManuelLR avatar Aug 30 '24 11:08 ManuelLR
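As an added example, not code from this issue or from the authentik project, the script below lints a blueprint before it is imported, checking the two identification-stage situations this report turns on: a stage that lists neither `user_fields` nor `sources` (which can identify nobody and locks every user out of the flow, the condition the web UI's mandatory-field rule appears to be guarding against), and a `!Find` source reference that nothing in the same blueprint defines (which only works if that source already exists on the server). The model names come from the blueprints above; the `Find` and `KeyOf` classes are this script's own representation of the blueprint tags, PyYAML is assumed for `load_blueprint()`, and `SAMPLE_ENTRIES` is constructed sample data shaped like the issue's blueprints, including a source-only stage that the lint accepts, as the reporter expects.

```python
"""Pre-import lint for authentik blueprints (added example, not authentik code).

Flags identification stages that can identify nobody (no user_fields and no
sources) and !Find source references the blueprint itself does not define.
"""
from dataclasses import dataclass

try:
    import yaml  # PyYAML, used only by load_blueprint(); assumed to be installed
except ImportError:  # the dict-based lint still works without it
    yaml = None

IDENT_MODEL = "authentik_stages_identification.identificationstage"
# Source models whose !Find references are resolved offline (only SAML here).
SOURCE_MODELS = {"authentik_sources_saml.samlsource"}


@dataclass(frozen=True)
class Find:
    """This script's representation of the `!Find [model, [attr, value]]` tag."""
    model: str
    attr: str
    value: str


@dataclass(frozen=True)
class KeyOf:
    """This script's representation of the `!KeyOf id` tag."""
    key: str


def load_blueprint(text):
    """Parse blueprint YAML, turning the custom tags into Find/KeyOf objects."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse blueprint text")

    class BlueprintLoader(yaml.SafeLoader):
        pass

    def find_ctor(loader, node):
        model, (attr, value) = loader.construct_sequence(node, deep=True)
        return Find(model, attr, value)

    def keyof_ctor(loader, node):
        return KeyOf(loader.construct_scalar(node))

    BlueprintLoader.add_constructor("!Find", find_ctor)
    BlueprintLoader.add_constructor("!KeyOf", keyof_ctor)
    return yaml.load(text, Loader=BlueprintLoader)


def _source_defined(entries, ref):
    """True if some entry of ref.model carries ref.attr == ref.value."""
    for entry in entries:
        if entry.get("model") != ref.model:
            continue
        fields = {**entry.get("identifiers", {}), **entry.get("attrs", {})}
        if fields.get(ref.attr) == ref.value:
            return True
    return False


def lint_entries(entries):
    """Return (stage_name, severity, message) tuples; an empty list means clean."""
    problems = []
    for entry in entries:
        if entry.get("model") != IDENT_MODEL:
            continue
        attrs = entry.get("attrs", {})
        name = attrs.get("name", entry.get("id", "<unnamed stage>"))
        user_fields = attrs.get("user_fields") or []
        sources = attrs.get("sources") or []
        # A stage with sources only is fine; one with neither can never identify anyone.
        if not user_fields and not sources:
            problems.append((name, "error",
                             "no user_fields and no sources: the stage can never identify anyone"))
        for ref in sources:
            # Plain values (e.g. a pk) cannot be checked offline; only !Find references are.
            if isinstance(ref, Find) and ref.model in SOURCE_MODELS \
                    and not _source_defined(entries, ref):
                problems.append((name, "warning",
                                 f"source {ref.model} {ref.attr}={ref.value!r} is not defined "
                                 "in this blueprint; it must already exist on the server"))
    return problems


def lint_blueprint(text):
    """Parse blueprint text and lint its entries."""
    return lint_entries(load_blueprint(text).get("entries", []))


# Constructed sample data, shaped like the blueprints in the issue.
SAMPLE_ENTRIES = [
    {"model": "authentik_sources_saml.samlsource",
     "attrs": {"name": "SAML Source", "slug": "saml-source"},
     "identifiers": {"slug": "saml-source"}},
    {"model": IDENT_MODEL,  # source-only stage: the configuration the issue asks for
     "attrs": {"name": "SSO Login (without user fields)", "user_fields": [],
               "sources": [Find("authentik_sources_saml.samlsource", "slug", "saml-source")]}},
    {"model": IDENT_MODEL,
     "attrs": {"name": "Broken stage", "user_fields": [], "sources": []}},
    {"model": IDENT_MODEL,
     "attrs": {"name": "Dangling stage", "user_fields": ["username"],
               "sources": [Find("authentik_sources_saml.samlsource", "slug", "not-in-blueprint")]}},
]

if __name__ == "__main__":
    for stage, severity, message in lint_entries(SAMPLE_ENTRIES):
        print(f"{severity.upper():7} {stage}: {message}")
```

Run it as a pre-commit or CI step over blueprint files with `lint_blueprint(open(path).read())`; a `!Find` warning is not always a bug (the source may legitimately be created by another blueprint, as the `metaapplyblueprint` dependencies above do), but an `error` means the flow cannot let anyone in and should never be imported.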