
SAML with Keycloak IdP - "Found an Attribute element with duplicated Name"

Open swiftbird07 opened this issue 2 years ago • 4 comments

Debug mode

Describe the bug

Hello, first of all: very nice project! Unfortunately I am struggling to enable SAML SSO using Keycloak. It will result in the following error messages in the laravel.log:

[2023-11-21 20:10:26] production.ERROR: Found an Attribute element with duplicated Name {"exception":"[object] (OneLogin\\Saml2\\ValidationError(code: 41): Found an Attribute element with duplicated Name at /var/www/html/vendor/onelogin/php-saml/src/Saml2/Response.php:819)
[stacktrace]
#0 /var/www/html/vendor/onelogin/php-saml/src/Saml2/Response.php(781): OneLogin\\Saml2
[...]

The Attributes of the SAML response look like this:

        <saml:AttributeStatement>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Realm Admin</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">default-roles-myserver</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Portainer Access</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Wazuh Access</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Kibana Access</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Reproduction steps

  1. Enable SAML in Admin Menu
  2. Upload the IdP config from Keycloak: https://auth.domain:8443/realms/PVE-Cloud/protocol/saml/descriptor
  3. Download Metadata from snipe
  4. Tick option for SAML Logout
  5. Save Config

In Keycloak:

  1. Clients > Import Client > Select the Metadata file from snipe-it
  2. Keys > Client signature required: False (no idea where to set this in snipe anyway)
  3. Roles > Add Client Scope > role_list

Before that I explicitly set the role_list mapper to "Single Role Attribute": True, as described in this fix, which apparently should fix this exact issue, except it doesn't work for me:

https://github.com/nextcloud/user_saml/issues/222#issuecomment-402542562

Trying to log in using SAML redirects to Keycloak, and after authentication it redirects back to snipe but shows "We couldn't log you in" in red.

Digging in the logs of /var/www/html/storage/logs/laravel.log shows the above exception.

...

Expected behavior

Login with SAML works when using Keycloak.

Screenshots

No response

Snipe-IT Version

v6.2.3 build 11936 (gb47e734b3)

Operating System

Ubuntu / Docker

Web Server

N/A (Docker )

PHP Version

8.1.2-1ubuntu2.14

Error messages

Error see above. I don't want to configure SAML with my info in the demo for security reasons.

Additional context

Docker installation.

swiftbird07, Nov 21 '23 20:11

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.

welcome[bot], Nov 21 '23 20:11

Are there any solutions available for this problem? I keep encountering the same error message when attempting to log in using SAML.

davidmkrtchian, Dec 06 '23 16:12

This has to be fixed in Keycloak.

  • Go to Client Scopes.
  • Remove "role_list" (!)
  • Add "role list" under the "url-dedicated".
  • Select that "role list" and turn on "Single Role Attribute"

Edit: ah, I see you already did that... Also removed the predefined "role_list"? If you still get the error, then you might have forgotten that.

Besides the role-list problem, I needed to select username instead of persistent for "Name ID format". Know that when there is nothing logged in laravel.log and you see a "We couldn't log you in", then the error is implicitly "user not found".

VincentSC, Dec 27 '23 20:12
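The failure in the original report and the "Single Role Attribute" fix described above, as an added example that is not Snipe-IT's, php-saml's or Keycloak's own code: a Python check that applies the same duplicated-Name rule php-saml enforces on an AttributeStatement (the rule behind validation error 41 in the log), plus a helper that folds the per-role `<saml:Attribute Name="Role">` elements into the single multi-valued element Keycloak emits once the mapper option is on. The sample statement and all function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR = f"{{{SAML_NS}}}Attribute"
VALUE = f"{{{SAML_NS}}}AttributeValue"
ET.register_namespace("saml", SAML_NS)  # keep the saml: prefix when serialising

# Constructed sample in the shape the issue's log shows: with "Single Role
# Attribute" off, Keycloak emits one <saml:Attribute Name="Role"> per role.
PER_ROLE_XML = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="Role"><saml:AttributeValue>offline_access</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def collect_attributes(statement_xml):
    """Return {Name: [values]} for an AttributeStatement, applying the rule
    php-saml's Response::getAttributes() applies: a Name that appears on more
    than one <saml:Attribute> element is rejected, not merged."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iter(ATTR):
        name = attr.get("Name")
        if name in attrs:
            raise ValueError(f"Found an Attribute element with duplicated Name: {name}")
        attrs[name] = [(v.text or "").strip() for v in attr.findall(VALUE)]
    return attrs


def single_role_attribute(statement_xml, name="Role"):
    """Rewrite the statement the way Keycloak's "Single Role Attribute" mapper
    option does: fold every <saml:Attribute Name="Role"> into one element that
    carries all role values. Returns the rewritten statement as a string."""
    root = ET.fromstring(statement_xml)
    role_attrs = [a for a in root.findall(ATTR) if a.get("Name") == name]
    if len(role_attrs) <= 1:
        return statement_xml  # nothing to fold
    keep, extra = role_attrs[0], role_attrs[1:]
    for dup in extra:
        for value in dup.findall(VALUE):
            keep.append(value)  # move the value under the surviving element
        root.remove(dup)
    return ET.tostring(root, encoding="unicode")


def statement_is_acceptable(statement_xml):
    """True when php-saml would accept the statement, False on duplicate Names."""
    try:
        collect_attributes(statement_xml)
        return True
    except ValueError:
        return False
```

Running `statement_is_acceptable` on a decoded SAML response captured from the Keycloak client is a quick way to confirm, before touching Snipe-IT, whether the mapper change actually took effect.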

We have this working in Keycloak. Try:

  • Created a new Client for the Realm, using Client ID: https://yoursnipeit.example.com
  • Valid Redirect URIs: https://yoursnipeit.example.com/*
  • Assertion Consumer Service POST Binding URL: https://yoursnipeit.example.com/saml/acs
  • Logout Service POST Binding URL: https://yoursnipeit.example.com/saml/sls
  • Remove the role_list as said above.
  • In Clients > Client details > Scopes, select the https://yoursnipeit.example.com-dedicated option
  • Add X500 email, given name, surname: [screenshot]

I may have missed something, but can provide more assistance if needed.

Relianco, Dec 28 '23 21:12