Univention Bugzilla – Bug 34670
Transmitting LDAP attributes via SAML fails and login is denied
Last modified: 2023-03-25 06:41:06 CET
At Ticket #2014031921009001 it was reported that SimpleSAMLPhp produces the following error message and denies any login when an attribute was registered to be transmitted via SAML. The attribute was defined using UMC. If the attribute is set through the UCR variable saml/idp/ldap/get_attributes, this error message doesn't occur and the login works fine.

SimpleSAML_Error_Exception: Error 2 - in_array() expects parameter 2 to be array, string given
Backtrace:
11 /usr/share/simplesamlphp/www/_include.php:70 (SimpleSAML_error_handler)
10 [builtin] (in_array)
9 /usr/share/simplesamlphp/modules/core/lib/Auth/Process/AttributeLimit.php:100 (sspmod_core_Auth_Process_AttributeLimit::process)
8 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php:195 (SimpleSAML_Auth_ProcessingChain::processState)
7 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:310 (SimpleSAML_IdP::postAuth)
6 [builtin] (call_user_func)
5 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Default.php:126 (SimpleSAML_Auth_Default::loginCompleted)
4 [builtin] (call_user_func)
3 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Source.php:140 (SimpleSAML_Auth_Source::completeAuth)
2 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:223 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:63 (require)
0 /usr/share/simplesamlphp/www/module.php:135 (N/A)
I investigated this issue further. Here are my results.

1. Attribute set to be transmitted via UMC

The "attributes" key that's added to the SP's metadata should first of all be in the form of an array by definition, but it is a string ('attributes' => array('uid', 'mailPrimaryAddress', 'cn') instead of 'attributes' => 'uid,mailPrimaryAddress,cn', see also https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote). I wasn't able to get this to work either. Instead, extending authproc with a core:AttributeLimit filter is what worked, and it also seems to be the way to go in general (see https://simplesamlphp.org/docs/stable/core:authproc_attributelimit):

    70 => array(
        'class' => 'core:AttributeLimit',
        'uid', 'cn', 'mailPrimaryAddress',
    )

Here is the whole authproc entry:

    'authproc' => array(
        60 => array(
            'class' => 'authorize:Authorize',
            'regex' => FALSE,
            'enabledServiceProviderIdentifier' => array('SAMLServiceProviderIdentifier=...'),
        ),
        70 => array(
            'class' => 'core:AttributeLimit',
            'uid', 'cn', 'mailPrimaryAddress',
        )
    )

This allows the administrator to limit the transmitted attributes to exactly what has been specified. If this AttributeLimit is not in place, _all_ attributes that were queried from LDAP are transmitted to the SP.

2. Attributes queried from LDAP

UCR variable saml/idp/ldap/get_attributes contains PHP code. I guess I made a mistake setting the variable, forgetting the proper quoting. I'd suggest changing the variable to a simple list of comma-separated values that the UCR template extracts and formats the proper way.
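As an added example (not code from the bug report, nor shipped by UCS or SimpleSAMLphp), the same settings placed into one saml20-sp-remote.php entry, with the string form that triggers the reported in_array() error shown beside the array form the SP-remote reference expects, plus a core:AttributeLimit filter that takes its whitelist from that entry; the entity ID, ACS URL and the findStringAttributeLists() helper are placeholders and assumptions of mine.

```php
<?php
// Added example, not from the bug report or from UCS: a SimpleSAMLphp
// metadata/saml20-sp-remote.php entry for one SP (entity ID and ACS URL are
// placeholders). It shows the data type the comment above found to be wrong,
// and the core:AttributeLimit filter that restricts what leaves the IdP.

$metadata['https://sp.example.com/placeholder-entity-id'] = array(
    'AssertionConsumerService' => 'https://sp.example.com/placeholder-acs',

    // WRONG: a plain string. core:AttributeLimit hands this to in_array(),
    // which yields "expects parameter 2 to be array, string given" and
    // denies the login.
    // 'attributes' => 'uid,mailPrimaryAddress,cn',

    // RIGHT: an array, as the sp-remote reference documents it.
    'attributes' => array('uid', 'mailPrimaryAddress', 'cn'),

    'authproc' => array(
        // Without a limit, every attribute read from LDAP reaches the SP.
        // With no attribute list of its own, core:AttributeLimit uses the
        // SP's 'attributes' entry above as the whitelist.
        70 => array('class' => 'core:AttributeLimit'),
    ),
);

// Pre-rollout sanity check (my own helper, not part of SimpleSAMLphp):
// returns the entity IDs whose 'attributes' entry would trip the filter.
function findStringAttributeLists(array $metadata) {
    $broken = array();
    foreach ($metadata as $entityId => $entry) {
        if (isset($entry['attributes']) && !is_array($entry['attributes'])) {
            $broken[] = $entityId;
        }
    }
    return $broken;
}
```

Running findStringAttributeLists($metadata) against the loaded SP-remote metadata before restarting the IdP reports any SP that still carries the comma-separated string form.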
Concerning the UCR variable - tab completion of the variable removes the quotes, btw. This easily breaks the configuration.
I fixed this at Bug #38927. *** This bug has been marked as a duplicate of bug 38927 ***
Verified duplicate.
Works in current UCS 4.1 development version.