Help: Custom claims for ADFS attribute mapping #124
Comments
Hi @rjapayne, go to this page: /auth/saml2/test.php. It will do a raw SAML auth without Moodle in the loop and return a dump of what attributes it gets back from the IdP. Then you can see exactly what key you need to use; it's probably been mapped to a more human-readable key name like 'userPrincipalName'.
What I got back was (actual email and name removed):
That means it should be "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", right? Thanks for the quick response.
Yes, that's correct. So this is just a validation thing on the key name by the looks of it. What version of Moodle are you on? And are you trying to map this to a user profile field or the idpattr admin setting?
If you are on Moodle 3.3 try doing a quick hack of this file and see if it solves the issue:
diff --git a/settings.php b/settings.php
index fd18bcc..e793043 100644
--- a/settings.php
+++ b/settings.php
@@ -127,7 +127,7 @@ if ($ADMIN->fulltree) {
'auth_saml2/idpattr',
get_string('idpattr', 'auth_saml2'),
get_string('idpattr_help', 'auth_saml2'),
- '', PARAM_ALPHANUMEXT));
+ '', PARAM_RAW));
// Moodle Field.
$fields = array(
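Review bot: Changing `auth_saml2/idpattr` from PARAM_ALPHANUMEXT to PARAM_RAW in this hunk removes every check on the value, including whitespace trimming, so a trailing space pasted into the admin form is stored as-is and then never matches the attribute key the IdP returns, with no validation error to point at the cause. PARAM_RAW_TRIMMED still accepts the full claim-type URI (`'', PARAM_RAW_TRIMMED));`) while stripping surrounding whitespace; whichever is kept, a short comment above the setting saying that ADFS claim types are full URIs would stop the next reader from "tightening" it back to PARAM_ALPHANUMEXT.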
We're on Moodle 3.3.
It works! We have a working login now for SAML2 profiles on Moodle.
Which exact setting? Got a screenshot? It should be a one-liner once you track it down. The only potential hitch could be if it is inside the field mappings, which are added by core and not this plugin. If that is the case then it will be a Moodle core change. Alternatively, you could reconfigure ADFS to send a simplified or mapped field key name instead.
Yeah, that is going to be a core change here: https://github.com/moodle/moodle/blob/master/lib/authlib.php#L1038 If you feel inclined you could log this in the core tracker and provide a patch for that. It's probably still more pragmatic to reconfigure ADFS to just return 'emailaddress' as the key instead of the full schema string.
Hi Brendan, thanks for that. I'll go back to the guy that is responsible for our ADFS and see if he can do that then. He seemed to think he couldn't do it that way before. Cheers,
@rjapayne another, perhaps better, alternative is that this plugin re-maps all the schemas to nicer simple strings before using them. SimpleSAMLphp supports a bunch of mappings, but this plugin needs to be told to use them. I think the mapping you want is this one: But this plugin is hard coded to use the 'oid2name' mapping here: https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_33PLUS/config/config.php#L83 So you can try just changing that. It would also be nicer if that got turned into an admin setting in this plugin, so pull requests welcome if you feel up to that.
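The two mechanisms discussed in this thread, the key-name validation that rejects a full claim URI and the attribute remap that would make a short key usable, as an added PHP example (not code from auth_saml2, Moodle core or SimpleSAMLphp). `clean_idpattr()` is a simplified stand-in for Moodle's `clean_param()` behaviour for PARAM_ALPHANUMEXT and PARAM_RAW, the `$claim2name` table only follows the shape of a SimpleSAMLphp attributemap file (the entries are constructed, not copied from any shipped map), and the `$raw` attribute set is a constructed sample in the shape that test.php dumps:

```php
<?php
// Added example, not part of auth_saml2 / Moodle / SimpleSAMLphp.

// Simplified stand-in for Moodle's clean_param() for the two parameter types
// in the thread (assumption: mirrors the character class Moodle keeps for
// PARAM_ALPHANUMEXT; this is not Moodle's code).
function clean_idpattr(string $value, string $type): string {
    switch ($type) {
        case 'PARAM_ALPHANUMEXT':
            return preg_replace('/[^A-Za-z0-9_-]/', '', $value);
        case 'PARAM_RAW':
            return $value;
        default:
            throw new InvalidArgumentException("unknown parameter type: $type");
    }
}

// An admin setting is rejected ("This value is not valid") when cleaning
// changes the submitted value.
function idpattr_is_valid(string $value, string $type): bool {
    return clean_idpattr($value, $type) === $value;
}

// Constructed mapping table in the shape of a SimpleSAMLphp attributemap file
// (source name => friendly name). Illustrative entries only.
$claim2name = array(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'          => 'upn',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => 'emailaddress',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'    => 'givenname',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'      => 'surname',
);

// Rename attribute keys through the map. Unmapped keys are kept verbatim so
// nothing the IdP sent is silently dropped; values are never modified.
function remap_attributes(array $attributes, array $map): array {
    $out = array();
    foreach ($attributes as $key => $values) {
        $name = isset($map[$key]) ? $map[$key] : $key;
        if (isset($out[$name])) {
            // Two source keys mapped onto one name: merge instead of overwriting.
            $out[$name] = array_values(array_unique(array_merge($out[$name], $values)));
        } else {
            $out[$name] = $values;
        }
    }
    return $out;
}

// Resolve the configured idpattr against an attribute set. SAML attributes are
// arrays of strings, so take the first value; null means "not present".
function resolve_idpattr(array $attributes, string $idpattr): ?string {
    if (!isset($attributes[$idpattr]) || $attributes[$idpattr] === array()) {
        return null;
    }
    return $attributes[$idpattr][0];
}

// Constructed sample attribute dump with placeholder identities.
$raw = array(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'          => array('jdoe@example.edu'),
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => array('jdoe@example.edu'),
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'    => array('Jane'),
);

$uri = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn';

// The full claim URI under both parameter types.
var_dump(idpattr_is_valid($uri, 'PARAM_ALPHANUMEXT'));
var_dump(idpattr_is_valid($uri, 'PARAM_RAW'));

// After remapping, a short key can be configured under the strict type and
// still resolves; against the unmapped set the short key finds nothing.
$mapped = remap_attributes($raw, $claim2name);
var_dump(idpattr_is_valid('upn', 'PARAM_ALPHANUMEXT'));
var_dump(resolve_idpattr($mapped, 'upn'));
var_dump(resolve_idpattr($raw, 'upn'));
```

Run it with `php example.php`. The point of keeping unmapped keys in `remap_attributes()` is that a map is only ever partial: whatever ADFS sends under a claim type not in the table is still reachable by its full URI, which matters if the admin setting has been widened to accept one.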
Thanks @brendanheywood. Issues now appear resolved after creating some custom claims rules for attribute mapping. Rule looks something like this:
As opposed to what we were using before:
Thanks.
Great stuff, I've renamed this issue to help others having the same issue and I'll close this.
FYI I've just raised a tracker to fix this in core and will supply a patch shortly. Any watchers please feel free to go vote for that:
We're trying to set up the SAML2 plugin's IdP attribute mapping but it doesn't seem to be accepting inputs like "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn". The form won't submit and it says "This value is not valid".
A bit confused as I've been reading forums and other cases of people using this plugin and this seems to be what other people have entered.
Is this the wrong thing to do?