SAML Login via e-mail address using mod_mellon and Azure

Moderator: crythias

Locked
Charburner
Znuny newbie
Posts: 32
Joined: 06 Aug 2021, 12:13
Znuny Version: 6.2.2
Real Name: Jens

SAML Login via e-mail address using mod_mellon and Azure

Post by Charburner »

Hello everyone, I need help with the correct setup of single sign-on via Azure SAML.

There are customer users in the local database on our Znuny 6 LTS server with a user name like "company_lastname" and a stored e-mail address.
With SAML, it should no longer be possible to log in with the user name, but only with the e-mail address as this is the unique identifier in Azure.

Is it even possible for Znuny to allow a customer user to log in via SAML with their e-mail address + password instead of username + password? If not, this would mean that the user name would have to be changed to the e-mail address for all customer users, right?

So far I have configured the Apache module mod_mellon so that the customer web interface under /customer.pl redirects to Microsoft correctly. If a customer user now tries to log in, a message appears "Authentication succeeded, but no customer record is found in the customer backend. Please contact the administrator."

Otherwise, could this just be a mapping problem?

Thanks in advance

Code: Select all

/etc/httpd/conf.d/auth_mellon.conf

Code: Select all

<Location />
    MellonEnable "info"
    MellonEndpointPath "/mellon"
    MellonSPMetadataFile "/etc/httpd/mellon/mellon_metadata.xml"
    MellonSPPrivateKeyFile /etc/httpd/mellon/mellon.key
    MellonSPCertFile /etc/httpd/mellon/mellon.crt
    MellonIdPMetadataFile /etc/httpd/mellon/idp_metadata.xml
</Location>

<LocationMatch /customer.pl>
    AuthType Mellon
    MellonEnable auth
    Require valid-user

    MellonDecoder "none"
    MellonVariable "cookie"
    MellonSecureCookie On
    MellonUser "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
</LocationMatch>
Top
root
Administrator
Posts: 4249
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:
Contact root

Re: SAML Login via e-mail address using mod_mellon and Azure

Post by root »

Hi,

The value of MellonUser (the email address) needs to be the email address. With SAML, no password is required for Znuny; it is only required for the Azure login. Znuny trusts the result of the mod_auth_mellon authentication. Your job is to make sure that the login field of the customer users matches the SAML username.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
Top
Charburner
Znuny newbie
Posts: 32
Joined: 06 Aug 2021, 12:13
Znuny Version: 6.2.2
Real Name: Jens

Re: SAML Login via e-mail address using mod_mellon and Azure

Post by Charburner »

Thank you, I understand your answer to mean that I actually need to change the username stored in the local Znuny database for all customer users to the associated email address as it is stored in Azure.

As an alternative, is there a "relatively" simple way to customize the Perl code for the CustomerAuth so that the "email" field is compared at database level in the customer_user table instead of the "login" field?

Best regards
Top
skullz
Znuny superhero
Posts: 658
Joined: 24 Feb 2012, 03:58
Znuny Version: LTS and Features
Real Name: Mo Azfar
Location: Kuala Lumpur, MY
Contact:
Contact skullz

Re: SAML Login via e-mail address using mod_mellon and Azure

Post by skullz »

maybe check this regex https://github.com/znuny/Znuny/blob/8ad ... s.pm#L1422
My Github
OTRS CE/LTS Discord Channel
Cant Update Package Anymore ? Check This

Professional OTRS, Znuny & OTOBO services: efflux.de/en
Free and premium add-ons: English
Top
Locked

Return to “Help”