
OpenProject OmniAuth SAML Single-Sign On Integration

I am trying to set up the SSO (Single Sign-On) integration with OpenProject using the OpenProject OmniAuth SAML Single-Sign On plugin. I have configured it with the relevant details, generated the metadata and registered it with the IDP that is powered by Shibboleth. The plugin does show an additional login button on the OpenProject login form. Clicking it properly redirects to the IDP's login page. After giving the credentials, it correctly redirects to the AssertionConsumerService URL I have mentioned. It is of the form https://example.com/openproject/auth/saml/callback. But the page is showing a bad request error. Debugging the file app/controllers/concerns/omniauth_login.rb showed that, inside the omniauth_login function, the following lines of code are resulting in the 400 error.

auth_hash = request.env['omniauth.auth']

return render_400 unless auth_hash.valid?

The value of auth_hash looks to be empty. Could this be an issue due to attribute mapping or something else? I am coming from a PHP background and have no experience in Ruby on Rails, so I am finding it difficult to debug the issue. I have tried googling a lot but couldn't find anything useful.

Any help is greatly appreciated.

Thanks

anoop asked Jun 06 '17 10:06


1 Answer

Replace the following code

uid { @name_id }

with the following code

uid do
  if options.uid_attribute
    ret = find_attribute_by([options.uid_attribute])
    if ret.nil?
      raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing '#{options.uid_attribute}' attribute")
    end
    ret
  else
    @name_id
  end
end

inside the strategies/saml.rb file. It is inside the def other_phase function.

For reference, please have a look at the following GitHub link: https://github.com/omniauth/omniauth-saml/blob/master/lib/omniauth/strategies/saml.rb (line number 90).

Arun Thomas answered Sep 18 '22 20:09
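The uid selection from the answer above and the empty-uid symptom from the question, as an added example that is not part of the original posts or of omniauth-saml: a gem-free Ruby model that picks the uid from a configured attribute (failing closed when the IdP does not release it) and lists which fields would leave the auth hash invalid. The method names, the sample attributes and the validity model (uid, provider and a usable name in info must be present) are assumptions made for illustration.

```ruby
# Added illustration: stand-alone model, not OpenProject or omniauth-saml code.
class MissingUidAttribute < StandardError; end

# Same decision as the uid block in the answer: when a uid attribute is
# configured, use it and fail closed if it is absent; otherwise use NameID.
def resolve_uid(name_id, attributes, uid_attribute)
  return name_id if uid_attribute.nil?

  value = Array(attributes[uid_attribute]).first
  raise MissingUidAttribute, "SAML response missing '#{uid_attribute}' attribute" if value.nil?

  value
end

# Assumed validity model: the auth hash needs a uid, a provider and some
# name source in info. Returns the fields that are missing.
def missing_fields(auth)
  info = auth[:info] || {}
  name_sources = info.values_at(:name, :first_name, :last_name, :nickname, :email)
  missing = []
  missing << :uid unless auth[:uid]
  missing << :provider unless auth[:provider]
  missing << :'info.name' if name_sources.none?
  missing
end

# Constructed sample: attributes released by the IdP, with no NameID sent.
SAMPLE_ATTRS = { 'uid' => ['jdoe'], 'mail' => ['jdoe@example.com'] }.freeze

def build_auth(name_id, attrs, uid_attribute)
  { provider: 'saml',
    uid: resolve_uid(name_id, attrs, uid_attribute),
    info: { email: Array(attrs['mail']).first } }
end

if __FILE__ == $PROGRAM_NAME
  # No NameID and no uid attribute configured: the callback would be rejected.
  p missing_fields(build_auth(nil, SAMPLE_ATTRS, nil))
  # uid attribute configured and released: nothing missing.
  p missing_fields(build_auth(nil, SAMPLE_ATTRS, 'uid'))
end
```

Printing the result of `missing_fields` next to the `render_400` line in the controller shows whether the 400 comes from an empty uid or from a missing name or email mapping.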