CMDBuild Forum

CMDBuild 3.3.2 - SAML2 authentication - how to enable

According to the documentation this version should support SAML2 authentication. However, I did not find any guide or examples that would help establish it.

After digging a little bit I tried to configure the system with the following parameters:

Then I tried to get the SP-metadata from URL http://host:port/cmdbuild/services/saml/metadata.

Before the above configuration it gave me the “saml service is not active” error, but after it, all I got was a blank page and no errors on the logs or on screen.

I would appreciate any advice to get this working

Regards,
Vesa

1 Like

Hello Vesa,

I have found, looking at the available config parameters using the system config API, that the parameter names seem to include ‘module’ in their name.
For example:

org.cmdbuild.auth.module.saml.enabled

You can try changing the parameters you are configuring now to include “module” before the saml property (sorry, I have never tested SAML so I can’t be sure it will work).

Please, let me know if this has helped you.

Following you can find the configuration parameters related to SAML obtained from the system config API:

“org.cmdbuild.auth.module.saml.description”
“org.cmdbuild.auth.module.saml.enabled”
“org.cmdbuild.auth.module.saml.handlerScript”
“org.cmdbuild.auth.module.saml.hidden”
“org.cmdbuild.auth.module.saml.icon”
“org.cmdbuild.auth.module.saml.idp.cert”
“org.cmdbuild.auth.module.saml.idp.id”
“org.cmdbuild.auth.module.saml.idp.login”
“org.cmdbuild.auth.module.saml.idp.logout”
“org.cmdbuild.auth.module.saml.logout.enabled”
“org.cmdbuild.auth.module.saml.requireSignedAssertions”
“org.cmdbuild.auth.module.saml.requireSignedMessages”
“org.cmdbuild.auth.module.saml.signatureAlgorithm”
“org.cmdbuild.auth.module.saml.sp.baseUrl”
“org.cmdbuild.auth.module.saml.sp.cert”
“org.cmdbuild.auth.module.saml.sp.id”
“org.cmdbuild.auth.module.saml.sp.key”
“org.cmdbuild.auth.modules”

Regards,
Victor

Did you happen to get this working?
Or did anyone get SAML auth to work?
The manuals are very lacking in details.

thanks,
Sean

Thanks for the tip Victor. I tried also with the naming convention suggested by you. Unfortunately I did not get any further.

Obviously there is still something missing or wrongly set. Authentication settings still look like this. I’m wondering what would be the correct values for “org.cmdbuild.auth.modules” (?).

The login page shows a login with SAML now too! That wasn’t there before.
I was seeing what module values it would take, so I am showing them all.

Hi Vesa,
I may have found something. I use editconfig (/cmdbuild.sh restws editconfig) to set values and decided to try adding saml to the login modules variable I saw there.
org.cmdbuild.auth.modules=default,saml
NOTE: oauth, saml, cas, and default seem to be accepted values for .auth.modules

It shows up in the web gui now under login modules not auth modules. I’ll try filling in the rest of the saml config and see how it goes.

I have LDAPS working already, but its config values look to not be under a login module type.
I also have the auth methods set to the following (the order determines what will be tried first, according to the notes):
org.cmdbuild.auth.methods=SamlAuthenticator,LdapAuthenticator,DBAuthenticator


Thank you Sean!
I got it working now. For some reason I had the modules parameter value written in mixed case (Default,SAML), and changing them to lowercase did the trick.
After creating a demo user on CMDBuild I was able to log in with Keycloak & SAML.
And thanks to Victor for pointing out the correct naming convention.

1 Like

Awesome! I just got mine working now too!!!

It only took searching through the source code, reading through the editconfig, watching the cmdbuild_req logs, decoding the SAML response in browser dev mode, and piecing together forum posts. This post helped the most btw, thanks =)

My last issue was the handlerScript variable. I left it default, didn’t know what it was for. I was getting auth null value failures in the request logs after my identity provider (Duo) was sending the response back.
I just changed it from the default oid value to what I was getting back in the SAML response, ‘samAccountName’, and I am in!

org.cmdbuild.auth.module.saml.handlerScript=login = auth.getAttribute('SamAccountName')

My setup uses the Duo authenticator, which we had an account for already, so I have MFA enabled on our CMDBuild test.

For anyone else that comes along this post, here is a top-level view of the parts to get Duo MFA working through SAML to CMDBuild.

  • Secured our Tomcat and CMDBuild instances with a LetsEncrypt certificate to use HTTPS.
  • Installed a Duo Authentication Proxy on a server on-prem that talks to our AD.
  • In the Duo portal added a new Generic Application SSO protection for our CMDBuild, with the following needed info discovered from CMDB:
    • Service Provider Entity ID = [MATCH WHAT YOU SET IN CMDBUILD CONFIG, I JUST USED BASE URL]
    • ACS URL = [YOUR CMDB BASE URL]/services/saml/SSO
    • (optional) Logout URL = [YOUR CMDB BASE URL]/services/saml/SingleLogout
    • (optional) Login URL = [YOUR CMDB BASE URL]/services/saml/Login
    • SAML NameID Format = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    • SAML Response Name ID Attribute = <‘Username’>
    • SAML Response Mapping iDP <‘Username’> to SamAccountName
  • CMDBuild: created user accounts with user names matching our AD accounts’ samAccountName. Set a generic strong password that will not be used; your SAML identity provider will be checking against the actual source.
  • CMDBuild editconfig, with the base prefix of org.cmdbuild.auth.module.saml.* unless noted otherwise:
    • .sp.baseUrl = [YOUR BASE URL]
    • .idp.cert = [CERT PROVIDED FROM DUO]
    • .idp.id = [PROVIDED FROM DUO]/metadata
    • .idp.logout = [PROVIDED FROM DUO]/slo
    • .idp.login = [PROVIDED FROM DUO]/sso
    • .sp.id = [MATCH THIS TO USE IN DUO CONFIG, I JUST USED BASE URL]
    • .sp.cert = [CMDB HTTPS CERT]
    • .sp.key = [CMDB HTTPS PRIVATE KEY]
    • .logout.enabled = true
    • .handlerScript = login = auth.getAttribute(‘SamAccountName’) #[Match attribute name that is sent in SAML response]
    • org.cmdbuild.auth.methods = SamlAuthenticator, DBAuthenticator
    • org.cmdbuild.auth.modules = default, saml
  • Restart the Tomcat service after changes.
  • Load the login page and try the new login with SAML button. (It doesn’t use the default login web form. Seems like critical info the manual should have.)
  • Get redirected to your custom Duo Generic SSO App Protection created above.
    • Enter your AD login UPN that matches an already created account in CMDB.
    • Log in; new users have to enroll MFA.
    • Approve your MFA option.
  • Get redirected back to your CMDB, and you’re in if everything lines up.

Thanks,

Sean

1 Like
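Sean's step of decoding the SAML response in browser dev tools to find the attribute name for handlerScript can be scripted. This is an added example, not code from the thread or from CMDBuild: it base64-decodes a SAMLResponse POST parameter, lists the NameID and the attributes the IdP sent (the names to use in auth.getAttribute(...)), and reports whether the assertion carries an XML signature, which matters when requireSignedAssertions is on. The sample response is constructed, and the script does not verify the signature itself.

```python
"""Decode a SAMLResponse and list the attributes an IdP sends to CMDBuild.

Added example (not from the forum thread or CMDBuild). The SAMLResponse
below is a constructed sample, not a capture from a real identity provider.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of what an IdP posts to .../cmdbuild/services/saml/SSO.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://cmdb.example.org/cmdbuild/services/saml/SSO">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="SamAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()


def inspect_saml_response(saml_response_b64: str) -> dict:
    """Return Destination, NameID, attribute map and whether the assertion is signed."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain <saml:Assertion>; encrypted assertions are not handled here")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "destination": root.get("Destination"),  # should be your SP's ACS URL
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attrs,  # keys are the names usable in auth.getAttribute(...)
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
    }


if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_B64))
```

Paste the SAMLResponse form field value captured in the browser's network tab in place of SAMPLE_B64 to see which attribute names your own IdP actually sends.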

Hi Vesa/anyone,

If you don’t mind, could you please share the correct config values for Keycloak and SAML integration? I’m not able to find the correct configuration. Please help me with this.

If you could help me with the OAuth Keycloak config, that is also fine.

To avoid confusion with OP.

SAML and OAuth seem to work with 3.3.1, but this was announced in 3.3.2 only, so I assume this might be experimental.
I’ve just tested SAML in my dev environment and it seems to work perfectly. The only difference is that the configuration parameters you set are applied without the ‘module’ keyword:

org.cmdbuild.auth.methods
org.cmdbuild.auth.saml.sp.id
org.cmdbuild.auth.saml.sp.baseUrl
org.cmdbuild.auth.saml.idp.id
org.cmdbuild.auth.saml.idp.cert
org.cmdbuild.auth.saml.idp.login
org.cmdbuild.auth.saml.idp.logout
org.cmdbuild.auth.saml.handlerScript
org.cmdbuild.auth.saml.logout.enabled
org.cmdbuild.auth.saml.signatureAlgorithm
org.cmdbuild.auth.saml.requireSignedAssertions

This has been changed to org.cmdbuild.auth.module.saml.* in 3.3.2+ versions.

Hi, I’m also trying to implement this. Can someone please share with me the procedure for doing this with Azure SAML?