
Hue SSO integration in PingFederate (SAML2.0)

I am trying to integrate Hue 3.9 into a single sign-on environment with PingFederate (https://www.pingidentity.com/), which uses SAML 2.0.

After authentication on the PingFederate side the userid (myuser) is sent to Hue, but it is not used by Hue.

In the debug output of Hue I have:

[23/May/2017 18:32:12 +0200] response     DEBUG    conditions: <?xml version='1.0' encoding='UTF-8'?>
<saml:Conditions NotBefore="2017-05-23T16:27:08.383Z" NotOnOrAfter="2017-05-23T16:37:08.383Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AudienceRestriction><saml:Audience>saml20.huetest.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
[23/May/2017 18:32:12 +0200] response     DEBUG    --- Getting Identity ---
[23/May/2017 18:32:12 +0200] response     INFO     Subject NameID: <?xml version='1.0' encoding='UTF-8'?>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">myuser</saml:NameID>
[23/May/2017 18:32:12 +0200] response     DEBUG    Attribute Statement: <?xml version='1.0' encoding='UTF-8'?>
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue ns1:type="xs:string" xmlns:ns1="http://www.w3.org/2001/XMLSchema-instance">myuser</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
[23/May/2017 18:32:12 +0200] attribute_converter DEBUG    {'urn:oasis:names:tc:SAML:2.0:attrname-format:uri': <saml2.attribute_converter.AttributeConverter object at 0x43123d0>}
[23/May/2017 18:32:12 +0200] attribute_converter INFO     Unsupported attribute name format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
[23/May/2017 18:32:12 +0200] response     ERROR    Missing Attribute Statement
[23/May/2017 18:32:12 +0200] response     DEBUG    --- AVA: {}
[23/May/2017 18:32:12 +0200] client_base  INFO     --- ADDED person info ----
[23/May/2017 18:32:12 +0200] views        DEBUG    Trying to authenticate the user
[23/May/2017 18:32:12 +0200] backends     ERROR    The attributes dictionary is empty
[23/May/2017 18:32:12 +0200] backends     DEBUG    attributes: {}
[23/May/2017 18:32:12 +0200] backends     DEBUG    attribute_mapping: {'uid': ('username',)}
[23/May/2017 18:32:12 +0200] backends     ERROR    Could not find saml_user value
[23/May/2017 18:32:12 +0200] views        ERROR    The user is None

The problem seems to be "Unsupported attribute name format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic", although in pysaml it is in saml2/attributemaps/basic.py. The DEBUG output {'urn:oasis:names:tc:SAML:2.0:attrname-format:uri': <saml2.attribute_converter.AttributeConverter object at 0x43123d0>} was inserted by me; it is the value of acsd in the function "to_local" in saml2/attribute_converter.py, which seems to be the attribute scheme actually used.


Is there any configuration parameter for libsaml which I missed?


My libsaml configuration is:


[libsaml]
xmlsec_binary=/usr/local/xmlsec1/1.2.24/bin/xmlsec1
create_users_on_login=true
metadata_file=/usr/local/hue/desktop/conf/metadata.xml
key_file=/usr/local/hue/desktop/conf/server.key
cert_file=/usr/local/hue/desktop/conf/server.crt.pem
logout_requests_signed=true

Thank you in advance for any help,

Michael.


Re: Hue SSO integration in PingFederate (SAML2.0)

You don't have any user_attribute_mapping or username_source. I don't know the defaults.

This seems to be the default mappings in place.

attribute_mapping: {'uid': ('username',)}

Anyway, the field passed with the username is NameID with the value myuser, but it is looking for the field saml_user, which doesn't exist.

Try setting username_source to nameid and maybe the format.

https://www.cloudera.com/documentation/enterprise/5-8-x/topics/cdh_sg_hue_saml.html

username_source=nameid
name_id_format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

Re: Hue SSO integration in PingFederate (SAML2.0)

username_source=nameid and different variants of name_id_format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" didn't help.


I changed desktop/libs/libsaml/attribute-maps/SAML2.py to


MAP = {
    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    'fro': {
        'uid': 'uid',
    },
    'to': {
        'uid': 'uid',
    }
}

Now I can successfully login.
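The mechanism behind both the failure in the log and the fix above, as an added example that is not part of the thread and not Hue's or pysaml2's own code: a simplified stand-in for pysaml2's to_local that, like the real one, selects a converter by the Attribute's NameFormat and drops any Attribute whose format has no map. It runs against a constructed copy of the AttributeStatement from the debug output and the attribute_mapping {'uid': ('username',)} shown there; the urn:oid name for uid in the uri map, the helper names and the simplified login flow are assumptions for illustration.

```python
"""Why a 'basic'-format Attribute is ignored until a 'basic' map exists.

Added example, not Hue's or pysaml2's code: models the NameFormat-keyed
converter lookup the thread describes and the username selection done by
the backend's attribute_mapping.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
BASIC_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed from the AttributeStatement in the debug log above.
ATTRIBUTE_STATEMENT = (
    '<saml:AttributeStatement xmlns:saml="{ns}">'
    '<saml:Attribute Name="uid" NameFormat="{fmt}">'
    '<saml:AttributeValue>myuser</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement>'
).format(ns=SAML_NS, fmt=BASIC_FMT)

# Attribute maps in the shape of desktop/libs/libsaml/attribute-maps/*.py.
# URI_MAP stands in for the default uri map (urn:oid for uid is assumed);
# BASIC_MAP is the map the poster added.
URI_MAP = {"identifier": URI_FMT,
           "fro": {"urn:oid:0.9.2342.19200300.100.1.1": "uid"},
           "to": {"uid": "urn:oid:0.9.2342.19200300.100.1.1"}}
BASIC_MAP = {"identifier": BASIC_FMT,
             "fro": {"uid": "uid"},
             "to": {"uid": "uid"}}

ATTRIBUTE_MAPPING = {"uid": ("username",)}  # from the backends log line


def parse_attributes(xml_text):
    """Return [(Name, NameFormat, [values])] from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    out = []
    for attr in root.findall("{%s}Attribute" % SAML_NS):
        values = [v.text or "" for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        out.append((attr.get("Name"), attr.get("NameFormat"), values))
    return out


def to_local(attribute_maps, attributes, log):
    """Simplified stand-in for saml2.attribute_converter.to_local.

    acsd holds one converter per map 'identifier' (the dict the poster
    printed). An Attribute whose NameFormat has no converter is skipped,
    which is the 'Unsupported attribute name format' line in the log; an
    empty result is the 'Missing Attribute Statement' error.
    """
    acsd = {m["identifier"]: m for m in attribute_maps}
    ava = {}
    for name, fmt, values in attributes:
        conv = acsd.get(fmt)
        if conv is None:
            log.append("Unsupported attribute name format: %s" % fmt)
            continue
        local = conv["fro"].get(name, name)
        ava.setdefault(local, []).extend(values)
    if not ava:
        log.append("Missing Attribute Statement")
    return ava


def saml_username(ava, attribute_mapping=ATTRIBUTE_MAPPING):
    """Pick the username the way the backend's attribute_mapping does."""
    for saml_attr, django_fields in attribute_mapping.items():
        if "username" in django_fields and ava.get(saml_attr):
            return ava[saml_attr][0]
    return None


def login_attempt(attribute_maps):
    """Run the assertion through the maps; return (username, log lines)."""
    log = []
    attrs = parse_attributes(ATTRIBUTE_STATEMENT)
    ava = to_local(attribute_maps, attrs, log)
    return saml_username(ava), log


if __name__ == "__main__":
    # Only the uri map loaded: (None, ['Unsupported attribute name format:
    # urn:oasis:names:tc:SAML:2.0:attrname-format:basic', 'Missing Attribute Statement'])
    print(login_attempt([URI_MAP]))
    # basic map added: ('myuser', [])
    print(login_attempt([URI_MAP, BASIC_MAP]))
```

The point the model makes visible is that nothing about the NameID is consulted on this path: the attribute is dropped at converter lookup, so AVA is empty, the attribute_mapping has nothing to read, and username_source or name_id_format changes cannot help. Only a map whose identifier equals the IdP's NameFormat, or an IdP reconfigured to emit the uri format, changes the outcome.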


Re: Hue SSO integration in PingFederate (SAML2.0)

@MichaelMH,


I am glad that you were able to figure out how to get the pysaml2 mapping to work. By default, Hue's implementation expects the NameFormat of uid to be "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", I believe. Shibboleth uses that by default but others do not. Since the problem was at the attribute level, changes to the nameid format will not have any impact in this case (as was demonstrated in your testing).

Thanks for sharing the solution!


Ben