SAML implementation #1471
Replies: 3 comments 3 replies
-
Logout URL is ${base_url}/saml/sls.php
When you are using Modern Auth you have to create API Tokens for each user that needs API access. Go into the People Management screen and there's a button to generate an API token for them. That token, along with their username, gets passed in the header. Use the Swagger interface for examples.
Scott
From: MathisICDC
Sent: Thursday, October 26, 2023 5:25 AM
To: opendcim/openDCIM ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [opendcim/openDCIM] SAML implementation (Discussion #1471)
Hello,
I am setting up SAML authentication with ADFS but I have two small problems.
When I click on logout, I get an error message "The SAML logout did not complete properly". I'm looking for the right endpoint logout url to put on the ADFS side. Maybe that's where the problem lies. For your information, the "SLS URL" field is filled in.
Next, I was using the OpenDCIM API service to launch scheduled tasks. Since I was using basic authentication, I was able to connect easily with my Python script. But I have no idea how to adapt the authentication part to work with SAML.
Maybe I can use SAML authentication for my clients and basic authentication for the api account at the same time.
Thank you in advance.
Best regards,
Mathis
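A scheduled-task client of the kind Mathis describes, rewritten to use the per-user API token instead of HTTP basic auth. This is an added example, not openDCIM's own code: the header names UserID and APIKey, the /api/v1/device path and the DCIM_API_USER / DCIM_API_KEY environment variables are assumptions to be checked against the Swagger page of your own install.

```php
<?php
// Added example (not openDCIM's own code). Authenticates to the openDCIM
// API with a per-user API token sent in request headers. The header names
// UserID/APIKey and the /api/v1/device path are ASSUMPTIONS: confirm them
// against the Swagger page of your install before relying on them.

function dcim_request(string $baseUrl, string $path, string $user,
                      string $token, string $method = 'GET', ?array $body = null): array
{
    $ch = curl_init(rtrim($baseUrl, '/') . $path);
    $headers = array(
        'UserID: ' . $user,      // assumed header name
        'APIKey: ' . $token,     // assumed header name
        'Accept: application/json',
    );
    if ($body !== null) {
        $headers[] = 'Content-Type: application/json';
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
    }
    curl_setopt_array($ch, array(
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,
        // The token is a bearer secret: keep TLS verification on so it is
        // never sent to an impersonating host.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ));
    $raw = curl_exec($ch);
    if ($raw === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('curl: ' . $err);
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($status === 401 || $status === 403) {
        // A revoked or mistyped token fails here, not deep inside the task.
        throw new RuntimeException("API rejected credentials for $user (HTTP $status)");
    }
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        throw new RuntimeException("Non-JSON response (HTTP $status)");
    }
    return $decoded;
}

// Credentials come from the cron job's environment, not from the script
// source or the command line (where ps would expose them).
$user  = getenv('DCIM_API_USER');   // assumed variable name
$token = getenv('DCIM_API_KEY');    // assumed variable name
if ($user === false || $token === false) {
    fwrite(STDERR, "DCIM_API_USER and DCIM_API_KEY must be set\n");
    exit(1);
}

$result = dcim_request('https://dcim.example.com', '/api/v1/device', $user, $token);
printf("%d device records\n", count($result['device'] ?? array()));
```

Because the token is tied to one account in People Management, a dedicated service account for the scheduled task keeps human SAML logins and the API credential separate, which is what the original question was after.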
-
To avoid a new discussion, I'll put this here.

However, I still have the same problem with the endpoint logout. I was using "${base_url}/saml/sls.php" as the endpoint, if anyone has an idea of the problem.

In addition, during SAML authentication, I'm not logged in automatically, but I have to enter the user and password on the ADFS page. Does anyone know why it doesn't connect automatically? Are there any SAML parameters that need to be changed?

Thank you in advance again. Best regards,
-
So check in your ${base_dir}/saml/setting.php file and there will be a section for Security, with some true/false toggles. I don’t use ADFS specifically, but it’s pretty much just a very early implementation of SAML. Looking at https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-service-provider/configure-adfs-saml-connections it seems like you might have to grab the signing certificate from ADFS and use that in openDCIM for signing the logout request instead of having it autogenerate one for you. At this point you likely need your ADFS SME to jump in and help you. If that is you, well, good luck.
Scott
From: MathisICDC
Sent: Friday, October 27, 2023 10:32 AM
To: opendcim/openDCIM ***@***.***>
Cc: Scott Milliken ***@***.***>; Comment ***@***.***>
Subject: Re: [opendcim/openDCIM] SAML implementation (Discussion #1471)
To avoid a new discussion, I'll put this here.
Thanks for your feedback Scott, I can get the scripts working again by connecting with the API Token.
However, I still have the same problem with the endpoint logout. I was using "${base_url}/saml/sls.php" as the endpoint, if anyone has an idea of the problem.
In ADFS, I have this as an error message: "SAML logout request and logout response messages must be signed when using SAML HTTP Redirect or HTTP POST binding."
In addition, during SAML authentication, I'm not logged in automatically, but I have to enter the user and password on the ADFS page. Does anyone know why it doesn't connect automatically? Are there any SAML parameters that need to be changed?
I see this on my ADFS: "SAML:2.0:ac:classes:PasswordProtectedTransport". Maybe that's where the problem lies?
Thank you in advance again.
Best regards,
Mathis
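The security section Scott points at, written out as an added example rather than openDCIM's shipped file. It assumes openDCIM's saml/settings.php follows the OneLogin php-saml layout (the sls.php / acs.php endpoint names match that toolkit); the hostnames, certificate file names and the certs directory are placeholders. The toggles relevant to the two symptoms in this thread are the logout signing pair, which addresses the ADFS "must be signed" error, and requestedAuthnContext, which controls the PasswordProtectedTransport class ADFS is showing.

```php
<?php
// Added example, not openDCIM's own settings.php. Layout follows the
// OneLogin php-saml toolkit (assumed to be what openDCIM's saml/ directory
// wraps). Hostnames, file names and the certs directory are placeholders.
$certDir = __DIR__ . '/certs';

$settings = array(
    'strict' => true,   // reject assertions with bad signatures, times or audience
    'debug'  => false,

    'sp' => array(
        'entityId' => 'https://dcim.example.com/saml/metadata.php',
        'assertionConsumerService' => array(
            'url'     => 'https://dcim.example.com/saml/acs.php',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        // Same URL that goes into the ADFS relying party trust as the
        // SAML logout endpoint.
        'singleLogoutService' => array(
            'url'     => 'https://dcim.example.com/saml/sls.php',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        // SP signing key pair. sp.crt must also be uploaded on the relying
        // party trust's Signature tab so ADFS can verify signed requests.
        'x509cert'   => file_get_contents($certDir . '/sp.crt'),
        'privateKey' => file_get_contents($certDir . '/sp.key'),
    ),

    'idp' => array(
        'entityId' => 'http://adfs.example.com/adfs/services/trust',
        'singleSignOnService' => array(
            'url'     => 'https://adfs.example.com/adfs/ls/',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'singleLogoutService' => array(
            'url'     => 'https://adfs.example.com/adfs/ls/',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // ADFS token-signing certificate, used to verify what ADFS signs,
        // including the LogoutResponse it sends back to sls.php.
        'x509cert' => file_get_contents($certDir . '/adfs-token-signing.crt'),
    ),

    'security' => array(
        // ADFS refuses unsigned single logout over Redirect/POST, so sign
        // both the LogoutRequest the SP sends and the LogoutResponse it returns.
        'logoutRequestSigned'  => true,
        'logoutResponseSigned' => true,
        'authnRequestsSigned'  => true,

        // Require and verify signatures on what ADFS sends back.
        'wantMessagesSigned'   => true,
        'wantAssertionsSigned' => true,
        'wantXMLValidation'    => true,

        // true (the toolkit default) asks ADFS for the
        // PasswordProtectedTransport class, which forces a password prompt.
        // false drops that demand and lets ADFS apply its own policy.
        'requestedAuthnContext' => false,

        // ADFS lowercases percent-encoding in signed Redirect messages; the
        // toolkit must do the same or signature checks on logout fail.
        'lowercaseUrlencoding'  => true,

        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'digestAlgorithm'    => 'http://www.w3.org/2001/04/xmlenc#sha256',
    ),
);
```

Two things follow from this layout. Signing the logout messages only helps if ADFS holds the SP certificate: generate the sp.crt / sp.key pair yourself, keep the private key readable only by the web server user, and register the certificate on the relying party trust. And setting requestedAuthnContext to false removes the SP's demand for a password; whether ADFS then signs the user in silently depends on its own authentication policy for that client, which is where the ADFS administrator comes in.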
-