Configuring Redmine authentication with Onelogin

So for some reason you need to configure Redmine login to work via Onelogin, but it does not work via a one-click install, does it?

No, it requires some configuration (and prior to writing this post it required some coding as well...).

So, first things first:

Onelogin part of the setup:

1. Create your Onelogin account, if you don't already have one
2. Log in to Onelogin and go to Apps | Add Apps
3. In the Find box, type Redmine and choose the Redmine result
4. On the next screen, make sure that under the Connectors section the SAML radio button is selected, then click SAVE
5. After saving you will see a screen with several tabs
6. Click on the Configuration tab and enter your Redmine server's URL, for example: http://redmine.redminecookbook.com

7. Then go to the Parameters tab and choose values for lastname and username

8. Configure the mapping manually or via Users | Mappings


That's it, now on to the Redmine part...

1. Check out my fork of chrodrigez-es redmine_omniauth_saml.
Navigate to your Redmine installation's plugins directory and clone it:

cd /home/acosonic/redmine/plugins
git clone https://github.com/acosonic/redmine_omniauth_saml.git

2. Follow the instructions from the GitHub readme.
You need to copy the sample initializer.rb to /path/to/your/redmine/config/initializers and rename it to onelogin.rb
3. Paste the values from Onelogin's SSO tab into onelogin.rb
So your onelogin.rb file will look like this:

  config.saml = {
    :assertion_consumer_service_url => "http://redminecookbook.com/auth/saml/callback", # OmniAuth callback URL
    :issuer                         => "https://app.onelogin.com/saml/metadata/111111", # The issuer name / entity ID. Must be a URI as per SAML 2.0 spec
    :idp_sso_target_url             => "https://acosonic.onelogin.com/trust/saml2/http-post/sso/111111", # SSO login endpoint
    :idp_cert_fingerprint           => "AA:AA:AA:AA:AA:6A:6A:FA:DA:2D:03:05:2B:94", # SSO SSL certificate fingerprint
    # Alternatively, specify the full certificate:
    #:idp_cert                       => "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
    :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    :signout_url                    => "https://acosonic.onelogin.com/trust/saml2/http-redirect/slo/111111", # Optional signout URL, not supported by all identity providers
    :idp_slo_target_url             => "https://acosonic.onelogin.com/trust/saml2/http-redirect/slo/111111",
    :name_identifier_value          => "mail", # Which Redmine field is used as name_identifier_value for SAML logout
    :attribute_mapping              => {
      # How we map attributes from SSO to Redmine attributes
      :login      => 'extra.raw_info.username',
      :mail       => 'extra.raw_info.email',
      :firstname  => 'extra.raw_info.firstname',
      :lastname   => 'extra.raw_info.lastname'
    }
  }

4. Perform standard plugin installation:

bundle exec rake redmine:plugins:migrate RAILS_ENV=production
bundle exec rake redmine:plugins RAILS_ENV=production

5. Restart Redmine and configure the plugin under Administration | Plugins | Redmine omniauth SAML | Configuration
6. Enter some name like "Onelogin"
7. Test the installation: you should see the Onelogin button on Redmine's login page. Clicking it takes you to Onelogin, where you enter your Onelogin username and password, and you are then redirected back to Redmine.
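
The values pasted into onelogin.rb in step 3 can be sanity-checked before the restart in step 5. The Ruby below is an added example, not code from the plugin or from this post; check_saml_config and PAGE_SAMPLE are hypothetical names, and the rule that the issuer, SSO and SLO URLs end in the same app id is an assumption drawn from the sample listing above.

```ruby
require "uri"

# Hypothetical helper (not part of redmine_omniauth_saml): lint a config.saml hash.
URL_KEYS = %i[assertion_consumer_service_url idp_sso_target_url idp_slo_target_url signout_url].freeze
FINGERPRINT_OCTETS = [20, 32].freeze # digest lengths of SHA-1 and SHA-256

def check_saml_config(saml)
  problems = []
  URL_KEYS.each do |key|
    value = saml[key].to_s
    next if value.empty? # optional keys may be absent
    uri = URI.parse(value) rescue nil
    if uri.nil? || uri.host.nil?
      problems << "#{key}: not an absolute URL"
    elsif uri.scheme != "https"
      problems << "#{key}: #{uri.scheme} URL, SAML messages would travel without TLS"
    end
  end

  fingerprint = saml[:idp_cert_fingerprint]
  if fingerprint.nil? && saml[:idp_cert].nil?
    problems << "no idp_cert_fingerprint or idp_cert: the IdP signature cannot be checked"
  elsif fingerprint
    octets = fingerprint.split(":")
    if !octets.all? { |o| o.match?(/\A\h{2}\z/) }
      problems << "idp_cert_fingerprint: expected colon-separated hex octets"
    elsif !FINGERPRINT_OCTETS.include?(octets.size)
      problems << "idp_cert_fingerprint: #{octets.size} octets, expected 20 (SHA-1) or 32 (SHA-256)"
    end
  end

  # Assumption from the page's sample: issuer, SSO and SLO URLs end in the same app id.
  ids = %i[issuer idp_sso_target_url idp_slo_target_url].map { |k| saml[k].to_s[/\d+\z/] }.compact.uniq
  problems << "issuer/SSO/SLO URLs end in different app ids: #{ids.join(', ')}" if ids.size > 1
  problems
end

# Constructed input: the placeholder values from the onelogin.rb listing above.
PAGE_SAMPLE = {
  assertion_consumer_service_url: "http://redminecookbook.com/auth/saml/callback",
  issuer: "https://app.onelogin.com/saml/metadata/111111",
  idp_sso_target_url: "https://acosonic.onelogin.com/trust/saml2/http-post/sso/111111",
  idp_cert_fingerprint: "AA:AA:AA:AA:AA:6A:6A:FA:DA:2D:03:05:2B:94",
  idp_slo_target_url: "https://acosonic.onelogin.com/trust/saml2/http-redirect/slo/111111"
}.freeze

puts check_saml_config(PAGE_SAMPLE)
```

Run against the placeholder listing, it reports the plain-HTTP callback URL and the shortened fingerprint; a hash filled in with the real values from the SSO tab and an https callback should return an empty list.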