Enable SAML using AWS IAM Identity Center

[luciano-buono]

Debug mode

• I have enabled debug mode
• I have read checked the Common Issues page

Describe the bug

Identity Center has custom applications that allow you to integrate its own Users Directory to be used and authenticate with it into your own made applications.

https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-setup.html

Once you finish the setup, a new App appers on the https://DOMAIN.awsapps.com/start#/ launcher, which you can click to initiate the AUTH flow into your app.

So, we have to 'possible' ways to log into Snipe using SAML:

1. Start flow from https://inventory.DOMAIN.cloud/login/saml

2. Start flow clicking in AWS launcher snipe-it app

3. Using normal flow, I can see (using SAML-TRACER app) that a SAML AuthnRequest request is sent to https://portal.sso.us-west-2.amazonaws.com/saml/assertion/.... however, AWS denied the petition with a 403
   

So I'm not sure here, but it looks like AWS is not allowing the auth flow to be started from custom app, it has to be started from their own. (Anyone can confirm?)

2. Using AWS app launcher, looks like they directly send an SAMLResponse, not expecting a SAMLAuthnRequest first.
   

And here I have tried many snipeit paths but none of them works:

Setting the app

Reproduction steps

...

Expected behavior

Should be able to login

Screenshots

No response

Snipe-IT Version

Docker version v6.33

Operating System

Docker version v6.33

Web Server

Docker version v6.33

PHP Version

Docker version v6.33

Operating System

No response

Browser

No response

Version

No response

Device

No response

Operating System

No response

Browser

No response

Version

No response

Error messages

No response

Additional context

No response

[welcome]

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.

[luciano-buono]

### FIXED

In case anyone also wants to setup SAML with AWS, this is the (quite misterious) settings I needed to update:

1. Set email as mapping username and also set baseurl (in case you are also behind an ingress proxy):
   Attribute Mapping - Username = email
   SAML Custom Settings: baseurl=https://DOMAIN/saml

2. Inside Identity Center custom app, MAKE SURE that you leave empty the Application Start URL (I tried to many paths like /, /login/saml, /saml/acs, and none worked). Once it was empty, SAMLResponse was finally sent by AWS to snipeit

3. SAML Audience must be set to root path, not /SLS as SnipeIT docs reccomends
   

4. Set email user mapping in order to mach SnipeIT expected value
   

5. Create users in SnipeIT with email as its username

[iv-stdoutlabs]

I confirm Luciano's setup. The same way it works for me, with the difference of the email -> username.

For the username to work leave "Attribute Mapping - Username" empty in SnipeIT (step 1) and add attribute mapping "NameId" -> "${user:name}" in AWS (step 4). Leave everything else as per Luciano's answer.

[MarkGStockwell]

Hi Guys.... I can thankyou enough for posting this! we spent days trying various combinations

[christophermarklee]

@luciano-buono you are a god among men, thank yoU!