External login removes user from usergroup

Problem: I just upgraded to Foreman 2.2 and it seems that after I modify the HTTP_REMOTE_USER to REMOTE_USER and manage to log in to Foreman, my user is getting removed from the user group in which it should be according to my AD group.
The only rights that are left are those that were manually added in the Foreman WebUI. It seems like it's not looking anymore at group data received from AD.

Expected outcome:
Login with user and keep the user in usergroup

**Foreman and Proxy versions:** 2.2.3

Foreman and Proxy plugin versions:

Distribution and version: CentOS 7

Other relevant data:
I looked into the logs but did not manage to find any relevant data on which headers are being received, to see if maybe the group header is not received. Any idea where I should look next?
Many thanks

Note: I am using EXTERNAL login with SSO SAML with mod_mellon and not LDAP

After some more digging I have not yet figured it out, maybe headers for users are not passed to Puma?

I tried updating to 2.5 with Puma and my SSO login fails every time. I cannot even log in using SSO, not to mention the previous issue.
I get redirected to the external login page when entering /users/extlogin, but after I log in it falls back to /users/login.

I tried setting HTTP_REMOTE_USER header as in lookup_identity.conf since I do not use FreeIPA, thought maybe it was an env var issue, but no luck. I checked the vars that are set in my mellon config.

Does anyone have any thoughts?

I remember there were changes of headers passing after we moved from passenger to puma deployment, which uses ProxyPass in Apache. @ekohl may remember or have some pointers.

The next step I will try is to use mod_openidc instead of mod_mellon to enable SSO login, reconfigure the server as explained in the official docs, and see if the problem is still there.

Not sure if you’re still having trouble with this but I managed to get my server working and here’s what I did.

(I have the same setup as yours - EXTERNAL login with SSO SAML with mod_mellon and not LDAP.)

Some of the issues that I encountered:

  1. Users being removed from usergroups when they log-out then log-in. - happens when REMOTE_USER_GROUPS env variable is not passed to puma.
  2. User email information is not passed to foreman so users are asked to enter an email on first login. - happens when REMOTE_USER_EMAIL env variable is not passed to puma.
  3. Forwarded back to foreman login page (https://foreman.server/users/login) after entering the credentials in our custom IDP. - happens when REMOTE_USER env variable is not passed to puma.

All these issues were related to Environment variables not being passed to puma.

Here's my mellon configuration:

```
<Location />
    MellonEndpointPath /saml2/
    MellonSPMetadataFile /etc/httpd/saml2/
    MellonSPPrivateKeyFile /etc/httpd/saml2/
    MellonSPCertFile /etc/httpd/saml2/
    MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml
    MellonIdP IDP
    MellonEnvVarsSetCount On
    MellonMergeEnvVars On ":"
    MellonEnvVarsIndexStart 1
    MellonSetEnvNoPrefix REMOTE_USER NAME_ID
    MellonSetEnvNoPrefix REMOTE_USER_EMAIL <your claims friendlyname here>
    MellonSetEnvNoPrefix REMOTE_USER_GROUPS <your claims friendlyname here>
</Location>

<Location /saml2>
    MellonEnable info
</Location>

<Location /users/extlogin>
    AuthType Mellon
    MellonEnable auth
    Require valid-user
</Location>
```

Then I added the request header directives to the foreman config.

vi /etc/httpd/conf.d/05-foreman-ssl.conf

```
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://$1 [P,L]
RequestHeader set REMOTE_USER "%{REMOTE_USER}e"
RequestHeader set REMOTE_USER_EMAIL "%{REMOTE_USER_EMAIL}e"
RequestHeader set REMOTE_USER_GROUPS "%{REMOTE_USER_GROUPS}e"
```

Now I'm trying to figure out how to make the auto-created users join the default organization and default location.

Hope this helps :slightly_smiling_face:
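A static check for the three symptoms listed in the answer above, as an added example that is not part of the original post or of Foreman: it scans vhost config text for the `RequestHeader set` lines and reports which of the three variables would not reach Puma. The function names and both sample configs are constructed for illustration, and it assumes the environment variable names from the Mellon configuration above.

```python
import re

# Symptom each missing variable causes, as listed in the answer above.
SYMPTOMS = {
    "REMOTE_USER": "sent back to /users/login after IdP login",
    "REMOTE_USER_EMAIL": "user asked to enter an email on first login",
    "REMOTE_USER_GROUPS": "user removed from usergroups on next login",
}

# Matches: RequestHeader set NAME "%{ENVVAR}e" (quotes optional).
# Commented-out directives do not match because of the ^\s* anchor.
DIRECTIVE = re.compile(
    r'^\s*RequestHeader\s+set\s+(\S+)\s+"?%\{([^}]+)\}e"?', re.IGNORECASE)

def forwarded_vars(conf_text):
    """Return {header_name: env_var} for each RequestHeader set ... %{VAR}e."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            # Header names are case-insensitive; treat '-' and '_' alike.
            found[m.group(1).upper().replace("-", "_")] = m.group(2)
    return found

def audit(conf_text):
    """Return (variable, problem) findings; an empty list means all three are forwarded."""
    found = forwarded_vars(conf_text)
    findings = []
    for var, symptom in SYMPTOMS.items():
        if var not in found:
            findings.append((var, "not forwarded: " + symptom))
        elif found[var] != var:
            findings.append((var, "filled from %s, not %s" % (found[var], var)))
    return findings

# Constructed sample configs (not taken from a real server).
GOOD_CONF = """
  RequestHeader set REMOTE_USER "%{REMOTE_USER}e"
  RequestHeader set REMOTE_USER_EMAIL "%{REMOTE_USER_EMAIL}e"
  RequestHeader set REMOTE_USER_GROUPS "%{REMOTE_USER_GROUPS}e"
"""
BAD_CONF = """
  RequestHeader set REMOTE_USER "%{REMOTE_USER}e"
  # RequestHeader set REMOTE_USER_EMAIL "%{REMOTE_USER_EMAIL}e"
  RequestHeader set Remote-User-Groups %{MELLON_groups}e
"""

if __name__ == "__main__":
    for var, problem in audit(BAD_CONF):
        print(var, "->", problem)
```

This only inspects the Apache side; it does not confirm that mod_mellon actually populates the variables from the IdP's claims.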

Thanks @delfinebuejr for advice, I tried different configs, slightly different than yours and didn’t work. I finally installed a Keycloak instance and right now I am using OpenID Connect with Keycloak as IDP, and my IDP syncs with Microsoft Azure AD.