Closed mikerees closed 5 years ago
Thanks for opening this up @mikerees. It looks like the only transient name Id policy we are expecting is urn:oasis:names:tc:SAML:1.1:nameid-format:transient, and not urn:oasis:names:tc:SAML:2.0:nameid-format:transient. I'll need to dig in a bit further and discuss with our SAML expert to see why we have this limitation.
It may be as simple as adding it, I'll report back when I know more.
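The check the stack trace in this thread shows failing, written out as an added example (this is not FusionAuth or fusionauth-samlv2 code; the function and exception names are this example's own, and the AuthnRequest it parses is constructed, not captured). It accepts every Name ID format URI registered by SAML 2.0 Core section 8.3, including the 2.0 transient and persistent URIs an SP like the reporter's sends, and turns an unknown value into a samlp:Status the IdP can return instead of an unhandled exception and an HTTP 500:

```python
"""IdP-side check of the NameIDPolicy in an inbound SAML 2.0 AuthnRequest.

Added example, not FusionAuth or fusionauth-samlv2 code; names are this
example's own and the sample request is constructed, not captured.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Name ID formats registered by SAML 2.0 Core, section 8.3. The four 1.1 URIs
# were carried over from SAML 1.1; kerberos, entity, persistent and transient
# were introduced in 2.0 and exist only under the 2.0 prefix.
NAME_ID_FORMATS = frozenset({
    UNSPECIFIED,
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
})

# samlp:StatusCode values (SAML 2.0 Core, section 3.2.2.2). InvalidNameIDPolicy
# is a second-level code that sits under the top-level Requester code.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


class RequestError(ValueError):
    """The AuthnRequest cannot be processed; answer with a Requester status."""


class InvalidNameIDPolicy(RequestError):
    """The requested Name ID format is not one the IdP recognises."""


def name_id_policy_format(authn_request_xml: str) -> str:
    """Return the Name ID format the SP asked for, or raise RequestError.

    The request arrives from the SP over the front channel (often unsigned on
    the redirect binding), so every field is untrusted input: an unknown
    format must become a controlled error, not an unhandled exception that
    surfaces as an HTTP 500 and logs nothing to the event log.
    """
    # SAML messages never need a DTD. Refusing one blocks entity-expansion
    # tricks against the stdlib parser; production code should use a hardened
    # parser such as defusedxml rather than this string check.
    if "<!DOCTYPE" in authn_request_xml:
        raise RequestError("DOCTYPE is not allowed in a SAML message")
    try:
        root = ET.fromstring(authn_request_xml)
    except ET.ParseError as exc:
        raise RequestError(f"malformed XML: {exc}") from exc
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise RequestError(f"expected samlp:AuthnRequest, got {root.tag}")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    # An omitted NameIDPolicy, or an omitted Format, means "unspecified" and
    # leaves the choice of identifier to the IdP (Core, section 3.4.1.1).
    fmt = UNSPECIFIED if policy is None else policy.get("Format", UNSPECIFIED)
    if fmt not in NAME_ID_FORMATS:
        raise InvalidNameIDPolicy(f"Invalid SAML v2.0 Name ID format [{fmt}]")
    return fmt


def status_for(authn_request_xml: str) -> Tuple[str, Optional[str]]:
    """Map the check onto the (top-level, second-level) samlp:StatusCode pair
    the IdP should put in its Response instead of failing with a 500."""
    try:
        name_id_policy_format(authn_request_xml)
    except InvalidNameIDPolicy:
        return STATUS_REQUESTER, STATUS_INVALID_NAMEID_POLICY
    except RequestError:
        return STATUS_REQUESTER, None
    return STATUS_SUCCESS, None


def sample_authn_request(name_id_format: Optional[str]) -> str:
    """Constructed minimal AuthnRequest of the kind an SP sends to the IdP
    login URL; None omits the NameIDPolicy element entirely."""
    policy = ""
    if name_id_format is not None:
        policy = f'<samlp:NameIDPolicy Format="{name_id_format}" AllowCreate="true"/>'
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_a1b2c3" Version="2.0" IssueInstant="2019-07-02T13:38:30Z" '
        'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
        '<saml:Issuer>https://sp.example.com</saml:Issuer>'
        f'{policy}</samlp:AuthnRequest>'
    )


if __name__ == "__main__":
    for fmt in ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
                "urn:oasis:names:tc:SAML:1.1:nameid-format:transient", None):
        print(fmt, "->", status_for(sample_authn_request(fmt)))
```

The 2.0 transient and persistent requests validate, a request carrying a URI outside the registered set maps to Requester/InvalidNameIDPolicy, and malformed or DTD-bearing input maps to Requester; none of them escape as an exception.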
This is looking like just a bug on our end. How are you running FusionAuth: Docker, zip or Linux package?
Linux package.
Want to try a patched jar? ... or I could spin you a deb or RPM to test as well.
Whichever's easier for you
Try this, replace the existing fusionauth-samlv2 jar in the web/WEB-INF/lib directory.
https://drive.google.com/file/d/1ZEC3FVWEqiGQuLDfgqiCjJIC3BKiIpwQ/view?usp=sharing
I appear to still be getting the same error.
Jul 02, 2019 1:38:30.570 PM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
java.lang.IllegalArgumentException: Invalid SAML v2.0 Name ID format [urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
at io.fusionauth.samlv2.domain.NameIDFormat.fromSAMLFormat(NameIDFormat.java:156)
at io.fusionauth.samlv2.service.DefaultSAMLv2Service.parseRequest(DefaultSAMLv2Service.java:428)
at io.fusionauth.app.action.samlv2.LoginAction.get(LoginAction.java:92)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:436)
at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:84)
at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:64)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:47)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:60)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:50)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:52)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:57)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:102)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:58)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:45)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:126)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.workflow.StaticResourceWorkflow.perform(StaticResourceWorkflow.java:97)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.parameter.RequestBodyWorkflow.perform(RequestBodyWorkflow.java:89)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:57)
at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:43)
at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:91)
at org.primeframework.mvc.workflow.DefaultWorkflowChain.continueWorkflow(DefaultWorkflowChain.java:44)
at org.primeframework.mvc.servlet.FilterWorkflowChain.continueWorkflow(FilterWorkflowChain.java:50)
at org.primeframework.mvc.servlet.PrimeFilter.doFilter(PrimeFilter.java:84)
at com.inversoft.maintenance.servlet.MaintenanceModePrimeFilter.doFilter(MaintenanceModePrimeFilter.java:59)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.inversoft.servlet.UTF8Filter.doFilter(UTF8Filter.java:27)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Strange, that exception shouldn't happen with the jar I sent, is it possible you have both the old and the new jar in the lib directory?
Can you provide the output (or equivalent) to this command?
ls -la web/WEB-INF/lib/fusionauth-samlv2*
Just this.
-rw-rw-r-- 1 ec2-user ec2-user 167753 Jul 2 13:34 web/WEB-INF/lib/fusionauth-samlv2-0.2.1.jar
I should clarify though that I did try renaming that file to -0.2.0.jar at one point due to some issues with FusionAuth picking it up but that is it in its current state. The checksum of that file is 4f05d5e08ea898d22b48796306ca4fa4 if that helps you confirm it's the correct version
I have tried reuploading and rebooting the service and I appear to have got past this issue. I'm now getting configuration issues that I should be able to resolve by myself. Thanks for the assistance!
Ah, ok, yes, I should have mentioned you would need to restart the web service. That checksum is correct.
Thanks for testing that out for us, we will get that fixed in the upcoming release.
If you have any other feedback on our SAML configuration or support that would make this easier for you, please pass it along!
Thanks @mikerees
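The two things this exchange had to establish by hand, that only one fusionauth-samlv2 jar is on the classpath and that its MD5 matches the value the maintainer confirmed, as an added example (not FusionAuth tooling; the directory, jar name and expected checksum are the ones quoted above, everything else is this example's own). A jar fetched from a file-sharing link should be checked against the checksum the maintainer states before it is loaded into the IdP; note that MD5 only catches a corrupted or mixed-up download, not a deliberately substituted one, so ask for a SHA-256 when the source is less trusted:

```python
"""Verify a hand-patched jar in web/WEB-INF/lib before restarting the service.

Added example, not FusionAuth tooling. The directory, jar name and expected
MD5 are the ones quoted in this thread; everything else is this example's own.
"""
import hashlib
from pathlib import Path
from typing import Dict, List

EXPECTED_MD5 = "4f05d5e08ea898d22b48796306ca4fa4"  # value confirmed by the maintainer above


def digest_bytes(data: bytes, algorithm: str = "md5") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path: Path, algorithm: str = "md5") -> str:
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_jars(found: Dict[str, str], expected_md5: str,
               stem: str = "fusionauth-samlv2") -> List[str]:
    """Pure check over {jar file name: md5}; returns problems, empty when ready.

    Two copies of the library on the classpath is the first thing to rule out
    when a patched jar seems to have no effect: the JVM loads whichever class
    it finds first, and the stack trace will still point at the old code.
    """
    problems: List[str] = []
    names = sorted(n for n in found if n.startswith(stem) and n.endswith(".jar"))
    if not names:
        return [f"no {stem}*.jar present"]
    if len(names) > 1:
        problems.append("more than one copy on the classpath: " + ", ".join(names))
    for name in names:
        if found[name].lower() != expected_md5.lower():
            problems.append(f"{name}: md5 {found[name]} does not match {expected_md5}")
    return problems


def check_lib_dir(lib_dir: str, expected_md5: str = EXPECTED_MD5) -> List[str]:
    """Filesystem wrapper: hash every jar in lib_dir and audit the result."""
    found = {p.name: digest_file(p) for p in Path(lib_dir).glob("*.jar")}
    return audit_jars(found, expected_md5)


if __name__ == "__main__":
    import sys
    problems = check_lib_dir(sys.argv[1] if len(sys.argv) > 1 else "web/WEB-INF/lib")
    print("\n".join(problems) or "ok: restart the web service to load the patched jar")
```

Run it from the FusionAuth install directory; an empty problem list means the jar is the one the maintainer built and nothing else will shadow it, and the remaining step is the service restart that the thread found was missing.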
Available in 1.7.3
Invalid SAML v2.0 Name ID format on attempt to redirect SP to FusionAuth Login URL
Description
Attempts to redirect a user from a Service Provider to the relevant application's SAML v2 Login URL causes a 500 internal server error. Nothing gets logged to the event log, but fusionauth-app.log is saying that there is an invalid SAML v2.0 name ID format being passed. The metadata passed contains the Name ID policy urn:oasis:names:tc:SAML:2.0:nameid-format:transient which is a valid Name ID policy. I have also encountered this same issue using the persistent 2.0 Name ID policy.
Steps to reproduce
Expected behavior
A login screen to be presented that allows a user to log in with their FusionAuth user account, and for FusionAuth to then redirect to the ACS URL with a SAML response payload.
Platform
Additional context
The stacktrace for the error in fusionauth-app.log is as follows:
The SAML SP Metadata file is attached. metadata.txt