OpenConext / OpenConext-engineblock

OpenConext SAML 2.0 IdP/SP Gateway

Wrong error message shown #447

Open baszoetekouw opened 6 years ago

baszoetekouw commented 6 years ago

When a signature is required for an AuthnRequest (for example, if the ACS location in the request is not registered in SR), and the signature verification fails (or the request is unsigned), Engineblock shows the wrong error message: "Error - Invalid Identity Provider response".


The EB log shows, otoh:

EngineBlock_Corto_Module_Bindings_VerificationException: Validation of received messages enabled, but no signature found on message.
#0 /opt/openconext/OpenConext-engineblock-5.4.0/library/EngineBlock/Corto/Adapter.php(137): EngineBlock_Corto_Module_Bindings->receiveRequest()
#1 /opt/openconext/OpenConext-engineblock-5.4.0/library/EngineBlock/Corto/Adapter.php(304): EngineBlock_Corto_Adapter->_getRequestInstance()
#2 /opt/openconext/OpenConext-engineblock-5.4.0/library/EngineBlock/Corto/Adapter.php(154): EngineBlock_Corto_Adapter->_getIssuerSpEntityId()
#3 /opt/openconext/OpenConext-engineblock-5.4.0/library/EngineBlock/Corto/Adapter.php(42): EngineBlock_Corto_Adapter->_filterRemoteEntitiesByRequestSp()
#4 /opt/openconext/OpenConext-engineblock-5.4.0/src/OpenConext/EngineBlockBundle/Controller/IdentityProviderController.php(94): EngineBlock_Corto_Adapter->singleSignOn(NULL)
#5 [internal function]: OpenConext\EngineBlockBundle\Controller\IdentityProviderController->singleSignOnAction(NULL, NULL)
#6 /opt/openconext/OpenConext-engineblock-5.4.0/app/bootstrap.php.cache(3222): call_user_func_array(Array, Array)
#7 /opt/openconext/OpenConext-engineblock-5.4.0/app/bootstrap.php.cache(3181): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1)
#8 /opt/openconext/OpenConext-engineblock-5.4.0/app/bootstrap.php.cache(3335): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#9 /opt/openconext/OpenConext-engineblock-5.4.0/app/bootstrap.php.cache(2540): Symfony\Component\HttpKernel\DependencyInjection\ContainerAwareHttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#10 /opt/openconext/OpenConext-engineblock-5.4.0/web/app.php(22): Symfony\Component\HttpKernel\Kernel->handle(Object(Symfony\Component\HttpFoundation\Request))
#11 {main}

thijskh commented 6 years ago

Right - EngineBlock_Corto_Module_Bindings_VerificationException is thrown when there's something wrong with a signed message (other than the signature failing); that's usually an IdP message (assertion) but can be an SP message (signed authn request - in this case, must be signed but isn't). So the words "Identity Provider" are certainly wrong there.

Probably best to split this out into some more specific exceptions, at least per type of message (request / response), especially the one quoted above.
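
The split per message type suggested above, as an added example in Python (not EngineBlock's own code, which is PHP): the check classifies an incoming SAML message by its root element and raises a request- or response-specific exception whose `user_message` drives the error page, so an unsigned AuthnRequest no longer surfaces as an Identity Provider error. The SAML namespaces are real; the exception class names, the `REGISTERED_ACS` registry standing in for SR, and the sample request are constructed for this example.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

class VerificationError(Exception):
    """Base class; each subclass carries the text the error page should show."""
    user_message = "Error - Invalid SAML message"
class UnsignedRequestError(VerificationError):
    user_message = "Error - Service Provider request must be signed, but no signature found"
class UnsignedResponseError(VerificationError):
    user_message = "Error - Invalid Identity Provider response"

# Constructed registry standing in for SR: SP entityID -> registered ACS locations.
REGISTERED_ACS = {"https://sp.example.org": {"https://sp.example.org/acs"}}

def check_signature_presence(xml_text):
    """Return "ok" or raise a message-type-specific exception. Only the presence of
    ds:Signature is checked; verifying a present signature is a separate step."""
    root = ET.fromstring(xml_text)
    local = root.tag.rsplit("}", 1)[-1]  # element name without its namespace
    signed = root.find("ds:Signature", NS) is not None
    if local == "AuthnRequest":
        issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
        acs = root.get("AssertionConsumerServiceURL", "")
        # An SP request must be signed when its ACS location is not registered.
        if acs not in REGISTERED_ACS.get(issuer, set()) and not signed:
            raise UnsignedRequestError(f"unregistered ACS {acs!r} on unsigned request")
        return "ok"
    if local == "Response":
        if not signed:  # IdP responses must always be signed in this example
            raise UnsignedResponseError("response from IdP carries no signature")
        return "ok"
    raise VerificationError(f"unexpected message type {local!r}")

def error_page_message(xml_text):
    try:
        check_signature_presence(xml_text)
        return None  # message passed; nothing to show on the error page
    except VerificationError as exc:
        return exc.user_message

# Constructed sample: unsigned AuthnRequest whose ACS location is not registered.
UNSIGNED_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"'
    ' AssertionConsumerServiceURL="https://sp.example.org/unregistered-acs">'
    '<saml:Issuer>https://sp.example.org</saml:Issuer></samlp:AuthnRequest>'
)
```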

thijskh commented 6 years ago

Very related: #391