SAML-Toolkits / wordpress-saml

OneLogin SAML plugin for Wordpress
MIT License

There was at least one error processing the SAML Response: invalid_response #99

Closed jdhoneatt closed 3 years ago

jdhoneatt commented 3 years ago

Working with IdP, HaloE, on WordPress sites hosted with WPEngine. When trying to access the site's home url, I am redirected to our SSO page, put in credentials, and then am redirected to a page that states:

"The status code of the Response was not Success, was Requester There was at least one error processing the SAML Response: invalid_response Contact the administrator" At the url like: https://{mywordpresssite.url}/wp-content/plugins/onelogin-saml-sso/alternative_acs.php

I currently have Debug Mode checked. Without it checked, the first line of text is not there.

Removing '/wp-content/plugins/onelogin-saml-sso/alternative_acs.php' from the URL bar and pressing enter does allow access.

Trying to access https://{mywordpresssite.url}/wp-admin instead of the home url redirects to our SSO page, put in credentials, and am redirected to the WordPress Admin Dashboard, no error.

I do have the Alternative ACS Endpoint checked as that is what we have always done for WPEngine.

Force SAML Login is also checked as we do not want anyone accessing the site without authenticating first.

Hoping you might be able to point us in the right direction to resolve the issue.

jdhoneatt commented 3 years ago

In researching a little further and reviewing some SAML Traces, we have found that the reason the invalid_response is occurring is because the SAMLResponse is more than 5 minutes old according to the timestamps.


Examples: At 2020-07-29 2:57:56 GMT:

I tried to login and a SAMLRequest was generated with IssueInstant="2020-07-29T02:42:08Z", which is 15 minutes old so the SAML IdP returns an error in the SAMLResponse and login fails - The IdP states that the IssueInstant has to be within 5 minutes of the request.

At 2020-07-29 3:07:30 GMT:

I tried to login again and a SAMLRequest was generated with IssueInstant="2020-07-29T02:59:55Z", which was over 7 minutes old, so it resulted in failure.

At 2020-07-29 3:10:36 GMT:

I tried to login and a SAMLRequest was generated with IssueInstant="2020-07-29T02:36:19Z", which was 34 minutes old, so it resulted in a failure.


The IdP is stating this is a SP issue. Is there anything in the onelogin-saml-sso plugin that would cause the SAMLResponses' timestamps to be so random and so far off?

pitbulk commented 3 years ago

This issue seems related to a machine that is not in sync with the real time, so the SAML toolkit generates messages with the wrong times assigned.

Or the IdP's machine is the one that does not have the right time.
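
An added example, not part of the thread or of the plugin's code: a small checker that decodes each `SAMLRequest` value from a SAML trace, reads its `IssueInstant`, and measures how old the request was when it was sent, using the three attempts reported above. It assumes the request travels over the HTTP-Redirect binding (raw DEFLATE, then base64); the function names and the minimal AuthnRequest XML are constructed for illustration, and only the timestamps come from the thread.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # window the IdP in this thread is said to enforce

def deflate_b64(xml):
    """Encode XML as an HTTP-Redirect SAMLRequest value (raw DEFLATE, then base64)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def issue_instant(saml_request):
    """Decode a SAMLRequest value and return its IssueInstant as aware UTC."""
    xml = zlib.decompress(base64.b64decode(saml_request), -15)
    # Diagnostic use on your own trace; parse untrusted XML with a hardened parser.
    stamp = ET.fromstring(xml).attrib["IssueInstant"]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def analyse(trace):
    """trace: [(time the request was seen leaving the browser, SAMLRequest value)]."""
    ages = [seen - issue_instant(req) for seen, req in trace]
    return {
        "ages": ages,
        "stale": [age > MAX_AGE for age in ages],
        # A fixed clock offset gives near-equal ages; a wide spread means the
        # gap between IssueInstant and send time varies from request to request.
        "spread": max(ages) - min(ages),
    }

def constructed_request(instant):
    # Constructed minimal AuthnRequest; only the timestamp comes from the thread.
    return deflate_b64(
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="_constructed" Version="2.0" IssueInstant="{instant}"/>')

def utc(h, m, s):
    return datetime(2020, 7, 29, h, m, s, tzinfo=timezone.utc)

# The three attempts reported in the thread: (observed time, IssueInstant).
TRACE = [
    (utc(2, 57, 56), constructed_request("2020-07-29T02:42:08Z")),
    (utc(3, 7, 30), constructed_request("2020-07-29T02:59:55Z")),
    (utc(3, 10, 36), constructed_request("2020-07-29T02:36:19Z")),
]

if __name__ == "__main__":
    result = analyse(TRACE)
    for age, stale in zip(result["ages"], result["stale"]):
        print(f"age={age} stale={stale}")
    print("spread:", result["spread"])
```

Running the same check against the `SAMLRequest` values in a fresh trace, alongside the SP host's own clock reading, shows whether the age is constant across attempts or changes from one request to the next.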