dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

Configure SAML is not working with DEX #1169

Open jenningsloy318 opened 6 years ago

jenningsloy318 commented 6 years ago

Hi All,

I just configured dex to integrate with my corp's IDP service through the SAML connector example, but it doesn't seem to be working right now. dex redirects to the IDP, but no login screen appears.

Background: Our IDP service co-works with UAA and provides SSO for the Cloud Foundry platform; the configuration involves a trust configuration between them, which works perfectly. I want to use dex to replace the UAA part with the IDP to provide auth for the Kubernetes cluster in my testing env. The trust configuration in both UAA and IDP is achieved by importing a metadata.xml file; on the UAA side, it adds the following four parameters:

 - Single Sign-On URL (Redirect Binding)
 - Single Sign-On URL (Post Binding)
 - Single Logout URL (Redirect Binding)
 - Single Logout URL (Post Binding)

with the same value: https://csc-devops-test.<IDP domain>/saml2/idp/sso/csc-devops-test.<IDP domain>, plus a signing certificate of the IDP URL.

On the IDP side, several settings are also needed:

| Field | Description | Value |
|---|---|---|
| Name | The entity ID of the service provider. | csc-devops-test-pt1.canary |
| Assertion Consumer Service Endpoint | The SP's endpoint URL that receives the response with the SAML assertion from Identity Authentication. | https://csc-devops-test-pt1.<UAA domain>/saml/SSO/alias/csc-devops-test-pt1.canary |
| Single Logout Endpoint | The SP's endpoint URL that receives the logout response or request (for a multiple-SPs scenario) from Identity Authentication for the termination of all current sessions. | Two items are configured; both HTTP-POST and HTTP-Redirect are set to https://csc-devops-test-pt1.<UAA domain>/saml/SingleLogout/alias/csc-devops-test-pt1.canary |
| Signing Certificate | A base64-encoded certificate used by the service provider to digitally sign SAML protocol messages sent to Identity Authentication. | Certificates of the UAA URL |

Dex Configuration:

After switching to DEX, that is, replacing UAA with DEX to integrate with the IDP service, I set dex with the following parameters:

    issuer: https://dex.<my domain>
    storage:
      type: etcd
      config:
        # list of etcd endpoints we should connect to
        endpoints:
          - https://<etcd addr>:2379
        namespace: dex
        ssl:
          caFile: /etc/etcd/etcd-ca
          keyFile: /etc/etcd/etcd-key
          certFile: /etc/etcd/etcd-cert
    web:
      http: 0.0.0.0:5556
      #tlsCert: /etc/dex/tls/tls.crt
      #tlsKey: /etc/dex/tls/tls.key
    connectors:
    - type: saml
      # Required field for connector id.
      id: saml
      # Required field for connector name.
      name: SAML
      config:        
        ssoURL: https://csc-devops-test.<IDP domain>/saml2/idp/sso/csc-devops-test.<IDP domain>
        ca: /tmp/idp-ca.pem
        redirectURI: https://dex.<my domain>/callback
        entityIssuer: https://dex.<my domain>/callback
        ssoIssuer: https://csc-devops-test.<IDP domain>/saml2/idp/sso/csc-devops-test.<IDP domain>
        usernameAttr: name
        emailAttr: mail
        groupsAttr: Groups # optional        
        groupsDelim: ","        
    nameIDPolicyFormat: persistent
    #oauth2:
      #skipApprovalScreen: true
    logger:
      level: debug
      format: text 
    staticClients:
    - id: kubernetes
      redirectURIs:
      - 'http://127.0.0.1:5555/callback'
      name: 'kubernetes'
    enablePasswordDB: true

On the IDP side, the name is set to saml, the three URLs are set to https://dex.<my domain>/callback, and the dex certificates are imported.

Problem

When I use example-app to get the token, it redirects to the URL https://csc-devops-test.<IDP domain>/saml2/idp/sso/csc-devops-test.<IDP domain>, but neither does a login screen appear nor does it redirect to https://dex.<my domain>/callback; it just gives me an error image.

Can anyone help me to configure it?

The main problem is: when logging in with example-app via http://ip:5555/login, it redirects to https://dex.<my domain>/auth?client_id=kubernetes&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=audience%3Aserver%3Aclient_id%3Akubernetes+openid+profile+email+offline_access&state=I+wish+to+wash+my+irish+wristwatch, and then, when I choose Login with SAML, it redirects to https://dex.<my domain>/auth/saml?req=va46pbjbpmyt7e22v2wb4j7gz and then to https://csc-devops-test.<IDP domain>/saml2/idp/sso/csc-devops-test.<IDP domain>. But for a usable redirect, it should be https://csc-devops-test.<IDP domain>/saml2/idp/sso/csc-devops-test.<IDP domain>?SAMLRequest=va46pbjbpmyt7e22v2wb4j7gz, i.e. append ?SAMLRequest=va46pbjbpmyt7e22v2wb4j7gz to the ssoURL, but actually it does not.

Usable example of a UAA request:

https://csc-devops-test.<IDP domain>/saml2/idp/sso/csc-devops-test.<IDP domain>?SAMLRequest=jZJRT9swFIX%2FiuX3JE6adJnVFHWrEJVgRCTsYW%2B3tmktJXbwdarx73HTwpgYaK%2F2Oee7uucuLn73HTkoh9qaiqYxo0QZYaU2u4ret5dRSS%2BWC4S%2Bywa%2BGv3e3KnHUaEnwWiQn34qOjrDLaBGbqBXyL3gzermmmcx44Oz3grbUbJCVM4H1HdrcOyVa5Q7aKHu764ruvd%2BQJ4kAkWkeoxGlKq3EfoshgBWxmsBR3OMMMR7MBBbEyRgZCxsnxxHSZrmNoFOA%2F4rRgSPe6JkHebXZsp6jz3ihLCj8Zgz9h6RJVoOCaL9Hwcll9YJNS2uog%2FQoaJks64oFLn8Akrst6xkooBcyrwod8V2N58XX8sgwhoQ9UH9sSGOamPQg%2FEVzVhaRiyN0lnLMp6nnBXxbD77RUl9Xvc3bU41ftbN9iRCftW2dVTfNi0lP1%2FOIQjouXw%2B0d3b1j8Phpeq6fLDJhbJ2%2BzXM%2FsRwjbr2nZaPB3314P%2FmJXG6fSiZfQwSXlYvu5WUjqFSJPlGfL39S6fAQ%3D%3D&RelayState=cloudfoundry-uaa-sp&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=ZJSC2ngUWtpyIssJaemDxlD5JAnqhSBIDfb8yhaBsVMibr%2Fw4wWBswUqpwpIKzHtxAdhvPbBPbrH6gF%2BkUr6PdZ9s1KXy7ZYFnh0He6%2FqHB1hO24kFzl7%2BoW5AYdoI4J6vW2%2BMK9ELlF2B1qQZsL2cXyb8ZdDc1aVcSwgs9AiAb0p5gBE7pDiuETDI8GI65u9Ck2NljlLp%2BXhl9rjcq8UKKO7AJbc1RXKOwQiPYqSQLLrioooTLaxRJSlFTQNknx1jUXOXu7ZMF8I%2FFcj06vFMpnPNfhKsA07G0yCCyPCrnT0U4hxktcYMTFcINPs7gV4VKpjqRPc8%2F%2BOB5VyXwWrQ%3D%3D


ericchiang commented 6 years ago

Any error messages or other hints from UAA about why it can't process dex's request? It's hard to know how to help otherwise.

jenningsloy318 commented 6 years ago

I don't use UAA; I replaced UAA with DEX to integrate with the IDP service. There are no logs showing what is wrong on the DEX side.

srenatus commented 6 years ago

@jenningsloy318 Can you configure your IdP to expect an AuthnRequest via the HTTP Post Binding? Your expectation,

> but for a usable redirect, it should be https://csc-devops-test.<IDP domain>/saml2/idp/sso/csc-devops-test.<IDP domain>?SAMLRequest=va46pbjbpmyt7e22v2wb4j7gz, append ?SAMLRequest=va46pbjbpmyt7e22v2wb4j7gz to the ssoURL, but actually not.

describes the HTTP Redirect Binding, which dex doesn't support (see the docs, and this comment).

More details on bindings can be found here, sections 3.4.5 and 3.5.5.
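Since the disagreement in this thread is about what the two bindings actually put on the wire, here is an added Go example (written for this page, not Dex's own code) that builds a SAML HTTP-Redirect binding URL and decodes it back on the receiving side; the AuthnRequest XML, host names and RelayState value are constructed for illustration. It also shows why a SAMLRequest parameter has to be merged into an ssoURL that already carries a query string (such as the `?sp=...` form used with SAP IAS) rather than appended with a second `?`.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"io"
	"net/url"
)

// Constructed minimal AuthnRequest used as sample input (not a real Dex message).
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z" AssertionConsumerServiceURL="https://dex.example/callback"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://dex.example/callback</saml:Issuer></samlp:AuthnRequest>`

// RedirectBindingURL builds the HTTP-Redirect binding URL (SAML Bindings 3.4.4): the
// XML is DEFLATE-compressed (raw, no zlib header), base64-encoded and placed in the
// SAMLRequest query parameter. Using url.Values keeps a query string the SSO URL
// already has (e.g. ?sp=... on SAP IAS) instead of appending a second "?".
func RedirectBindingURL(ssoURL, authnRequest, relayState string) (string, error) {
	u, err := url.Parse(ssoURL)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // errors only on a bad level
	w.Write([]byte(authnRequest))                            // writes into a bytes.Buffer cannot fail
	w.Close()
	q := u.Query()
	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(buf.Bytes()))
	q.Set("RelayState", relayState)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// DecodeRedirectBindingRequest is the receiving side's inverse: take SAMLRequest from
// the query string, base64-decode and inflate it back to XML. The HTTP-POST binding
// differs exactly here: its SAMLRequest form field is plain base64 with no DEFLATE,
// so an IdP that only speaks POST cannot read a Redirect-binding URL (and vice versa).
// A URL without SAMLRequest yields an io.ErrUnexpectedEOF from the inflater.
func DecodeRedirectBindingRequest(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	compressed, err := base64.StdEncoding.DecodeString(u.Query().Get("SAMLRequest"))
	if err != nil {
		return "", err
	}
	xml, err := io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
	return string(xml), err
}
```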

jenningsloy318 commented 6 years ago

@srenatus

Thanks, but I find it is difficult to configure on the IDP side.

srenatus commented 6 years ago

@jenningsloy318 I'm afraid the only other option would be to implement the HTTP Redirect Binding in Dex. Not like I know much about any, but what IdP is it? Maybe some passer-by has insights to share...?

jenningsloy318 commented 6 years ago

@srenatus

It is an IDP provided by SAP, we bought their IDP service alongside with Cloud Foundry service.

srenatus commented 6 years ago

@jenningsloy318 I see. Also, I have no idea how to help with that. I'd ask their support for help with switching the SAML binding type. (Unless you'd want to implement the Redirect Binding in Dex 😉 )

jenningsloy318 commented 6 years ago

@srenatus I am a sysadm with poor programming skills, so ... 😉

srenatus commented 6 years ago

@jenningsloy318 I've taken a stab at it, thinking that it couldn't be too hard to add that Binding. @ericchiang What do you think, could we get this in? 😃 It'll help our users, for sure, by removing this arbitrary restriction when it comes to supporting SAML2.

jenningsloy318 commented 6 years ago

@srenatus Thanks for your info, hope we can get it resolved soon.

ghost commented 6 years ago

Hey @jenningsloy318

I see you're using the on-demand solution of SAP Cloud Identity. I had the same error, which in fact tells nothing...

In my case this error occurred when:

My working dex configuration with SCP IAS:

    config:
      # Issuer for SAML Request
      entityIssuer: dex.{{ .Values.global.domainName }}
      # I have multiple SPs registered so I have to specify which one to use in SCP IAS
      ssoURL: https://{{ .Values.idp.tenant }}.{{ .Values.idp.domain}}/saml2/idp/sso?sp=dex.{{ .Values.global.domainName }}
      ca: {{ .Values.idp.ca }}
      redirectURI: https://dex.{{ .Values.global.domainName }}/callback
      usernameAttr: first_name
      emailAttr: mail
      groupsAttr: groups

I did not have to change bindings. I'm using helm, so replace {{ }} with your data.

jenningsloy318 commented 6 years ago

@DebugIT Thanks for the info. I will test it after the vacation.

jenningsloy318 commented 6 years ago

@DebugIT I tried your recommendations, but still no luck. Can you advise whether I should make some changes on the IAS side?