flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

Destination in response does not match the expected destination #139

Closed ampmtm closed 3 years ago

ampmtm commented 3 years ago

Hi @dsmrt!

Getting the following error after updating to version 2.7:

Errors during validation: Destination in response "https://www.example.com/sso/login/[sp-uid]" does not match the expected destination "/sso/login/[sp-uid]"Recipient in SubjectConfirmationData ("https://www.example.com/sso/login/[sp-uid]") does not match the current destination ("/sso/login/[sp-uid]")

I see that SubjectConfirmationData was in part of the update.

Any ideas?

dsmrt commented 3 years ago

Not sure if anything has changed there recently.

It might have something to do with the somewhat recent change with supporting multi-site. I wonder if you go to the provider (My Provider), then save, will it fix it?

ampmtm commented 3 years ago

No luck there. We tried starting over from scratch without success as well.

dsmrt commented 3 years ago

Does the site that is assigned to "My Provider" have an empty or null baseUrl? Can you check that?

Look at this in flipboxfactory/saml-core: https://github.com/flipboxfactory/saml-core/blob/3431a7db283c1a5f738b9eb8e02a0a4582bb8053/src/services/Metadata.php#L239-L245

Or more importantly, look here: https://github.com/flipboxfactory/saml-core/blob/3431a7db283c1a5f738b9eb8e02a0a4582bb8053/src/helpers/UrlHelper.php#L87

One last thing ... Look in the metadata at the assertion consumer service. I assume it's a uri ("/sso/login/[sp-uid]") and not the full url like below.

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.localhost:8081/sso/login/cb1df1bf-1f72-4812-8ae4-d7b88e720c6a" index="1"/>

ampmtm commented 3 years ago

The site field is populated with our default site, not seeing anything out of the ordinary there.

The ACS Bindings are just relative URLs as you mentioned: /sso/login/[sp-uid]

dsmrt commented 3 years ago

Under the site settings, does it have a base URL and does it resolve? Or is it null/empty? Take a look at my screenshot and notice it has a base URL and it is set to an environmental variable.

[Screenshot attached: Screen Shot 2021-10-05 at 2 30 24 PM]

If you just want to fix it ... you can edit the correct metadata xml in the saml_sp_providers table. You'll edit the AssertionConsumerService node to be the full correct URL, like so:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.localhost:8081/sso/login/cb1df1bf-1f72-4812-8ae4-d7b88e720c6a" index="1"/>

dsmrt commented 3 years ago

This is a bug. When "This site has its own base URL" isn't checked, the AssertionConsumerService isn't fully populated correctly. I think we can handle this easily by falling back to the UrlHelper::baseUrl() method when this site setting isn't configured. Just need to add an extra check.

Thank you @ampmtm for your help with this!
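To make the failure mode concrete, here is an added example (not code from the saml-sp or saml-core projects) that resolves a relative AssertionConsumerService Location against a site base URL with a fallback, then runs the two exact-match checks whose wording appears in the error above. The metadata and Response documents, the host and the SP uid are constructed placeholders.

```python
# Added example, not plugin code: resolve a relative ACS Location and apply the
# Destination / Recipient comparisons that produced the error in this issue.
from urllib.parse import urljoin, urlsplit
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def resolve_acs_location(sp_metadata_xml, site_base_url, fallback_base_url):
    """Return the absolute ACS URL. An absolute Location is kept as-is; a relative
    one is joined to the site's base URL, or to the fallback base URL when the
    site has no base URL of its own (the gap described in this issue)."""
    acs = ET.fromstring(sp_metadata_xml).find(".//md:AssertionConsumerService", NS)
    location = acs.get("Location", "")
    if urlsplit(location).scheme:          # already a full URL
        return location
    base = site_base_url or fallback_base_url
    if not base:
        raise ValueError("no base URL available to resolve relative ACS Location")
    return urljoin(base.rstrip("/") + "/", location.lstrip("/"))


def validate_response(response_xml, expected_acs_url):
    """Return the list of URL-check errors (empty when the response is acceptable).
    Both Response@Destination and SubjectConfirmationData@Recipient must equal
    the expected ACS URL exactly, so a relative expected value always fails."""
    root = ET.fromstring(response_xml)
    errors = []
    dest = root.get("Destination")
    if dest != expected_acs_url:
        errors.append(f'Destination in response "{dest}" does not match '
                      f'the expected destination "{expected_acs_url}"')
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_acs_url:
        errors.append(f'Recipient in SubjectConfirmationData ("{recipient}") does not '
                      f'match the current destination ("{expected_acs_url}")')
    return errors


# Constructed sample inputs: placeholder host and SP uid, not real deployment values.
SP_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="sp">'
               '<md:SPSSODescriptor><md:AssertionConsumerService '
               'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
               'Location="/sso/login/sp-uid-placeholder" index="1"/>'
               '</md:SPSSODescriptor></md:EntityDescriptor>')
RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'Destination="https://www.example.com/sso/login/sp-uid-placeholder">'
            '<saml:Assertion><saml:Subject><saml:SubjectConfirmation>'
            '<saml:SubjectConfirmationData Recipient="https://www.example.com/sso/login/sp-uid-placeholder"/>'
            '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>')
```

A full validator also verifies the signature, NotOnOrAfter and InResponseTo; this block isolates only the two URL comparisons so the effect of a relative ACS Location is visible.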

ampmtm commented 3 years ago

Thanks as always for your help, @dsmrt!

dsmrt commented 3 years ago

Fixed in 2.7.3