flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

HTTP 400 Unable to verify your data submission #140

Closed nickdunn closed 3 years ago

nickdunn commented 3 years ago

I'm setting up SAML SP against Azure AD, running Craft in an Azure App Service (Docker).

I've done this before for another site and it's working fine, but I'm bashing my head against the table this time.

(Note that my Craft instance is multi-site, one site called paaas, but all sites served as sub-paths on the same domain. Not sure if that makes a difference. I'm just using SAML for the Craft login; editors manage all sites in the instance.)

After authenticating on the Azure side I am redirected back to my loginPath (/paaas/sso/login/f216933b-1c03-47a6-815c-47d1eae99b55) but Craft returns a 400:

yii\web\BadRequestHttpException: Unable to verify your data submission. in /var/www/craft/vendor/yiisoft/yii2/web/Controller.php:218
Stack trace:
#0 /var/www/craft/vendor/craftcms/cms/src/web/Controller.php(138): yii\web\Controller->beforeAction(Object(yii\base\InlineAction))
#1 /var/www/craft/vendor/craftcms/cms/src/controllers/UsersController.php(137): craft\web\Controller->beforeAction(Object(yii\base\InlineAction))
#2 /var/www/craft/vendor/yiisoft/yii2/base/Controller.php(179): craft\controllers\UsersController->beforeAction(Object(yii\base\InlineAction))
#3 /var/www/craft/vendor/craftcms/cms/src/web/Controller.php(190): yii\base\Controller->runAction('login', Array)
#4 /var/www/craft/vendor/yiisoft/yii2/base/Module.php(534): craft\web\Controller->runAction('login', Array)
#5 /var/www/craft/vendor/craftcms/cms/src/web/Application.php(271): yii\base\Module->runAction('users/login', Array)
#6 /var/www/craft/vendor/craftcms/cms/src/web/Application.php(584): craft\web\Application->runAction('users/login', Array)
#7 /var/www/craft/vendor/craftcms/cms/src/web/Application.php(250): craft\web\Application->_processActionRequest(Object(craft\web\Request))
#8 /var/www/craft/vendor/yiisoft/yii2/base/Application.php(392): craft\web\Application->handleRequest(Object(craft\web\Request))
#9 /var/www/craft/web/index.php(22): yii\base\Application->run()
#10 {main}

I can't see any other errors in the logs. This kind of suggests it's a CSRF issue but I don't know why.

nickdunn commented 3 years ago

I've set enableCsrfProtection to false and I now get:

yii\web\BadRequestHttpException: Request missing required body param in /var/www/craft/vendor/craftcms/cms/src/web/Request.php:894
Stack trace:
#0 /var/www/craft/vendor/craftcms/cms/src/controllers/UsersController.php(158): craft\web\Request->getRequiredBodyParam('loginName')
#1 [internal function]: craft\controllers\UsersController->actionLogin()
#2 /var/www/craft/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#3 /var/www/craft/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#4 /var/www/craft/vendor/craftcms/cms/src/web/Controller.php(190): yii\base\Controller->runAction('login', Array)
#5 /var/www/craft/vendor/yiisoft/yii2/base/Module.php(534): craft\web\Controller->runAction('login', Array)
#6 /var/www/craft/vendor/craftcms/cms/src/web/Application.php(271): yii\base\Module->runAction('users/login', Array)
#7 /var/www/craft/vendor/craftcms/cms/src/web/Application.php(584): craft\web\Application->runAction('users/login', Array)
#8 /var/www/craft/vendor/craftcms/cms/src/web/Application.php(250): craft\web\Application->_processActionRequest(Object(craft\web\Request))
#9 /var/www/craft/vendor/yiisoft/yii2/base/Application.php(392): craft\web\Application->handleRequest(Object(craft\web\Request))
#10 /var/www/craft/web/index.php(22): yii\base\Application->run()
#11 {main}

This feels like maybe an Azure-side issue, with it not sending a payload back correctly?

dsmrt commented 3 years ago

:wave: @nickdunn,

I think the prefix /paaas is messing with the intended endpoint. The stack trace shows that it's not getting to the correct saml plugin controller. The plugin doesn't use the craft login controllers so that is a good hint it's not getting to the correct place. Try removing the /paaas and see where that gets you (I think the redirects we get from craft should handle the baseUri accordingly).

nickdunn commented 3 years ago

👋

Should I remove this from loginPath and from the generated ACS and SLO URIs?

dsmrt commented 3 years ago

Yes. If they are in the generated ACS and SLO, I may need to look at that. That might be a bug.

Let me know how that goes.

nickdunn commented 3 years ago

We changed all 3 but when I log in now AD gives me the error:

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'https://knowledge-app-service-dev.azurewebsites.net/'.

So I think this may be a bug with the plugin including the site prefix in the URLs?

nickdunn commented 3 years ago


dsmrt commented 3 years ago

For a quick fix for now, you can edit the metadata XML directly in the database table saml_sp_providers and remove the prefix (wherever it's found), at least until I understand fully what needs to be fixed.

To confirm: I've seen multi-site and localization change over the years, so I want to confirm the configuration. Are you using the following setup: https://craftcms.com/docs/3.x/sites.html#creating-a-site

Basically, are you using template subfolders to segment the sites, with the added paaas as a suffix to the site URL in the site settings?
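The two comments above describe the same failure from both ends: the plugin's generated ACS and SLO Locations carry the site path prefix (/paaas), while the Azure AD app registration only knows the reply URL without it, so the IdP refuses with AADSTS50011 (the IdP compares the ACS URL as an exact string against its registered list; that check is what stops an assertion being posted to an attacker-chosen URL). The script below is an added example written for this thread, not code from the saml-sp plugin or from Azure AD. It parses a constructed SP metadata document (placeholder host sp.example.test and a placeholder UUID), lists the ACS Locations the IdP would reject, and applies the "strip the prefix from the stored metadata" workaround with a parser rather than by hand, so only the Location attributes on ACS/SLO elements change. The exact-match rule and the registered reply URL set are assumptions stated in the code.

```python
"""Check SP metadata endpoints against an IdP's registered reply URLs.

Added example for this issue thread; not code from the saml-sp plugin.
Assumptions: the SP metadata is plain SAML 2.0 metadata XML (the sample
below is constructed, with a placeholder host and UUID), and Azure AD
compares the ACS URL in the AuthnRequest against its registered reply
URLs as exact strings (which is what AADSTS50011 reports).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ET.register_namespace("md", MD)  # keep the md: prefix when serialising

# Constructed sample: what a Craft site whose base URL is
# https://sp.example.test/paaas might generate. Not real metadata.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/paaas/sso/logout/00000000-0000-4000-8000-000000000000"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/paaas/sso/login/00000000-0000-4000-8000-000000000000"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed: the reply URLs an admin registered on the Azure AD app.
REGISTERED_REPLY_URLS = {
    "https://sp.example.test/sso/login/00000000-0000-4000-8000-000000000000",
}

ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService")


def endpoint_locations(metadata_xml: str) -> dict:
    """Return {(tag, binding): location} for every ACS/SLO endpoint."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for tag in ENDPOINT_TAGS:
        for el in root.iterfind(f".//md:{tag}", NS):
            found[(tag, el.get("Binding"))] = el.get("Location")
    return found


def mismatched_acs(metadata_xml: str, registered: set) -> list:
    """ACS locations the IdP would reject (AADSTS50011 in Azure AD).

    Matching is exact: scheme, host, path and trailing slash all count,
    so a stray site prefix such as /paaas in the path is enough to fail.
    """
    locs = endpoint_locations(metadata_xml)
    return sorted(loc for (tag, _), loc in locs.items()
                  if tag == "AssertionConsumerService" and loc not in registered)


def strip_path_prefix(metadata_xml: str, prefix: str) -> str:
    """Rewrite ACS/SLO Locations to drop a leading site path prefix.

    This is the manual 'edit the stored metadata' workaround from the
    thread; only Location attributes on the endpoint elements change,
    the entityID and everything else are left as they were.
    """
    prefix = "/" + prefix.strip("/")
    root = ET.fromstring(metadata_xml)
    for tag in ENDPOINT_TAGS:
        for el in root.iterfind(f".//md:{tag}", NS):
            parts = urlsplit(el.get("Location"))
            if parts.path == prefix or parts.path.startswith(prefix + "/"):
                new_path = parts.path[len(prefix):] or "/"
                el.set("Location", urlunsplit(parts._replace(path=new_path)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for loc in mismatched_acs(SAMPLE_METADATA, REGISTERED_REPLY_URLS):
        print("ACS not registered at IdP:", loc)
    fixed = strip_path_prefix(SAMPLE_METADATA, "paaas")
    print("after stripping prefix:", mismatched_acs(fixed, REGISTERED_REPLY_URLS))
```

Run it against the metadata the plugin actually stores (or serves) and the reply URL list from the Azure AD app registration to see which side needs changing. Rewriting the stored XML only papers over the mismatch; whatever you end up with, the ACS URL in the metadata, the URL Craft actually routes the SAML Response to, and the reply URL registered at the IdP must be the same string, otherwise the IdP's reply URL check (which exists to keep assertions from being delivered to the wrong endpoint) will keep rejecting the login.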

nickdunn commented 3 years ago

Yep that's my setup. I have two sites, each with their own base URLs, neither of which are the root. Maybe this is where it's going wrong.

So I've now created a third site as the default that has the domain root as its base URL (and an index.twig there that redirects to my /paaas URL which is my default for frontend users). Hopefully I can then choose this pseudo-site when configuring SAML-SP and it won't then add any handle/slug into the URLs. Will report back.


nickdunn commented 3 years ago

@dsmrt I'm just setting this up again on a new domain (a new dev environment for the same project) and after upgrading Craft and SAML-SP to latest I noticed the IdP login path now contains /request/. Should it?

Login path: /sso/login/request/2fb73547-d830-4c64-a6f6-e9a4715cba6b Logout Path: /sso/logout/request/2fb73547-d830-4c64-a6f6-e9a4715cba6b

If I just hit this URL myself (/sso/login/request/2fb73547-d830-4c64-a6f6-e9a4715cba6b) I get a 400 from LoginController, whereas if I remove the /request/ part (/sso/login/2fb73547-d830-4c64-a6f6-e9a4715cba6b) and hit directly I at least get an exception from saml2/HTTPRedirect.php, which is more what I'd expect.

Is that a bug?

dsmrt commented 3 years ago

The endpoint with request in it kicks off SSO, so yes, that should be there. The one without request receives the Response and logs the user in.

What error do you see here?

400 from LoginController

nickdunn commented 3 years ago

yii\web\HttpException: Service Provider is not found. Possibly a configuration problem. My Provider/Current EntityId: https://knowledge-app-service-dev.azurewebsites.net/ in /var/www/craft/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php:216
Stack trace:
#0 /var/www/craft/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php(262): flipbox\saml\sp\controllers\LoginController->throwSpNotFound()
#1 [internal function]: flipbox\saml\sp\controllers\LoginController->actionRequest('2fb73547-d830-4...', NULL)
#2 /var/www/craft/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#3 /var/www/craft/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#4 /var/www/craft/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction('request', Array)
#5 /var/www/craft/vendor/craftcms/cms/src/web/Application.php(277): yii\base\Module->runAction('saml-sp/login/r...', Array)
#6 /var/www/craft/vendor/yiisoft/yii2/web/Application.php(104): craft\web\Application->runAction('saml-sp/login/r...', Array)
#7 /var/www/craft/vendor/craftcms/cms/src/web/Application.php(262): yii\web\Application->handleRequest(Object(craft\web\Request))
#8 /var/www/craft/vendor/yiisoft/yii2/base/Application.php(392): craft\web\Application->handleRequest(Object(craft\web\Request))
#9 /var/www/craft/web/index.php(22): yii\base\Application->run()
#10 {main}

nickdunn commented 3 years ago

Sorry, I think I'm chasing a red herring here! Safe to ignore.

Going back to the original issue and will report back.

nickdunn commented 3 years ago

All good once I added this extra site into my setup. So I'm guessing a bug with this plugin whereby it's adding the site handle or base URL incorrectly... but at least I have a workaround for now. Thanks for the support!

nickdunn commented 3 years ago

RTFM — you've basically already described this here https://saml-sp.flipboxfactory.com/examples/multi-site-with-cp-login.html#solution

dsmrt commented 3 years ago

Just to clarify, you have everything working as it should now? With that new site you created?

I guess I forgot about those docs I wrote 😅

nickdunn commented 3 years ago

Yep all good now, thank you.

dsmrt commented 3 years ago

Great! I think this issue will help others, and I appreciate your patience! I'll close this for now. Thanks