Closed tekstrand closed 3 years ago
@dsmrt heads up it seems this is still an issue in 2.7.3
This one looks slightly different since the domain is present in your error.
Is this error showing from an IdP-initiated login? Like, are you trying to log in starting from the IdP? Or is the login initiated from Craft?
If it is the same error as the other issue (and you may want to try this first), you can try:
flipboxfactory/saml-core is at version 3.4.1
This error is shown from both IdP and Craft initiated logins.
We've attempted resaving the provider and verified that saml-core is at 3.4.1
Ok. Bear with me. I’m traveling and responding on the road. 🤪
3 fixes possible here …
1. I believe the best way to fix this is to share your metadata (“My Provider”/the SP provider XML) with the IdP again. The Assertion Consumer Service location is the key piece. They probably have the URL without the uid and that is where the mismatch is.
2. If that is too hard to update, you can update the XML in the DB manually and remove the uid to match what the IdP has.
3. I can add some sort of config to adjust how this is handled. Like adding extra/other valid destinations.
Thanks for responding on the road! 1 worked for us. I noticed before saving the provider the site URL was still in its env var format in the XML. Resaved, updated IdP and we're all good. Appreciate the prompt help.
Upgraded CMS (3.7.18.2) and saml-sp (2.7.3) and are seeing errors during login.
Errors during validation:
Destination in response "https://{domain}/sso/login" does not match the expected destination "https://{domain}/sso/login/{uid}"
Recipient in SubjectConfirmationData ("https://{domain}/sso/login") does not match the current destination ("https://{domain}/sso/login/{uid}")
in /opt/app/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php:113
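The mismatch discussed in this thread can be checked offline by comparing the AssertionConsumerService Location in the SP metadata with the Destination and Recipient the IdP puts in a Response. The following Python sketch is an added example, not code from the thread or from saml-sp; the host name, uid and XML documents are constructed, and it compares URLs only, without validating signatures.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def acs_locations(sp_metadata_xml):
    """AssertionConsumerService Location values advertised in SP metadata."""
    root = ET.fromstring(sp_metadata_xml)
    return [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)]

def response_targets(response_xml):
    """(Destination, [Recipient, ...]) as the IdP wrote them into a Response."""
    root = ET.fromstring(response_xml)
    data = root.iterfind(".//saml:SubjectConfirmationData", NS)
    return root.get("Destination"), [e.get("Recipient") for e in data]

def find_mismatches(sp_metadata_xml, response_xml):
    """Return a list of problems; an empty list means the URLs agree."""
    locations = acs_locations(sp_metadata_xml)
    # A Location that is not an absolute http(s) URL suggests an unresolved
    # variable was saved into the metadata.
    problems = [f"ACS Location is not an absolute URL: {loc!r}"
                for loc in locations if urlparse(loc or "").scheme not in ("http", "https")]
    destination, recipients = response_targets(response_xml)
    # Exact string comparison: a missing path segment counts as a mismatch.
    if destination not in locations:
        problems.append(f"Destination {destination!r} is not an ACS Location")
    problems += [f"Recipient {r!r} is not an ACS Location"
                 for r in recipients if r not in locations]
    return problems

# Constructed sample documents (unsigned, trimmed to the attributes compared).
ACS = "https://sp.example.test/sso/login/00000000-0000-0000-0000-000000000000"
def sample_metadata(location):
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://sp.example.test/">'
            f'<md:SPSSODescriptor><md:AssertionConsumerService index="0" '
            f'Location="{location}"/></md:SPSSODescriptor></md:EntityDescriptor>')

def sample_response(url):
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Destination="{url}"><saml:Assertion><saml:Subject><saml:SubjectConfirmation>'
            f'<saml:SubjectConfirmationData Recipient="{url}"/></saml:SubjectConfirmation>'
            f'</saml:Subject></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    for problem in find_mismatches(sample_metadata(ACS), sample_response(ACS.rsplit("/", 1)[0])):
        print(problem)
```

Run against the metadata exported from the SP and a Response captured from the IdP, an empty result means the IdP holds the current ACS URL.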