Closed codename-niels closed 2 years ago
Can you tail the error logs while running this action to see what the error is?
On Mac/linux you can run something like this:
tail -f storage/logs/web.log | grep -A 10 '\[error\]'
Error from logs:
2021-11-30 09:44:14 [10.244.0.13][-][vppmibuovu2664om46m6udod27][error][Exception] Exception: Missing SAMLRequest or SAMLResponse parameter. in /var/www/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:112
Stack trace:
#0 /var/www/vendor/flipboxfactory/saml-core/src/services/bindings/Factory.php(40): SAML2\HTTPRedirect->receive()
#1 /var/www/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php(77): flipbox\saml\core\services\bindings\Factory::receive()
#2 [internal function]: flipbox\saml\sp\controllers\LoginController->actionIndex()
#3 /var/www/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array()
#4 /var/www/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams()
#5 /var/www/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction()
#6 /var/www/vendor/craftcms/cms/src/web/Application.php(287): yii\base\Module->runAction()
#7 /var/www/vendor/yiisoft/yii2/web/Application.php(104): craft\web\Application->runAction()
#8 /var/www/vendor/craftcms/cms/src/web/Application.php(272): yii\web\Application->handleRequest()
#9 /var/www/vendor/yiisoft/yii2/base/Application.php(392): craft\web\Application->handleRequest()
#10 /var/www/public/index.php(21): yii\base\Application->run()
#11 {main}
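As an added example (not from this thread or the saml-sp plugin), a small POSIX shell helper that parses the Yii web.log format quoted above into level/category/message and flags the "Missing SAMLRequest or SAMLResponse" error together with the binding class that raised it. The sample log lines are constructed; an error raised in HTTPRedirect.php means the SP looked for the message in the query string, i.e. the request did not reach the app as a SAML HTTP-POST.

```shell
#!/bin/sh
# Constructed sample in the Yii web.log format shown in this thread (not a real log).
SAMPLE_LOG='2021-11-30 09:44:10 [10.244.0.13][-][sess1][info][application] $_GET = []
2021-11-30 09:44:14 [10.244.0.13][-][vppmibuovu2664om46m6udod27][error][Exception] Exception: Missing SAMLRequest or SAMLResponse parameter. in /var/www/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:112
Stack trace:
#0 /var/www/vendor/flipboxfactory/saml-core/src/services/bindings/Factory.php(40): SAML2\HTTPRedirect->receive()
#1 {main}
2021-11-30 09:45:01 [10.244.0.13][-][sess3][warning][yii\web\HttpException:404] Not Found'

# Emit "level|category|message" for each entry line read from stdin.
# Continuation lines ("Stack trace:", "#0 ...") carry no timestamp and are dropped.
saml_log_entries() {
  sed -nE 's/^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9:]{8} \[[^]]*]\[[^]]*]\[[^]]*]\[([^]]*)]\[([^]]*)] (.*)$/\1|\2|\3/p'
}

# Count entries at a given log level (default: error), reading the log from stdin.
count_level() {
  lvl=${1:-error}
  saml_log_entries | awk -F'|' -v lvl="$lvl" '$1 == lvl { n++ } END { print n + 0 }'
}

# For each "Missing SAMLRequest or SAMLResponse" error, print the SAML2 binding
# class that raised it (HTTPRedirect = query string was inspected, so no POST
# body with a SAMLResponse arrived; HTTPPost = the POST body itself was empty).
missing_saml_param_binding() {
  saml_log_entries | awk -F'|' '
    $1 == "error" && index($3, "Missing SAMLRequest or SAMLResponse") {
      if (match($3, /SAML2\/(HTTP[A-Za-z]+)\.php/))
        print substr($3, RSTART + 6, RLENGTH - 10)
    }'
}

# Stand-alone run over the constructed sample; in practice pipe in storage/logs/web.log.
printf '%s\n' "$SAMPLE_LOG" | saml_log_entries
printf '%s\n' "$SAMPLE_LOG" | missing_saml_param_binding
```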
I just tested this and I see no issue on my side. It looks like you have a configuration issue with your setup, since Okta isn't sending the SAMLResponse, which is absolutely necessary.
Here are the first three steps of my Okta setup:
step 1)
step 2)
step 3)
The important part here is the sign on url.
Does step three look much different?
Do you have some proxying going on that could be removing POST data?
Thank you for a fast reply.
Our setup is exactly as on images.
Do you have some proxying going on that could be removing POST data?
Actually yes, we have Varnish as a proxy that might be in the way. We will double check what is going on there, as we already have rules in place that should whitelist, or better to say pass through, POST requests for SAML.
Also, an odd thing is that if we go directly to a URL like ourwebsite.com/admin we are prompted with a "login via SAML" button, or if we are logged in we are properly redirected to the admin panel - this is how we have been using it for some time now. So it's only affected when you click on the Craft app icon in the Okta app list.
Yes. I do find that kind of odd. Login that is initiated from the SP (Craft) works similarly to IdP (Okta) initiated.
The tracer you posted didn't show too much useful information, but you should see a POST or GET variable named SAMLResponse that has a base64 string.
Let me know if you are still seeing issues here. Closing for now.
When pressing the button to navigate to your app via the OKTA dashboard, it returns an internal server error. The regular flow when pressing the Via OKTA button when logging in works just fine. Except the users of my app navigate from the OKTA EMEA dashboard to the Craft control panel.
I hope this will be enough info. If not, please feel free to ask for more.
How to reproduce
The error
SAML tracer logs