flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

Issue with KeyPair #180

Closed JJefferyDev closed 1 year ago

JJefferyDev commented 2 years ago

We have several issues and questions related to our attempt to setup a SAML single sign on between our Craft 3 website and Azure AD:

```
Exception: Signature required but not found: Response in D:\inetpub\wwwroot\stores-dev\vendor\flipboxfactory\saml-sp\src\validators\SignedElement.php:51
Stack trace:
#0 D:\inetpub\wwwroot\stores-dev\vendor\flipboxfactory\saml-sp\src\validators\Response.php(86): flipbox\saml\sp\validators\SignedElement->validate()
#1 D:\inetpub\wwwroot\stores-dev\vendor\flipboxfactory\saml-sp\src\controllers\LoginController.php(113): flipbox\saml\sp\validators\Response->validate()
#2 [internal function]: flipbox\saml\sp\controllers\LoginController->actionIndex()
#3 D:\inetpub\wwwroot\stores-dev\vendor\yiisoft\yii2\base\InlineAction.php(57): call_user_func_array()
#4 D:\inetpub\wwwroot\stores-dev\vendor\yiisoft\yii2\base\Controller.php(178): yii\base\InlineAction->runWithParams()
#5 D:\inetpub\wwwroot\stores-dev\vendor\yiisoft\yii2\base\Module.php(552): yii\base\Controller->runAction()
#6 D:\inetpub\wwwroot\stores-dev\vendor\craftcms\cms\src\web\Application.php(293): yii\base\Module->runAction()
#7 D:\inetpub\wwwroot\stores-dev\vendor\yiisoft\yii2\web\Application.php(103): craft\web\Application->runAction()
#8 D:\inetpub\wwwroot\stores-dev\vendor\craftcms\cms\src\web\Application.php(278): yii\web\Application->handleRequest()
#9 D:\inetpub\wwwroot\stores-dev\vendor\yiisoft\yii2\base\Application.php(384): craft\web\Application->handleRequest()
#10 D:\inetpub\wwwroot\stores-dev\web\index.php(21): yii\base\Application->run()
#11 {main}
```

I've sent an email with more sensitive screenshots to your hello@flipboxdigital.com.

dsmrt commented 2 years ago

@JJefferyDev 👋

I'm a little confused if this is one issue or a handful of issues so I broke things up like you did below.

1)

can't create a key pair with the create key pair button

What issues did you have here? Was there an error? You can use the wildcard cert, but it might be more secure to use a self-signed cert. That key is stored in the DB and that’s not something you want leaked somehow.

See docs here: https://saml-sp.flipboxfactory.com/configure/keychain.html

2)

how come there is no response from the application after a successful login on the Azure AD side?

Not sure I understand what is happening here ... like, what behavior you are seeing. When you login successfully from Azure AD you should be redirected back to the Craft site. Can you explain the process here more if you think there's an issue?

3)

qualified MFA, accessing the enterprise application, but no response back from the server (our website)

MFA will happen on the IdP side/Azure AD and shouldn't have any effect on the Craft plugin. If they fail MFA on Azure AD, they won't be redirected with authorization to log into Craft.

4) If this issue is all circulating around this error "Exception: Signature required but not found: Response", follow the instructions on the FAQ. There is a signature on the Assertion and that will be validated. That should satisfy security concerns.

JJefferyDev commented 2 years ago

I've sent much more detailed information to your hello@flipboxfactory.com email with screenshots. My replies below:

1) When I click the "create keypair" button, all I get is an "unknown server error" message in Craft and I can't find the error in the logs. We use a wildcard cert for all of our websites that are run off of Windows IIS.

2) When I log in through Azure I am redirected back to the Craft site, but I immediately get the error page I emailed you. I have posted it again here.

3) It successfully redirects back to Craft.

4) We aren't sure if this issue is specifically for this error, because of our attempt to work around the keypair issue we had earlier. Please let me know if this is a cert issue or something else.

(screenshot: stack-trace-error)

dsmrt commented 2 years ago

Can you send the email to damien at flipbox digital ?

JJefferyDev commented 2 years ago

@dsmrt I've forwarded you the emails I sent to the other emails. Mine is jessica dot jeffery at bcogc dot ca if you can't find them. Thanks for your help :)

dsmrt commented 2 years ago

It seems like the key generation error is due to it running on a Windows server that may not support OpenSSL. This is just a guess. If you can create a key pair based on my instructions posted in my previous comment, that should work.

The error is due to the default behavior enforcing the strictest security possible. Follow the faq you posted to fix it. Here is the link: https://saml-sp.flipboxfactory.com/faqs.html#signature-required-but-not-found

Once you add the config, you’ll be one step closer!

JJefferyDev commented 2 years ago

@dsmrt Good news, creating the new keypair and setting up the saml-sp config file to ignore the response seemed to have worked, but now I get a 403 error. I assume this 403 error is because there is no corresponding user already on my website that matches the one in my Azure AD. Is there a way through your plugin to download users so I don't have to do that part manually? Please see stack trace screenshot below:

(screenshot: stack-trace-error-403)

JJefferyDev commented 2 years ago

@dsmrt Another update: I've been able to successfully login after properly setting up the mapping with a current user on my website and a user in Azure AD, so that's great. My concerns now are:

  1. Does your plugin pull users from Azure AD or just check against it?
  2. I still have the saml-sp.php config set up to 'requireResponseToBeSigned' => false, and I would like to make this true. How do I go about getting that working?

Thanks a million!!!!

dsmrt commented 2 years ago

  1. The SAML protocol sends the user data over at the time of login in the Response's Assertions. The plugin will create Craft users by default. Note that Azure AD by default will send the user over with a UUID as the username (in the NameID), so if you need this to work differently, search our docs on NameID.

  2. If you want the Response to be signed in Azure AD (as well as the Assertions), see the docs here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-signing-options That is something you set on the Azure AD side.
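The signature policy discussed in this thread (the "Signature required but not found: Response" error, the `requireResponseToBeSigned` option, and the fact that the Assertion signature is always validated), shown as an added stand-alone check. This is example code, not the saml-sp plugin's own validator; the function name, the sample SAML XML and its placeholder signature values are constructed for illustration, and the check only detects whether a signature element is present, not whether it verifies.

```php
<?php
// Added example, not the saml-sp plugin's own code: a presence check for the
// signatures the validator looks for, driven by a flag that mirrors the
// saml-sp.php option 'requireResponseToBeSigned'. It only detects whether a
// ds:Signature exists; verifying it against the IdP certificate is a separate,
// mandatory step in any real SP.
const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion';
const NS_DS    = 'http://www.w3.org/2000/09/xmldsig#';

// Returns the names of required elements whose signature is absent.
function missingSignatures(string $xml, bool $requireResponseToBeSigned): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources for untrusted SAML input.
    if (!$doc->loadXML($xml, LIBXML_NONET)) { return ['Response (unparseable)']; }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', NS_SAMLP);
    $xp->registerNamespace('saml', NS_SAML);
    $xp->registerNamespace('ds', NS_DS);

    $missing = [];
    if ($requireResponseToBeSigned
        && $xp->query('/samlp:Response/ds:Signature')->length === 0) {
        $missing[] = 'Response';
    }
    // The Assertion signature is always required; it is what authenticates the
    // user data even when the Response envelope is left unsigned.
    if ($xp->query('/samlp:Response/saml:Assertion/ds:Signature')->length === 0) {
        $missing[] = 'Assertion';
    }
    return $missing;
}

// Constructed sample: Assertion signed, Response envelope unsigned, which is
// the shape Azure AD sends by default and what produced the error above.
$sample = <<<XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>
XML;

foreach ([true, false] as $strict) {
    $missing = missingSignatures($sample, $strict);
    printf("requireResponseToBeSigned=%s -> %s\n", var_export($strict, true),
        $missing ? 'missing: ' . implode(', ', $missing) : 'ok');
}
```

With the strict flag the sample is rejected for the missing Response signature, exactly as the plugin's default did; with the flag relaxed it passes on the Assertion signature alone, which is why the docs' preferred fix is to have Azure AD sign the Response too and keep the flag at true.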

JJefferyDev commented 2 years ago

@dsmrt fantastic, thank you so much!!!!

dsmrt commented 1 year ago

Hi @JJefferyDev, is everything working here? Can we close this out?

JJefferyDev commented 1 year ago

Hi Damien, I can get it to work but I can't get one of the security configs to work. I will troubleshoot with my cybersec team and get back to you. But for now you can close this ticket, thank you.

dsmrt commented 1 year ago

@JJefferyDev OK, let me know if there's something else I can help with.