flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

Validation error with ADFS #32

Closed dmatthams closed 5 years ago

dmatthams commented 5 years ago

Hi, I've set up and tested V.2 with Azure AD successfully with my own account, but now have passed metadata to the client to set up and I'm hitting an error when attempting to login with a test account they provided. I'm guessing there's something not set up correctly, but hard for me to see what exactly;

2019-09-20 10:49:41 [-][-][9oockua3gbko2q56mcuvdaduh4][error][TypeError] TypeError: Argument 1 passed to flipbox\saml\core\validators\Response::__construct() must be an instance of flipbox\saml\core\records\AbstractProvider, null given, called in /var/www/vhosts/xxx/xxx/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php on line 72 and defined in /var/www/vhosts/xxx/xxx/vendor/flipboxfactory/saml-core/src/validators/Response.php:36

dsmrt commented 5 years ago

Ok, I think I understand where things are going wrong here. It looks like your service provider (your Craft site) isn't configured on the new environment. Two things can be happening here:
1) You just need to create one (well, really this either way). Go here: <your-domain>/admin/saml-sp/metadata/my-provider
2) You may have a service provider created but the Entity ID isn't matching, therefore it's not found on the new environment.

When it's configured correctly, you should see (My Provider) next to your label in the listing view. See screenshot:


Try creating the service provider for that new environment and see how it goes from there. FYI, part of the reason I created the labels was to distinguish different environments. So you can label those providers as ADFS Production.

dmatthams commented 5 years ago

Thanks for the quick reply. I have the provider set up in production, so I will explore the Entity ID issue. Would this happen if the client has manually changed the entity ID on their end?

dsmrt commented 5 years ago

If the provider listing (here: /admin/saml-sp/metadata) doesn't show a service provider marked with (My Provider) as shown in the screenshot above, then the entity id isn't matching one of those providers. The entity id is the unique id for the provider and must be consistent with what is being shared. It's a crucial part of the trust relationship within SAML. If the client changed this you probably need to share the metadata/details again with the IdP.

Let me know how all of this goes!

dmatthams commented 5 years ago

So – I added a new identity provider to test, it worked. Then disabled it, and now the client's login is working fine ¯_(ツ)_/¯ Just a gremlin I guess. Thanks for your help!

Also, you have no idea how excited I am about your new identity provider plugin. I have another client that I've been researching some kind of solution to provide SSO across multiple sites and it seems you've just solved it!

dmatthams commented 5 years ago

OK, it turns out that when I disabled (I originally said deleted, I hadn't) the test Identity Provider it was still logging in via this Azure account; however, if I delete it so I only have the client's IdP set up then the problem is still there. It's the same Azure account for the test IdP as the client's IdP, the client has just added me as a user - hence the confusion.

(My Provider) is displaying next to the provider.

dsmrt commented 5 years ago

This sounds like it might be another error but with the IdP missing instead of the SP. As I understand it, you deleted the unused IdP (or the one that shouldn't be used on this environment) and now you are getting a similar error? Can you securely post the exception you are getting now?

dmatthams commented 5 years ago

This is correct, and it's the same error in web.log. However, I have just updated to 2.0.3, and when I now click the login button I get an error from Azure which may help diagnose:

Sorry, but we’re having trouble with signing you in.

AADSTS750059: XML attribute 'AssertionConsumerServiceIndex' in the SAML message must be an integer.

dsmrt commented 5 years ago

@dmatthams, I added #33 for the 'AssertionConsumerServiceIndex' error there.

Are you still seeing the error?

2019-09-20 10:49:41 [-][-][9oockua3gbko2q56mcuvdaduh4][error][TypeError] TypeError: Argument 1 passed to flipbox\saml\core\validators\Response::__construct() must be an instance of flipbox\saml\core\records\AbstractProvider, null given, called in /var/www/vhosts/xxx/xxx/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php on line 72 and defined in /var/www/vhosts/xxx/xxx/vendor/flipboxfactory/saml-core/src/validators/Response.php:36

dmatthams commented 5 years ago

Yes, here is the full error. This is when the app is selected from the application gallery in Azure.

2019-09-20 17:46:57 [-][-][79vlddo2bhb46ivuq16k0vb6s1][error][TypeError] TypeError: Argument 1 passed to flipbox\saml\core\validators\Response::__construct() must be an instance of flipbox\saml\core\records\AbstractProvider, null given, called in /xxx/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php on line 72 and defined in /xxx/vendor/flipboxfactory/saml-core/src/validators/Response.php:36
Stack trace:
#0 /xxx/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php(72): flipbox\saml\core\validators\Response->__construct(NULL, Object(flipbox\saml\sp\records\ProviderRecord))
#1 [internal function]: flipbox\saml\sp\controllers\LoginController->actionIndex()
#2 /xxx/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#3 /xxx/vendor/yiisoft/yii2/base/Controller.php(157): yii\base\InlineAction->runWithParams(Array)
#4 /xxx/vendor/craftcms/cms/src/web/Controller.php(187): yii\base\Controller->runAction('', Array)
#5 /xxx/vendor/yiisoft/yii2/base/Module.php(528): craft\web\Controller->runAction('', Array)
#6 /xxx/vendor/craftcms/cms/src/web/Application.php(299): yii\base\Module->runAction('saml-sp/login', Array)
#7 /xxx/vendor/yiisoft/yii2/web/Application.php(103): craft\web\Application->runAction('saml-sp/login', Array)
#8 /xxx/vendor/craftcms/cms/src/web/Application.php(284): yii\web\Application->handleRequest(Object(craft\web\Request))
#9 /xxx/vendor/yiisoft/yii2/base/Application.php(386): craft\web\Application->handleRequest(Object(craft\web\Request))
#10 /xxx/web/index.php(21): yii\base\Application->run()
#11 {main}
2019-09-20 17:46:56 [-][-][79vlddo2bhb46ivuq16k0vb6s1][info][application] $_GET = [
    'p' => 'sso/login/'
]

dsmrt commented 5 years ago

Ok ... I think I missed this the first time around.

In your error, the first argument to flipbox\saml\core\validators\Response is NULL, which is the IdP, not the SP. So the plugin isn't finding your IdP. Something isn't matching up (proba. You may want to re-sync the IdP metadata completely. So pull the metadata from ADFS, then add it to the plugin CP in Craft as a new IdP. I'm assuming the EntityID on that side isn't matching up somehow.

FYI, I'm working on a patch now to make this a little clearer by throwing an exception.

dsmrt commented 5 years ago

Pushed 2.0.4. Adds a fix for your AssertionConsumerServiceIndex issue and better exception handling for configuration issues.

Give it a try and let me know!
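As an added illustration (not the plugin's own code) of the lookup the two comments above describe: the Issuer EntityID in the incoming SAML Response is matched against the configured IdP records, and a miss throws a descriptive exception instead of handing null on to the Response validator. The XML sample, the provider table and the two helper functions are constructed for this example.

```php
<?php
// Constructed sample: a minimal SAML Response carrying only the Issuer.
// Real responses also carry a signed Assertion, which is not examined here.
const SAMPLE_RESPONSE = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2019-09-20T10:49:41Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
</samlp:Response>
XML;

// Constructed stand-in for the plugin's IdP records, keyed by EntityID.
const CONFIGURED_IDPS = [
    'https://sts.windows.net/00000000-0000-0000-0000-000000000000/' => ['label' => 'Azure Test', 'enabled' => true],
    'https://adfs.example.test/adfs/services/trust' => ['label' => 'ADFS Production', 'enabled' => false],
];

/** Read the Issuer EntityID from a SAML Response document (hypothetical helper). */
function extractIssuer(string $xml): string
{
    $doc = new DOMDocument();
    // LIBXML_NONET keeps the parser from fetching anything over the network.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('SAML Response is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $node = $xp->query('/samlp:Response/saml:Issuer')->item(0);
    if ($node === null) {
        throw new RuntimeException('SAML Response has no Issuer element');
    }
    return $node->textContent; // EntityIDs are compared exactly, no normalisation
}

/** Resolve the IdP record for an Issuer; fail loudly instead of handing null on. */
function findIdentityProvider(string $entityId, array $providers): array
{
    if (!isset($providers[$entityId])) {
        throw new RuntimeException("No identity provider configured with EntityID '$entityId'; re-import the IdP metadata");
    }
    if (!$providers[$entityId]['enabled']) {
        throw new RuntimeException("Identity provider '{$providers[$entityId]['label']}' is disabled");
    }
    return $providers[$entityId];
}

$idp = findIdentityProvider(extractIssuer(SAMPLE_RESPONSE), CONFIGURED_IDPS);
echo "Matched IdP: {$idp['label']}\n";
```

Swapping the Issuer in the sample for the disabled ADFS entry, or for an EntityID not in the table, reproduces the two misconfigurations discussed in this thread as readable exceptions rather than a TypeError.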

dmatthams commented 5 years ago

Ok great thanks, will get client to check everything and re-send meta next week. Will let you know how I get on 😊

dmatthams commented 5 years ago

This is now fixed, ended up removing all providers and starting from the beginning – it's working beautifully. Thanks so much for your time on this!

dsmrt commented 5 years ago

No problem! Thank you!