flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

SHA512 Key Fails Validation - Signing issues with OneLogin as IdP #45

Closed markhuot closed 4 years ago

markhuot commented 4 years ago

Hi, I'm integrating with OneLogin and am running into some hashing difficulties that I can't tell if they are a fault of the OneLogin response or something in this plugin. The easiest trace of the error is here,

InvalidArgumentException: Expected a value identical to "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256". Got: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" in /html/vendor/webmozart/assert/src/Assert.php:1915
Stack trace:
#0 /html/vendor/webmozart/assert/src/Assert.php(834): Webmozart\Assert\Assert::reportInvalidArgument('Expected a valu...')
#1 /html/vendor/simplesamlphp/saml2/src/SAML2/Assertion.php(666): Webmozart\Assert\Assert::same('http://www.w3.o...', 'http://www.w3.o...')
#2 /html/vendor/flipboxfactory/saml-core/src/validators/SignedElement.php(34): SAML2\Assertion->validate(Object(RobRichards\XMLSecLibs\XMLSecurityKey))
#3 /html/vendor/flipboxfactory/saml-core/src/validators/Assertion.php(107): flipbox\saml\core\validators\SignedElement->validate(Object(SAML2\Assertion), Object(SAML2\Assertion\Validation\Result))
#4 /html/vendor/flipboxfactory/saml-core/src/validators/Response.php(94): flipbox\saml\core\validators\Assertion->validate(Object(SAML2\Assertion))
#5 /html/vendor/flipboxfactory/saml-core/src/validators/Response.php(74): flipbox\saml\core\validators\Response->validateAssertions(Object(SAML2\Response), Object(SAML2\Response\Validation\Result))
#6 /html/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php(80): flipbox\saml\core\validators\Response->validate(Object(SAML2\Response))
#7 [internal function]: flipbox\saml\sp\controllers\LoginController->actionIndex()
#8 /html/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#9 /html/vendor/yiisoft/yii2/base/Controller.php(157): yii\base\InlineAction->runWithParams(Array)
#10 /html/vendor/craftcms/cms/src/web/Controller.php(187): yii\base\Controller->runAction('', Array)
#11 /html/vendor/yiisoft/yii2/base/Module.php(528): craft\web\Controller->runAction('', Array)
#12 /html/vendor/craftcms/cms/src/web/Application.php(299): yii\base\Module->runAction('saml-sp/login', Array)
#13 /html/vendor/yiisoft/yii2/web/Application.php(103): craft\web\Application->runAction('saml-sp/login', Array)
#14 /html/vendor/craftcms/cms/src/web/Application.php(284): yii\web\Application->handleRequest(Object(craft\web\Request))
#15 /html/vendor/yiisoft/yii2/base/Application.php(386): craft\web\Application->handleRequest(Object(craft\web\Request))
#16 /html/web/index.php(21): yii\base\Application->run()
#17 {main}

It seems that the response from OneLogin comes back with a SHA512 key but when saml-core/src/validators/Response calls ->validateAssertions it calls ->validate on the SAML2/Assertion which expects a SHA256.

Is this a misconfiguration I have somewhere?
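The trace above fails because the assertion validator pins a single signature algorithm URI (rsa-sha256) while the OneLogin response declares rsa-sha512. The following is an added illustration, not code from saml-sp, saml-core or simplesamlphp/saml2: it reads the ds:SignatureMethod from a constructed assertion and contrasts the pinned check with an allowlist of acceptable algorithms (a hypothetical SP policy that accepts SHA-2 and rejects SHA-1).

```python
# Added illustration, not code from the plugin or its dependencies.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"

# Hypothetical SP policy: accept RSA with SHA-2 digests, reject SHA-1.
ALLOWED_SIGNATURE_ALGS = frozenset({RSA_SHA256, RSA_SHA512})

# Constructed, heavily trimmed assertion; only SignedInfo matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-id" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{alg}"/>
    </ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""


def signature_algorithm(xml_text: str) -> str:
    """Return the Algorithm URI declared by the element's ds:SignatureMethod."""
    root = ET.fromstring(xml_text)
    node = root.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    if node is None or "Algorithm" not in node.attrib:
        raise ValueError("no ds:SignatureMethod in signed element")
    return node.attrib["Algorithm"]


def pinned_check(xml_text: str, expected: str = RSA_SHA256) -> bool:
    """Behaviour of a validator that requires one exact URI (the failing check)."""
    return signature_algorithm(xml_text) == expected


def allowlist_check(xml_text: str, allowed=ALLOWED_SIGNATURE_ALGS) -> bool:
    """Gate only the declared algorithm; the signature value itself must still
    be verified against the IdP certificate afterwards."""
    return signature_algorithm(xml_text) in allowed


if __name__ == "__main__":
    for alg in (RSA_SHA256, RSA_SHA512, RSA_SHA1):
        doc = SAMPLE_ASSERTION.format(alg=alg)
        print(alg.rsplit("#", 1)[1], "pinned:", pinned_check(doc), "allowlist:", allowlist_check(doc))
```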

markhuot commented 4 years ago

I posted a similar question over to the SAML project and got a helpful response:

https://github.com/simplesamlphp/saml2/issues/188#issuecomment-567482164

Not sure if this should be calling validateSignature instead?

dsmrt commented 4 years ago

I'll take a look.

markhuot commented 4 years ago

Thank you Damien! I'm happy to provide any other detail you may need, just let me know.

dsmrt commented 4 years ago

@markhuot I found where you can configure the key under the SSO tab within OneLogin so that it matches the correct signature algorithm. (see screenshot)

[Screenshot: Screen Shot 2019-12-19 at 10 31 59 AM]

I can get past the error you are seeing but I'm not getting past the validation of the signature once those are aligned. I haven't worked with OneLogin before. Not sure what they are doing differently but I must be missing something here.

How about you see if what I point out above works for you and then we can move from there. I assume you'll see the same. Timing right now with the holidays is pretty tight so I'm not sure when I'll be able to dive deeper into this.

OneLogin does have this php lib which might be a good reference to what I might be missing.

markhuot commented 4 years ago

Thanks @dsmrt, I'm seeing the same thing as you. I changed mine to SHA-512 to get past the signature issue (since my x509 cert is SHA-512, I think…) and then I hit the Assertion error. If I change it back to SHA-256 I get the signature error but presumably the assertion would go through.

I'll dig into the OneLogin PHP lib and see if there's anything interesting they're doing in there.

dsmrt commented 4 years ago

I think I found the issue here. Run a composer update flipboxfactory/saml-core and see if that works for you. I was also able to change the Signature Algorithm to SHA512 and it worked with that setting as well. Let me know if this works out for you!

markhuot commented 4 years ago

Thanks @dsmrt, I'll check it out today!

markhuot commented 4 years ago

@dsmrt, I got tied up on Friday and didn't get a chance to test this until just now but it's working great! Thank you so much for the fixes to support OneLogin, this is fantastic news!