flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

No message is displayed or logged when SAML fails #50

Closed mihow closed 4 years ago

mihow commented 4 years ago

When initiating login from the CP login page, if something about the sign-in fails the user is redirected back to the the login page with no message and there is no information available in the Craft logs.

Currently I am able to use OneLogin in our dev environment but not in production and I have no way of troubleshooting the issue.

I am able to replicate this locally if I set the "SAML Consumer URL" to an incorrect URL. The sign-in fails but there is no information provided as to why.

[attached screenshot]

dsmrt commented 4 years ago

Can you tail the logs and see if there's anything in there?

tail -f storage/logs/web.log | grep -A 5 '\[saml-'

mihow commented 4 years ago

Unfortunately I'm not seeing anything in any of these log files

storage/logs/craft.log
storage/logs/web.log
storage/runtime/logs/app.log
storage/logs/phperrors.log
storage/logs/console.log
storage/logs/queue.log

dsmrt commented 4 years ago

Couple things.

  1. If you can replicate it on local, then see what the logs look like on local. Or turn devMode on in prod for testing.
  2. On most common errors we throw exceptions, so you should see some message.
  3. When devMode is on you should be able to see the response come through in the logging. That might be a good place to start looking.
  4. Are you getting redirected to OneLogin?

mihow commented 4 years ago

Thanks, I am unable to replicate on local. The login works fine there. I can't turn on devMode in production but I will fire up another remote environment where I can and will test there. And yes, we are getting directed to OneLogin (https://***.onelogin.com/trust/saml2/http-post/sso/314dbcf6-e1dd-449d-8998-ed5dbabca3b2) and then back to the admin login page.

dsmrt commented 4 years ago

Just trying to understand what you are seeing. Here are the steps to recreate:

  1. Go to the Craft CMS CP login (ie, /admin/login)
  2. Click the login button, Via OneLogin
  3. Redirected to OneLogin, login successfully, then returned to the Craft CMS CP login

There's no error and you aren't logged in. You just see the login screen.

Does the "SAML Consumer URL" in OneLogin have "admin" in it? Like https://example.com/admin/sso/login

mihow commented 4 years ago

Yes, that's exactly what's happening.

The SAML Consumer URL does not contain /admin/. Should it? Currently it looks like this: https://example.com/sso/login

I have a remote environment with devMode turned on and there is still no error reported.

When I change it to https://example.com/admin/sso/login

I get a Bad Request error

[attached screenshot]

dsmrt commented 4 years ago

Ok ... I think I got it! No, admin shouldn't be in there.

I was able to replicate this. I think you have multiple service providers installed so the OneLogin URL is sending you back, logging you in, then redirecting you to where you were trying to go before.

Your login page needs to be on the same domain on prod (https://example.com/admin/login) as the "consumer url" in OneLogin. These need to match exactly (https://example.com vs. https://www.example.com).

Within the plugin, delete the sp provider that matches the URL/domain to the current consumer URL. You'll then see that things are not configured correctly.

dsmrt commented 4 years ago

One thing you can do to debug this is open up your browser network console and view the redirects. You might have to preserve logs.

When debugging, I saw something like this:

https://sp.localhost/admin/login (clicked button on this page)
https://myidp.com/saml/sso/id (logged in)
https://localhost/sso/login (notice the hostname is different here)
https://sp.localhost/admin/login (the plugin redirects me to where I was trying to go, like /admin/dashboard)

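The two comments above boil down to one check: the origin (scheme plus host) of the CP login page must equal the origin of the consumer URL the IdP posts back to, and the consumer path should not carry the /admin prefix. The script below is an added example, not code from the saml-sp plugin; it takes a hop list like the one dsmrt copied out of the browser network tab (the sample trace is constructed from that comment) and reports any hop on the consumer path whose origin differs from where the login started. The default consumer path /sso/login is taken from the thread; everything else (function names, the constructed URLs) is an assumption for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the hop list you would copy out of the browser network
# tab (with "preserve log" on) for one failed login, in order.
MISMATCHED_TRACE = [
    "https://sp.localhost/admin/login",   # clicked the OneLogin button here
    "https://myidp.com/saml/sso/id",      # authenticated at the IdP
    "https://localhost/sso/login",        # IdP posted the assertion here
    "https://sp.localhost/admin/login",   # bounced back to the login page
]


def origin(url):
    """Scheme and host[:port] of a URL, lower-cased, e.g. ('https', 'sp.localhost')."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def check_consumer_url(login_url, consumer_url, consumer_path="/sso/login"):
    """Compare the CP login URL with the consumer (ACS) URL configured at the IdP.

    Returns a list of human-readable findings; an empty list means they agree
    on scheme, host and expected path. (Hypothetical helper, not a plugin API.)
    """
    findings = []
    if origin(login_url) != origin(consumer_url):
        findings.append(
            "origin mismatch: login page is %s://%s but consumer URL is %s://%s"
            % (origin(login_url) + origin(consumer_url))
        )
    path = urlsplit(consumer_url).path
    if path != consumer_path:
        # Catches the /admin/sso/login variant that produced "Bad Request" in the thread.
        findings.append("consumer path is %r, expected %r" % (path, consumer_path))
    return findings


def check_trace(trace, consumer_path="/sso/login"):
    """Scan a redirect chain; report hops that hit the consumer path on a different origin."""
    if not trace:
        return ["empty trace"]
    findings = []
    login_url = trace[0]
    # Any hop whose path ends with the consumer path is where the IdP posted back.
    acs_hops = [u for u in trace if urlsplit(u).path.endswith(consumer_path)]
    if not acs_hops:
        findings.append("no hop reached %s; the IdP may be posting to another SP" % consumer_path)
    for hop in acs_hops:
        findings.extend(check_consumer_url(login_url, hop, consumer_path))
    return findings


if __name__ == "__main__":
    for line in check_trace(MISMATCHED_TRACE) or ["trace is consistent"]:
        print(line)
```

Run against the constructed trace it prints one line naming localhost versus sp.localhost, which is exactly the second-service-provider symptom described above: the assertion lands on an SP whose origin does not match the session that started the login, so the user is bounced back with no visible error.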
mihow commented 4 years ago

Thanks! I thought I had the hostname and entity ID correct, but I will double check today.

Have you seen any examples of someone using the plugin with OneLogin? They use different names for the configuration fields than Okta or other examples I’ve seen.

On Wed, Jan 29, 2020 at 8:08 AM Damien Smrt notifications@github.com wrote:

> One thing you can do to debug this is open up your browser network console and view the redirects. You might have to preserve logs.
>
> When debugging, I saw something like this:
>
> https://sp.localhost/admin/login (clicked button on this page)
> https://myidp.com/saml/sso/id (logged in)
> https://localhost/sso/login (notice the hostname is different here)
> https://sp.localhost/admin/login (the plugin redirects me to where I was trying to go, like /admin/dashboard)


dsmrt commented 4 years ago

Every SAML provider is different, which is frustrating. I use the metadata because it has everything you need in it, and I don't understand why everyone doesn't do that.

Here is a screenshot on how I configured my testing OneLogin account.

[attached screenshot: Screen Shot 2020-01-29 at 10 38 30 AM]

dsmrt commented 4 years ago

Closed this for now but let me know if you have any more issues.

mihow commented 4 years ago

Thanks for your help. I am starting to believe our configuration with Craft & OneLogin is okay; however, something with the frontend server (in Nginx or Heroku itself) is getting in the way. Everything works locally just fine, even when I use a remote hostname with Ngrok over HTTPS.