handnot2 / samly

Elixir Plug library to enable SAML 2.0 SP SSO in Phoenix/Plug applications.
MIT License

"invalid_request unknown IdP" in production #18

Closed mxgrn closed 6 years ago

mxgrn commented 6 years ago

Thanks for Samly! I would like to report a couple of issues, here's one.

I got Samly working in dev with Okta, but in prod it keeps giving me the "invalid_request unknown IdP" error even before reaching out to Okta.

Here are the relevant pieces.

My config:

config :samly, Samly.Provider,
  idp_id_from: :path_segment,
  service_providers: [
    %{
      id: "payments-admin",
      certfile: "priv/keys/samly.crt",
      keyfile: "priv/keys/samly.pem",
    }
  ],
  identity_providers: [
    %{
      id: "okta-payments-admin",
      sp_id: "payments-admin",
      base_url: "https://payments-admin.ourdomain.com/sso",
      metadata_file: "config/saml/payments_admin_metadata.xml",
      pre_session_create_pipeline: PaymentsWeb.Plugs.SamlyPipeline,
      use_redirect_for_req: true,
    }
  ]

The sign in URL looks like this:

https://payments-admin.ourdomain.com/sso/auth/signin/okta-payments-admin

Router:

  scope "/sso", host: "payments-admin." do
    forward "/", Samly.Router
  end

Any ideas?

handnot2 commented 6 years ago

Do you find any errors in the log? Samly uses Logger.error for error messages. You mentioned that it works in dev and not in production. Can you check your cert and keyfile paths on your production deployment? Check the path for the meta_data file as well. If you use a deployment tool (such as distillery) the dev and production path for these files may have to be different.

mxgrn commented 6 years ago

"the dev and production path for these files may have to be different"

That was exactly the issue. I'm using Distillery, so I needed to change the prod.exs paths to the following (using the certs as an example):

      certfile: "lib/my_app-0.0.1/priv/keys/samly.crt",
      keyfile: "lib/my_app-0.0.1/priv/keys/samly.pem",
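A boot-time check that would have turned this silent "unknown IdP" into a clear startup error, as an added example; it is not part of Samly or the poster's application. It assumes a hypothetical module name PaymentsWeb.SamlyConfigCheck and the :samly config keys shown in the thread (service_providers with certfile/keyfile, identity_providers with metadata_file), and resolves relative paths against the working directory the release actually runs in.

```elixir
defmodule PaymentsWeb.SamlyConfigCheck do
  @moduledoc """
  Hypothetical startup check (not part of Samly): verify that every file the
  :samly config points at exists on this deployment. Samly logs a missing cert,
  key or metadata file with Logger.error and then treats the IdP as unknown, so
  failing loudly here gives operators the real cause instead of "unknown IdP".
  """
  require Logger

  @doc """
  Returns :ok when all referenced files exist, otherwise
  {:error, [{entity_id, config_key, path}, ...]} listing what is missing.
  Call it from Application.start/2 before starting the supervision tree.
  """
  def check(config \\ Application.get_env(:samly, Samly.Provider, [])) do
    # Every SP must ship its signing cert and private key.
    sp_files =
      for sp <- Keyword.get(config, :service_providers, []),
          {key, path} <- Map.take(sp, [:certfile, :keyfile]),
          do: {sp.id, key, path}

    # Every IdP must ship the metadata file it was configured with.
    idp_files =
      for idp <- Keyword.get(config, :identity_providers, []),
          {key, path} <- Map.take(idp, [:metadata_file]),
          do: {idp.id, key, path}

    # Relative paths are resolved against the release's working directory,
    # which is exactly what differs between `mix phx.server` and Distillery.
    missing = Enum.reject(sp_files ++ idp_files, fn {_id, _key, path} -> File.regular?(path) end)

    case missing do
      [] ->
        :ok

      _ ->
        Enum.each(missing, fn {id, key, path} ->
          Logger.error("samly config: #{id} #{key} not found at #{Path.expand(path)}")
        end)

        {:error, missing}
    end
  end
end
```

Wiring it into `Application.start/2` as `:ok = PaymentsWeb.SamlyConfigCheck.check()` makes the release refuse to boot with the expanded path of each missing file in the log, so a wrong `lib/my_app-<version>/priv/...` path is caught at deploy time rather than at the first sign-in attempt.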