Closed papakay closed 6 years ago
Looks like Samly fails to decode the SAML response.
Did you use the samly_howto application to make sure that the config settings needed for Samly to function properly are set correctly? Was this error discovered during that process?
Use the SAML Tracer browser plugin to check that the SAML requests and responses look OK. Any mismatch in the Samly config regarding communication with the SAML service could result in errors.
It would be better to include additional information about which SAML service you are trying to work with and your Samly config in the issue reports.
@handnot2 Thanks so much for your response.
Below is my SAML request (from SAML Tracer):
<?xml version="1.0"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://enterprise.local:4000/sso/sp/consume/entidp"
Destination="http://example.com/login" ID="id1531887326020795000146340"
IssueInstant="2018-07-18T04:15:26Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id1531887326020795000146340">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>SzwCCrD60W5EzsJ+CCJD+L7hjB5Jw39WwajiLqYaLrU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>beMg59R8ljvJ+0iT/GLU3QOPIF26qHJ6/szb22JzHUtF4coA8P2daR4ipxe7NhrAj6sZ12M3ps2nc4u1SQKx4ac9CVHQbpHDY9wMNvFdbiZavaX8AJ23fArNkLCnntPD9exAzUO+U7/ib/TGIyMZt7DYN34iWI0HXQ63RBKX6MI=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>CERTIFICATE_VALUE_HERE</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Issuer>http://enterprise.local:4000/sso/sp/consume/entidp</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></samlp:AuthnRequest>
and below is the response returned:
<?xml version="1.0"?>
<samlp:Response Destination="http://enterprise.local:4000/sso/sp/consume/entidp"
ID="_cb2c1c2f87d0b3f2f3f3cb93387e613cf631ce561a" InResponseTo="id1531887326020795000146340"
IssueInstant="2018-07-18T04:15:27Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://example.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_cb2c1c2f87d0b3f2f3f3cb93387e613cf631ce561a">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>xWPO2yBkxskGXHxVlFq+7I60J3I53D7dYGUbchJP0sw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>iY7LTY+JCZdWFh8/q6+agdxJ2Y6Q0azywDWJszjsUp/LYaAKjnVnCQXQfMAvzrUOVmZHEiHEW8jRMZMSluBZYfvsXRvbz7gEx2ti3+B+6wTNIKWiZXwNRetdZ0mhUV4Qu5x9FnTO8n1un2k4MPBT/XblFPhMcZyRH+sQrFibcuE=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>CERTIFICATE_VALUE_HERE</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
<samlp:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</samlp:StatusMessage>
</samlp:Status>
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xenc:CipherData>
<xenc:CipherValue>EywFkqbFL3W85ZE8aAGxU5xmV+OXZnPgVgct9nzYzU71DngKoieK/EWz6cAWLR+mcAuixk9V8gBlhYG3NQ+Jlcl6fl9IxwAcpvaDj8rQ+7Qr5rU0x0IF+2GXrzvOH0C8C/HaxFbyJr8VJCNhdMOXuVmUcxnkYTnLSR6fRWR8VeU=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>CIPHER_VALUE_ELIDED</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedAssertion>
</samlp:Response>
What do you think could be wrong with this?
Please find my config below:
config :samly, Samly.Provider,
  idp_id_from: :path_segment,
  service_providers: [
    %{
      id: "entsp",
      entity_id: "http://enterprise.local:4000/sso/sp/consume/entidp",
      certfile: "priv/keys/samly.crt",
      keyfile: "priv/keys/samly.pem"
    }
  ],
  identity_providers: [
    %{
      id: "entidp",
      sp_id: "entsp",
      metadata_file: "priv/saml/metadata.xml",
      nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      base_url: "http://enterprise.local:4000/sso",
      pre_session_create_pipeline: Enterprise.Modules.Plugs.Samly,
      use_redirect_for_req: true
    }
  ]
Are you using SAML assertion attribute encryption? If so, it is not supported in esaml and Samly. Check your SAML service configuration, turn the assertion attribute encryption off and try it out. (There is a bug report for this in the esaml repo.)
Update this issue if turning off assertion attribute encryption resolves the problem.
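The response pasted above carries a `saml:EncryptedAssertion` rather than a plain `saml:Assertion`, which is the condition the maintainer is pointing at. The following script is an added example (not Samly or esaml code) that takes a SAML Tracer capture and reports the properties that decide whether the SP can process it: the status code, whether `Destination` and `InResponseTo` match what the SP sent, and whether the assertion is encrypted and with which algorithm. It uses only the Python standard library; the embedded response is a constructed sample trimmed from the one in this thread, with the cipher value elided, and the expected ACS URL and request ID are taken from the request above.

```python
"""Inspect a SAML 2.0 Response captured with SAML Tracer and flag the
properties that commonly stop an SP from decoding it.
Added example; not part of Samly or esaml."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample, trimmed from the response in the thread (no key material).
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<samlp:Response Destination="http://enterprise.local:4000/sso/sp/consume/entidp"
  ID="_cb2c1c2f87d0b3f2f3f3cb93387e613cf631ce561a" InResponseTo="id1531887326020795000146340"
  IssueInstant="2018-07-18T04:15:27Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <xenc:CipherData><xenc:CipherValue>CIPHER_VALUE_ELIDED</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def inspect_response(xml_text, expected_acs_url, expected_request_id):
    """Parse a samlp:Response and return the facts an SP checks before decoding."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document is not a samlp:Response")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    plain = root.find("saml:Assertion", NS)

    algorithm = None
    if encrypted is not None:
        method = encrypted.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        algorithm = method.get("Algorithm") if method is not None else None

    return {
        "status": status.get("Value") if status is not None else None,
        # The IdP must address the response to the SP's consume URL it was given.
        "destination_ok": root.get("Destination") == expected_acs_url,
        # The response must answer the AuthnRequest the SP actually issued.
        "in_response_to_ok": root.get("InResponseTo") == expected_request_id,
        "assertion_encrypted": encrypted is not None,
        "assertion_plain": plain is not None,
        "encryption_algorithm": algorithm,
    }


def diagnose(report):
    """Turn an inspect_response() report into a list of problems; empty means none found."""
    problems = []
    if report["status"] != SUCCESS:
        problems.append("IdP returned status %s" % report["status"])
    if not report["destination_ok"]:
        problems.append("Destination does not match the SP's AssertionConsumerServiceURL")
    if not report["in_response_to_ok"]:
        problems.append("InResponseTo does not match the AuthnRequest ID")
    if report["assertion_encrypted"]:
        problems.append(
            "assertion is encrypted (%s); Samly/esaml cannot decode it, "
            "so disable assertion encryption on the IdP side" % report["encryption_algorithm"]
        )
    elif not report["assertion_plain"]:
        problems.append("response carries no assertion at all")
    return problems


if __name__ == "__main__":
    report = inspect_response(
        SAMPLE_RESPONSE,
        "http://enterprise.local:4000/sso/sp/consume/entidp",
        "id1531887326020795000146340",
    )
    for line in diagnose(report) or ["no obvious problems found"]:
        print("-", line)
```

Paste the base64-decoded `SAMLResponse` from SAML Tracer in place of the sample and run the script; the encrypted-assertion finding is the one that matches this thread, while a `Destination` or `InResponseTo` mismatch points instead at the `entity_id` / `base_url` values in the Samly config.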
Thank you so much. I will do that and revert.
Yes it now works. Thanks so much.
Why am I getting this error? This happens while trying to process the SAMLResponse.
The SAMLEncoding, SAMLResponse and RelayState were sent in the response.
Thanks.