handnot2 / samly

Elixir Plug library to enable SAML 2.0 SP SSO in Phoenix/Plug applications.
MIT License
126 stars 93 forks

access_denied {:invalid_request, "{:error, {:invalid_response, \"%ErlangError{original: :data_error}\"}}"} #22

Closed papakay closed 6 years ago

papakay commented 6 years ago

Please, why am I getting this error? This happens while trying to process the SAMLResponse.

The SAMLEncoding, SAMLResponse and the RelayState were sent in the response.

Thanks.

handnot2 commented 6 years ago

Looks like Samly fails to decode the SAML response.

  1. Did you use the samly_howto application to make sure that the config settings needed for Samly to function properly are set correct? Was this error discovered during that process?

  2. Use the SAML Tracer browser plugin to check that the SAML requests and responses look OK.

Any mismatch in the Samly config regarding communication with the SAML service could result in errors.

It would be better to include additional information about which SAML service you are trying to work with and your Samly config in the issue reports.

papakay commented 6 years ago

@handnot2 Thanks so much for your response.

Below is my SAML request (from SAML Tracer):

<?xml version="1.0"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://enterprise.local:4000/sso/sp/consume/entidp"
    Destination="http://example.com/login" ID="id1531887326020795000146340"
    IssueInstant="2018-07-18T04:15:26Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#id1531887326020795000146340">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>SzwCCrD60W5EzsJ+CCJD+L7hjB5Jw39WwajiLqYaLrU=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>beMg59R8ljvJ+0iT/GLU3QOPIF26qHJ6/szb22JzHUtF4coA8P2daR4ipxe7NhrAj6sZ12M3ps2nc4u1SQKx4ac9CVHQbpHDY9wMNvFdbiZavaX8AJ23fArNkLCnntPD9exAzUO+U7/ib/TGIyMZt7DYN34iWI0HXQ63RBKX6MI=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>CERTIFICATE_VALUE_HERE</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml:Issuer>http://enterprise.local:4000/sso/sp/consume/entidp</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>

and below is the response returned:

<?xml version="1.0"?>
<samlp:Response Destination="http://enterprise.local:4000/sso/sp/consume/entidp"
    ID="_cb2c1c2f87d0b3f2f3f3cb93387e613cf631ce561a" InResponseTo="id1531887326020795000146340"
    IssueInstant="2018-07-18T04:15:27Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#_cb2c1c2f87d0b3f2f3f3cb93387e613cf631ce561a">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>xWPO2yBkxskGXHxVlFq+7I60J3I53D7dYGUbchJP0sw=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>iY7LTY+JCZdWFh8/q6+agdxJ2Y6Q0azywDWJszjsUp/LYaAKjnVnCQXQfMAvzrUOVmZHEiHEW8jRMZMSluBZYfvsXRvbz7gEx2ti3+B+6wTNIKWiZXwNRetdZ0mhUV4Qu5x9FnTO8n1un2k4MPBT/XblFPhMcZyRH+sQrFibcuE=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>CERTIFICATE_VALUE_HERE</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        <samlp:StatusMessage>urn:oasis:names:tc:SAML:2.0:status:Success</samlp:StatusMessage>
    </samlp:Status>
    <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey>
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
                    <xenc:CipherData>
                        <xenc:CipherValue>EywFkqbFL3W85ZE8aAGxU5xmV+OXZnPgVgct9nzYzU71DngKoieK/EWz6cAWLR+mcAuixk9V8gBlhYG3NQ+Jlcl6fl9IxwAcpvaDj8rQ+7Qr5rU0x0IF+2GXrzvOH0C8C/HaxFbyJr8VJCNhdMOXuVmUcxnkYTnLSR6fRWR8VeU=</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </dsig:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>CIPHER_VALUE_HERE</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAssertion>
</samlp:Response>

Please what do you think could be wrong with this?

papakay commented 6 years ago

Please find below my config

config :samly, Samly.Provider,
  idp_id_from: :path_segment,
  service_providers: [
    %{
      id: "entsp",
      entity_id: "http://enterprise.local:4000/sso/sp/consume/entidp",
      certfile: "priv/keys/samly.crt",
      keyfile: "priv/keys/samly.pem",
    }
  ],
  identity_providers: [
    %{
      id: "entidp",
      sp_id: "entsp",
      metadata_file: "priv/saml/metadata.xml",
      nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      base_url: "http://enterprise.local:4000/sso",
      pre_session_create_pipeline: Enterprise.Modules.Plugs.Samly,
      use_redirect_for_req: true,
    }
  ]

handnot2 commented 6 years ago

Are you using SAML assertion attribute encryption? If so, it is not supported in esaml and Samly. Check your SAML service configuration and turn the assertion attribute encryption off and try it out.

(There is a bug report for this in esaml repo.)

Update this issue if turning off assertion attribute encryption resolves the problem.
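The response posted above carries a `saml:EncryptedAssertion` rather than a plain `saml:Assertion`, which is the case handnot2 identifies. That can be confirmed on the SP side before the payload ever reaches Samly. The script below is an added example written for this thread; it is not part of the issue, Samly or esaml. It decodes a `SAMLResponse` form parameter (plain base64 for the HTTP-POST binding, base64 over raw DEFLATE for HTTP-Redirect), extracts the fields most often involved in `access_denied` results (Issuer, Destination, InResponseTo, Status, whether the response is signed, whether the assertion is encrypted and with which algorithms), and compares Destination and InResponseTo against the values the SP expects. The expected ACS URL and request ID used in the sample are the ones visible in the AuthnRequest above; the embedded response XML is a constructed, shortened copy of the posted response with placeholder signature and cipher values. It is a diagnostic only and performs no signature or decryption checks.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Namespaces used by the SAML 2.0 response in the thread.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample, modelled on the response posted in the issue:
# signed response, Success status, encrypted assertion (AES-128-CBC key
# wrapped with RSA-OAEP). Signature and cipher values are placeholders.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<samlp:Response Destination="http://enterprise.local:4000/sso/sp/consume/entidp"
    ID="_resp1" InResponseTo="id1531887326020795000146340"
    IssueInstant="2018-07-18T04:15:27Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://example.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>SIG</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <dsig:KeyInfo><xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>KEY</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey></dsig:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>DATA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def encode_post_param(xml_bytes: bytes) -> str:
    """HTTP-POST binding: the form field is plain base64 of the XML."""
    return base64.b64encode(xml_bytes).decode()


def encode_redirect_param(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding: base64 of raw DEFLATE (no zlib header)."""
    co = zlib.compressobj(wbits=-15)
    return base64.b64encode(co.compress(xml_bytes) + co.flush()).decode()


def decode_saml_param(value: str) -> bytes:
    """Decode a SAMLResponse/SAMLRequest parameter from either binding."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw                      # POST binding: already XML
    return zlib.decompress(raw, -15)    # Redirect binding: inflate raw DEFLATE


def inspect_response(xml_bytes: bytes) -> dict:
    """Pull out the fields that usually explain an access_denied result."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    info = {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "status": status.get("Value") if status is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_present": root.find("saml:Assertion", NS) is not None,
        "assertion_encrypted": encrypted is not None,
        "encryption_algorithms": [],
        "problems": [],
    }
    if encrypted is not None:
        # Document order: data cipher first, then the key-transport algorithm.
        info["encryption_algorithms"] = [
            e.get("Algorithm")
            for e in encrypted.iter(f"{{{NS['xenc']}}}EncryptionMethod")
        ]
        info["problems"].append("assertion is encrypted (EncryptedAssertion): not supported by esaml/Samly")
    elif not info["assertion_present"]:
        info["problems"].append("response carries no Assertion")
    if info["status"] != STATUS_SUCCESS:
        info["problems"].append(f"IdP status is {info['status']}")
    return info


def diagnose(saml_response_param: str, expected_acs_url: str, request_id: str) -> dict:
    """Decode, inspect and cross-check against what the SP sent and expects."""
    info = inspect_response(decode_saml_param(saml_response_param))
    if info["destination"] != expected_acs_url:
        info["problems"].append(f"Destination {info['destination']!r} != ACS URL {expected_acs_url!r}")
    if info["in_response_to"] != request_id:
        info["problems"].append(f"InResponseTo {info['in_response_to']!r} != request ID {request_id!r}")
    return info


if __name__ == "__main__":
    report = diagnose(encode_post_param(SAMPLE_RESPONSE),
                      "http://enterprise.local:4000/sso/sp/consume/entidp",
                      "id1531887326020795000146340")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real capture, pass the `SAMLResponse` value straight from SAML Tracer; a non-empty `problems` list names the first thing to fix in the IdP or Samly configuration, with an encrypted assertion reported ahead of any Destination or InResponseTo mismatch.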

papakay commented 6 years ago

Thank you so much. I will do that and revert.

papakay commented 6 years ago

Yes it now works. Thanks so much.