Closed natewallis closed 6 years ago
bump
Migration information is available at:
https://github.com/handnot2/samly/wiki/Migrate-Samly-v0.7.x-to-v0.8.0
This is not merged to main. Would like to get feedback on how this works for you (follow the migration instructions to try it out). Will merge to main and publish to hex.pm once any issues are ironed out.
I have installed an started testing, however when I go to my sign in URI, I get the following response in the browser - "invalid_request". After having a quick look at the samly code, it appears to be failing on valid_referer? call in auth_handler.ex...
I have inspected a few of my variables (conn, referer and request_authority), I haven't had a chance to see when these variables should be set... Here is the output
[info] GET /sso/federation/auth/signin %Plug.Conn{adapter: {Plug.Adapters.Cowboy.Conn, :...}, assigns: %{}, before_send: [#Function<0.96292254/1 in Plug.CSRFProtection.call/2>,
body_params: %{}, cookies: %{"_mannequin_key" => "SFMyNTY.g3QAAAAEbQAAAAtfY3NyZl90b2tlbm0AAAAYMVJUZTU4L052TGhVSThyWXMyaFZFZz09bQAAAAZpZHBfaWRtAAAACmZlZGVyYXRpb25tAAAAC3JlbGF5X3N0YXRlbQAAACA3QnZkZlphTG5hYUZyTW8xcUV4d1RGQVNaT2dmTzAwVm0AAAAKdGFyZ2V0X3VybG0AAAABLw.HmbJ92lF84i-93VItnK4uhIoz88Obv4U_DiR55pXCH0"}, halted: false, host: "localhost", method: "GET", owner: #PID<0.546.0>, params: %{"glob" => ["signin"], "idp_id" => "federation"}, path_info: ["signin"], path_params: %{"glob" => ["signin"], "idp_id" => "federation"}, peer: {{127, 0, 0, 1}, 62421}, port: 4000, private: %{MannequinWeb.Router => {[], %{Samly.Router => []}}, :phoenix_endpoint => MannequinWeb.Endpoint, :phoenix_pipelines => [], :phoenix_router => MannequinWeb.Router, :plug_route => #Function<5.72521736/1 in Samly.AuthRouter.do_match/4>, :plug_session => %{"_csrf_token" => "1RTe58/NvLhUI8rYs2hVEg==", "idp_id" => "federation", "relay_state" => "7BvdfZaLnaaFrMo1qExwTFASZOgfO00V", "target_url" => "/"}, :plug_session_fetch => :done}, query_params: %{}, query_string: "", remote_ip: {127, 0, 0, 1}, req_cookies: %{"_mannequin_key" => "SFMyNTY.g3QAAAAEbQAAAAtfY3NyZl90b2tlbm0AAAAYMVJUZTU4L052TGhVSThyWXMyaFZFZz09bQAAAAZpZHBfaWRtAAAACmZlZGVyYXRpb25tAAAAC3JlbGF5X3N0YXRlbQAAACA3QnZkZlphTG5hYUZyTW8xcUV4d1RGQVNaT2dmTzAwVm0AAAAKdGFyZ2V0X3VybG0AAAABLw.HmbJ92lF84i-93VItnK4uhIoz88Obv4U_DiR55pXCH0"}, req_headers: [{"host", "localhost:4000"}, {"connection", "keep-alive"}, {"user-agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"}, {"upgrade-insecure-requests", "1"}, {"accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8"}, {"accept-encoding", "gzip, deflate, br"}, {"accept-language", "en-US,en;q=0.8"}, {"cookie", "_mannequin_key=SFMyNTY.g3QAAAAEbQAAAAtfY3NyZl90b2tlbm0AAAAYMVJUZTU4L052TGhVSThyWXMyaFZFZz09bQAAAAZpZHBfaWRtAAAACmZlZGVyYXRpb25tAAAAC3JlbGF5X3N0YXRlbQAAACA3QnZkZlphTG5hYUZyTW8xcUV4d1RGQVNaT2dmTzAwVm0AAAAKdGFyZ2V0X3VybG0AAAABLw.HmbJ92lF84i-93VItnK4uhIoz88Obv4U_DiR55pXCH0"}], request_path: "/sso/federation/auth/signin", resp_body: nil, resp_cookies: %{}, resp_headers: [{"cache-control", "max-age=0, private, must-revalidate"}, {"x-request-id", "c900uu3onvpb423hherk3a3of1e95fag"}], scheme: :http, script_name: ["sso", "federation", "auth"], secret_key_base: "d+rlZ7blKgUE5RF9g1TRF/PAeRFjNPIiIlgKYWEGI1WtBCcmRFU5PnfJPzRJtlST", state: :unset, status: nil}
%URI{authority: nil, fragment: nil, host: nil, path: nil, port: nil, query: nil, scheme: nil, userinfo: nil}
localhost:4000 [info] Sent 403 in 13ms
I generated a new certificate and private key for this new config that had localhost as the auth, here is my config in /config.dev.exs - did I need to fill out the entity_id?
config :samly, Samly.Provider,
base_url: "http://localhost:4000/sso", # use your info
service_providers: [
%{
id: "mannequin",
#entity_id: "urn:my-host:my-id",
certfile: "auth/mannequin.crt",
keyfile: "auth/mannequin.pem"
}
],
identity_providers: [
%{
id: "federation",
sp_id: "mannequin",
metadata_file: "auth/idp_metadata.xml", # use correct file name
#pre_session_create_pipeline: SamlyHowtoWeb.Plugs.SamlyPipeline, # optional - your pipeline module here
use_redirect_for_req: false,
sign_requests: true,
sign_metadata: true,
signed_assertion_in_resp: true,
signed_envelopes_in_resp: true
}
]
Are you manually entering this URL in the browser directly? If that is the case the "referer" header is not set and will result in failure. Can you make the sigin-in / sign-out links in some page in your web app and click on that link? The browser will automatically set the referer header and it should work.
Here is what is included in the index.html.eex
file of samly_howto
application:
<%= if @uid do %>
<a href="/sso/<%= @idp_id %>/auth/signout?target_url=<%= @target_url %>"
class="btn btn-sm btn-primary navbar-btn"
role="button">
Sign out from <%= @idp_id %>
</a>
<% else %>
<a href="/sso/<%= @idp_id %>/auth/signin?target_url=<%= @target_url %>"
class="btn btn-sm btn-primary navbar-btn"
role="button">
Sign in with <%= @idp_id %>
</a>
<% end %>
Theidp_id
in your case is federation
.
The entity_id
attribute is optional. If you don't set it, the service provider metadata URL will be used as entity id. Just make sure that it is consistent with how your service provider is registered with the IdP.
Silly me - yes..
Thank you!
Ditto on the "Thank you" - I thought I had in our private thread on elixirforum.com, but it appears I forgot my manners... cheers.. :)
Works well, thanks... will do some more testing and let you know if I hit any snags..
@handnot2 - Is there anyway with the current multi idp setup that I could run my app from a subdomain and use the subdomain to determine the idp to use? I wonder if moving the base_url per SP would allow this flexibility (with minor code changes)... .
I still feel that running my app from a subdomain is a better alternative to white label my application rather than doing it via the URL... e.g
federation.myapp.com is preferred to myapp.com/federation
I don't think I can do it like that and use multi idps with the base_url sitting at the top level in the config.
base_url
change is OKJust need to simplify the config a bit.
Please checkout multi_idp
branch and try this out again. Here is the link to the instructions:
https://github.com/handnot2/samly/wiki/Migrate-Samly-v0.7.x-to-v0.8.0
Feedback appreciated.
With the current code, it's not possible to use more than one identity provider in your application.