Closed richardbourne-ct closed 5 years ago
Looks like the assertion is signed but the message itself is not signed. Can you enable message signing in your IdP and try it out?
What error are you getting with `signed_assertion_in_resp: true` and `signed_envelopes_in_resp: false`?
I'm working on message signing - will report back.
In the meantime, I tried those settings and received:
`access_denied {:invalid_request, "{:error, {:assertion, {:error, :cert_not_accepted}}}"}`
That is the root cause. esaml/samly is not able to work with the Azure federated SSO cert included in the response.
Can you check if openssl is able to print the contents of this certificate?
Can you use a self-signed certificate? I think that will address this issue.
Yes, openssl is able to print it successfully.
I will check about using self-signed.
I asked about self-signed:
"In SAML the signing/decryption certificates are always self-signed."
If you search for `cert_not_accepted` in esaml, you will find that this error occurs when the cert fingerprint is not trusted. It is possible for this to happen when the certificate in the idp metadata file specified in the config does not match the one coming through the SAML response. Can you check if this mismatch exists? Would you be able to share the idp metadata file? (Do so only if you think it is not an issue for you to share it publicly.)
Ah! Looks like I was using the wrong idp metadata file (we have 3 environments set up). Now that I have the correct one in place, I'm further along!
Now seeing an issue with `:bad_audience` being returned from the `validate_assertion/3` function in esaml.

```erlang
validate_assertion(AssertionXml, Recipient, Audience) ->
    case decode_assertion(AssertionXml) of
        {error, Reason} ->
            {error, Reason};
        {ok, Assertion} ->
            %% Each check returns the assertion unchanged or stops the chain with an error.
            esaml_util:threaduntil([
                fun(A) -> case A of
                    #esaml_assertion{version = "2.0"} -> A;
                    _ -> {error, bad_version}
                end end,
                fun(A) -> case A of
                    #esaml_assertion{recipient = Recipient} -> A;
                    _ -> {error, bad_recipient}
                end end,
                %% The audience in <Conditions> must equal the Audience passed in
                %% (the SP entity_id); a missing audience is accepted.
                fun(A) -> case A of
                    #esaml_assertion{conditions = Conds} ->
                        case proplists:get_value(audience, Conds) of
                            undefined -> A;
                            Audience -> A;
                            _ -> {error, bad_audience}
                        end;
                    _ -> A
                end end,
                fun check_stale/1
            ], Assertion)
    end.
```
The only reference to conditions or Audience in the SAML response is:

```xml
<Conditions NotBefore="2019-01-28T11:34:28.244Z" NotOnOrAfter="2019-01-28T12:34:28.244Z">
  <AudienceRestriction>
    <Audience>spn:be0cd693-414f-4369-b316-a89d133953ba</Audience>
  </AudienceRestriction>
</Conditions>
```
Set your service provider `entity_id` to that audience value (`"spn:be0cd693-414f-4369-b316-a89d133953ba"`) in config. If the `entity_id` value is not specified in config, the sp metadata URL is used. If you have multiple IdPs, make sure you are using the correct service provider config to set the `entity_id` value. Hopefully this resolves the issue! :-)
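The two failure modes worked through in this thread, `cert_not_accepted` (signing cert in the response does not match the one in the configured IdP metadata) and `bad_audience` (`<Audience>` does not equal the SP `entity_id`), can be checked offline before touching the samly config. The script below is an added example, not samly or esaml code; it assumes SHA-256 fingerprints and constructed fake DER blobs in place of real certificates.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def fingerprint(b64_cert):
    # SHA-256 over the DER bytes carried in <ds:X509Certificate> (assumed algorithm)
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def diagnose(idp_metadata_xml, response_xml, sp_entity_id):
    """Return the esaml-style errors this combination would hit ([] means OK)."""
    errors = []
    trusted = {fingerprint(c.text) for c in
               ET.fromstring(idp_metadata_xml).iterfind(".//ds:X509Certificate", NS)}
    resp = ET.fromstring(response_xml)
    # cert_not_accepted: a signing cert in the response is not in the IdP metadata
    if any(fingerprint(c.text) not in trusted
           for c in resp.iterfind(".//ds:X509Certificate", NS)):
        errors.append("cert_not_accepted")
    # bad_audience: <Audience> must equal the SP entity_id (default: SP metadata URL)
    if any(a.text.strip() != sp_entity_id
           for a in resp.iterfind(".//saml:Audience", NS)):
        errors.append("bad_audience")
    return errors

# Constructed sample data: fake DER blobs stand in for real certificates.
CERT_A = base64.b64encode(b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-cert-B").decode()
AUD = "spn:be0cd693-414f-4369-b316-a89d133953ba"   # audience quoted in the thread
X509 = "<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>"
IDP_METADATA = ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"><md:IDPSSODescriptor>'
                '<md:KeyDescriptor use="signing"><ds:KeyInfo>%s</ds:KeyInfo>'
                '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>'
                % (NS["md"], NS["ds"], X509 % CERT_A))

def response_with(cert, audience):
    return ('<saml:Assertion xmlns:saml="%s" xmlns:ds="%s"><ds:Signature><ds:KeyInfo>%s'
            '</ds:KeyInfo></ds:Signature><saml:Conditions><saml:AudienceRestriction>'
            '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion>'
            % (NS["saml"], NS["ds"], X509 % cert, audience))

if __name__ == "__main__":
    print(diagnose(IDP_METADATA, response_with(CERT_B, AUD), AUD))   # ['cert_not_accepted']
    print(diagnose(IDP_METADATA, response_with(CERT_A, "https://sp/metadata"), AUD))  # ['bad_audience']
    print(diagnose(IDP_METADATA, response_with(CERT_A, AUD), AUD))   # []
```

Point `IDP_METADATA` at the metadata file actually referenced in the samly config and `response_xml` at a decoded response from the SAML tracer to reproduce the mismatch described above.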
Hurray! That did it - thank you for all your help.
I was specifying the `entity_id` but was setting it to the same as the SP `id`.
I’m currently trying to use Samly with ADFS, everything going well up until the response is verified - where I start seeing a :badmatch error:
access_denied {:invalid_request, "{:error, {{:badmatch, []}, [{:xmerl_dsig, :verify, 2, [file: '/PHX/deps/esaml/src/xmerl_dsig.erl', line: 168]}...
Line 168 in xmerl_dsig.erl is:

```erlang
[#xmlAttribute{value = SignatureMethodAlgorithm}] = xmerl_xpath:string("ds:Signature/ds:SignedInfo/ds:SignatureMethod/@Algorithm", Element, [{namespace, DsNs}]),
```
I’ve added some logging in there to confirm that Element exists and appears to contain what is being asked of it.
This error comes with config for the IDP like:
I’ve tried setting the latter two to false individually and together and get different errors.
I can see the SAML response when it comes back and verify that it’s what I’m expecting (via an online SAML decoder).
Versions are:
phoenix: 1.3.4
esaml: 3.6.1
samly: 0.9.3
@handnot2: Is ADFS configured to encrypt the SAML assertion attributes?
ADFS is only set to sign the assertion - there is no option to encrypt.
I tried again just to confirm with `signed_assertions_in_resp: false` and got the same error. Maybe there is something else going on with ADFS?
I did have to enter a couple of the config settings in what seemed to be the wrong place in order to get things working - for example (which might help with the integration if it hasn't already been taken care of):
- `entity_id` needed to match its `id`.
- `base_url` needed to be set to `http://my_website.com/sso` - this may just be my misunderstanding but I assumed I needed the `.../sso` URL in the SP config.
Here is an example SAML response (retrieved using the Firefox SAML-Tracer addon) with the details altered:
Thanks in advance.