hslavich / OneloginSamlBundle

OneLogin SAML Bundle for Symfony
MIT License
149 stars 94 forks

What is supposed to happen after the POST request initiated by IdP to /saml/acs? #192

Closed vesnacustic closed 2 years ago

vesnacustic commented 2 years ago

Hello!

I'm using version 1.8.2 of this bundle and I have a problem with authenticating a user in an existing application via IdP. The existing application has an admin view which is protected with a /login route, and my idea was to add another route /files for which the authentication will be provided by the IdP.

Everything seems to be working, up until the POST request to /saml/acs. At first (based on the readme config instructions) I had no access_control defined for the /saml/acs route, which led to the error described here: https://github.com/hslavich/OneloginSamlBundle/issues/20. After reading the discussion on the given issue, I added the following line to access_control:

        - { path: ^/saml/acs, roles: ROLE_USER }

Was I correct in adding this? What happens now is that the user is being redirected from /saml/acs to the existing /login route. What is usually supposed to happen after the POST to /saml/acs is sent? At what point is the user factory hit?

Thank you!

a-menshchikov commented 2 years ago

@vesnacustic hello! Could you show the whole security.yml ?

vesnacustic commented 2 years ago

Sure @a-menshchikov , here it is:

security:
    providers:
        ezpublish:
            id: ezpublish.security.user_provider
        saml_provider:
            saml:
                user_class: 'AppBundle\Entity\User'
                default_roles: ['ROLE_USER']

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        ezpublish_forgot_password:
            pattern: /user/(forgot-password|reset-password)
            security: false

        app:
            pattern: ^/files
            anonymous: true
            saml:
                username_attribute: uid
                use_attribute_friendly_name: true
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout

        ezpublish_front:
            pattern: ^/
            anonymous: ~
            ezpublish_rest_session: ~
            form_login:
                require_previous_session: false
                csrf_token_generator: security.csrf.token_manager
            logout_on_user_change: true
            logout: ~

        main:
            anonymous: ~
            logout_on_user_change: true

    access_control:
        - { path: ^/saml/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/saml/metadata, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/files, roles: ROLE_USER }
        - { path: ^/saml/acs, roles: ROLE_USER }
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }

I tried debugging my code after the POST request to /saml/acs, but can't catch a breakpoint anywhere, not even in the Auth.php method processResponse: https://github.com/onelogin/php-saml/blob/f9e44f9a3220c4f28fab70086cdb5d35df18c887/src/Saml2/Auth.php#L217.

What could happen before this that prevents this code from being executed?

a-menshchikov commented 2 years ago

With your settings the /saml/acs request (as well as any other /saml/* request) isn't handled by SamlBundle, because you use it only for ^/files requests (the app firewall).

To solve this issue, you can change the app firewall pattern to something like ^/(files|saml).
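The firewall-selection rule behind this answer can be checked without booting Symfony. The script below is an added example written for this thread, not code from the bundle or from either commenter: it mirrors the firewall map and access_control from the posted security.yml as plain Python data, applies Symfony's first-matching-firewall and first-matching-access-rule semantics (a regex search against the path, as RequestMatcher does), and reports which firewall ends up owning each SAML route before and after the suggested pattern change. The four route paths are assumed to be the bundle's defaults; /saml/logout in particular is not quoted in the thread and is a placeholder.

```python
import re
from typing import List, Optional, Tuple

# Constructed from the security.yml posted above: (firewall name, pattern)
# in declaration order. A pattern of None matches every request, which is
# how a firewall without `pattern:` behaves.
FIREWALLS_BEFORE: List[Tuple[str, Optional[str]]] = [
    ("dev", r"^/(_(profiler|wdt)|css|images|js)/"),
    ("ezpublish_forgot_password", r"/user/(forgot-password|reset-password)"),
    ("app", r"^/files"),            # the SAML firewall as originally configured
    ("ezpublish_front", r"^/"),     # catch-all with form_login -> /login redirect
    ("main", None),
]

# Same map with the pattern change suggested in the reply.
FIREWALLS_AFTER: List[Tuple[str, Optional[str]]] = [
    (name, r"^/(files|saml)" if name == "app" else pattern)
    for name, pattern in FIREWALLS_BEFORE
]

# access_control from the thread, again in declaration order (first match wins).
ACCESS_CONTROL: List[Tuple[str, str]] = [
    (r"^/saml/login", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/saml/metadata", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/files", "ROLE_USER"),
    (r"^/saml/acs", "ROLE_USER"),
    (r"^/", "IS_AUTHENTICATED_ANONYMOUSLY"),
]

# Assumed bundle route paths; /saml/logout is a placeholder not quoted in the thread.
SAML_ROUTES = ["/saml/login", "/saml/acs", "/saml/metadata", "/saml/logout"]


def pattern_matches(pattern: Optional[str], path: str) -> bool:
    """Symfony matches `pattern` with preg_match against the path info, i.e. an
    unanchored search; a missing pattern matches everything."""
    return pattern is None or re.search(pattern, path) is not None


def resolve_firewall(firewalls: List[Tuple[str, Optional[str]]], path: str) -> Optional[str]:
    """Return the name of the first firewall whose pattern matches `path`."""
    for name, pattern in firewalls:
        if pattern_matches(pattern, path):
            return name
    return None


def resolve_access(access_control: List[Tuple[str, str]], path: str) -> Optional[str]:
    """Return the roles required by the first matching access_control rule."""
    for pattern, roles in access_control:
        if re.search(pattern, path):
            return roles
    return None


def unhandled_saml_routes(firewalls: List[Tuple[str, Optional[str]]],
                          saml_firewall: str = "app") -> List[str]:
    """List the SAML routes that some firewall other than `saml_firewall` would
    claim. Any non-empty result means the bundle's listener never sees them."""
    return [p for p in SAML_ROUTES if resolve_firewall(firewalls, p) != saml_firewall]


if __name__ == "__main__":
    for label, firewalls in (("before", FIREWALLS_BEFORE), ("after", FIREWALLS_AFTER)):
        print(f"== {label} ==")
        for path in SAML_ROUTES:
            print(f"{path:16} firewall={resolve_firewall(firewalls, path):24} "
                  f"access={resolve_access(ACCESS_CONTROL, path)}")
        print("not reaching the SAML firewall:", unhandled_saml_routes(firewalls))
```

With the original ^/files pattern every /saml/* path falls through to ezpublish_front, whose form_login entry point is what produced the redirect to /login in the question; no breakpoint in the bundle or in php-saml fires because that firewall never invokes the SAML listener. After widening the pattern, all four routes resolve to app and the access_control entries for them become meaningful. A list such as the one returned by unhandled_saml_routes is a cheap check to keep next to any multi-firewall security.yml, since a later catch-all firewall absorbs unmatched routes silently.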

vesnacustic commented 2 years ago

@a-menshchikov Ohhh yes! Totally missed that part, thank you for noticing this!