hslavich / OneloginSamlBundle

OneLogin SAML Bundle for Symfony
MIT License

I can't get the attributes from the IdP #193

Closed TherypromoTrinity closed 2 years ago

TherypromoTrinity commented 2 years ago

Hi. My project is in Symfony v5.4; my SimpleSAML service provider is in v1.9.

When I try to go to the saml_path (here: http://exemple.org/saml/login), I'm redirected to the identity provider. It sends back the SAML response with attributes to the service provider, but here I have an infinite loop: I'm automatically redirected to http://exemple.org/saml/login.

I didn't configure a RelayState...

If I try the connection from the SimpleSAML admin page it's OK: I'm redirected to the IdP and I have the SAML response with attributes, without redirection.

My security.yml:

```yaml
security:
    enable_authenticator_manager: true
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    providers:
        saml_provider:
            # Basic provider instantiates a user with default roles
            saml:
                user_class: App\Entity\User
                default_roles: ['ROLE_USER']

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            lazy: true
            provider: saml_provider
            pattern: ^/
            saml:
                username_attribute: uid
                use_attribute_friendly_name: true
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout
    access_control:
        - { path: ^/saml/login, roles: PUBLIC_ACCESS }
        - { path: ^/saml/metadata, roles: PUBLIC_ACCESS }
        - { path: ^/, roles: ROLE_USER }
```

I'm losing my hair... thanks for the help. Thery

a-menshchikov commented 2 years ago

@TherypromoTrinity Hi! Could you show the whole request trace (up to the infinite redirection loop)?

TherypromoTrinity commented 2 years ago

Hi @a-menshchikov, thanks for your time.

You can see the first blue cross is my URL to log in; I'm correctly redirected to the IdP, I have the SAML response (black cross), and I'm redirected to my login page (last blue cross).

[screenshot: traceLog-SP-Idp]

The samlController.php:

```php
public function loginAction(Request $request)
{
    $authErrorKey = Security::AUTHENTICATION_ERROR;
    $session = $targetPath = $error = null;

    if ($request->hasSession()) {
        $session = $request->getSession();
        // last segment of the firewall context, e.g. "security.firewall.map.context.main" -> "main"
        $firewallName = array_slice(explode('.', trim($request->attributes->get('_firewall_context'))), -1)[0];
        $targetPath = $session->get('_security.'.$firewallName.'.target_path');
    }

    // [...some verification code...]

    $this->samlAuth->login($targetPath);
}
```

I think I understand the flow: if I have a session, I'm redirected to the $targetPath, which is in security.yaml (check_path: saml_acs).

If I dump $firewallName I see "main". But if I dump $targetPath I see null. I think it's normal, because if I dump $session I don't have the key "security" (even if I unfold the arrows).

[screenshot: dump $session]

If I hard-code the URL (not dynamically) I'm redirected to the URL I want, but not with the POST method, and I lose the response. // $targetPath = 'http://exemple.local.org/saml/acs';

I hope I've given you as much information as possible; maybe I don't understand the flow... thanks a lot, Thery

a-menshchikov commented 2 years ago

@TherypromoTrinity Could you also show your hslavich_onelogin_saml.yaml?

TherypromoTrinity commented 2 years ago

@a-menshchikov [screenshot: oneloginsaml]

I should point out that my "real" metadata in the service provider has multiple ACS entries; I can't insert multiple of them in the yml hslavich_onelogin_saml.yaml.

[screenshot: metadata]

Thanks a lot...!

a-menshchikov commented 2 years ago

@TherypromoTrinity As you can see from the trace above, the IdP sends a POST request (with SAML attributes) to one of your service providers, but then it redirects you to your application (where this bundle works). And, of course, your application still does not know anything about you (because it did not handle the POST request with your SAML attributes on the /saml/acs route, which you specified as the check_path in your security.yaml).

So, your IdP should send the POST request with SAML attributes to your application, on the `/saml/acs` route, to authenticate the user.
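The ACS step described in the comment above, as an added stand-alone example (not the bundle's code and not the issue author's controller): it is built directly on the OneLogin php-saml toolkit that the bundle wraps, and shows what has to happen on the POST to `/saml/acs` before any redirect to a target path. All hosts, entity IDs, the IdP certificate, the `groups`/`uid` attribute names and the session keys are placeholders; the `isSafeRelayState` helper is hypothetical and is not part of the toolkit.

```php
<?php
// Added example: a minimal ACS endpoint on top of OneLogin\Saml2\Auth.
// Assumptions: hosts, entity IDs, certificate and the "uid" attribute are placeholders.

require __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\Auth;

session_start();

$settings = [
    'strict'  => true,   // reject responses whose Destination/Audience/InResponseTo do not match
    'debug'   => false,
    'baseurl' => 'https://app.example.org/saml',   // prefix under which login/acs/metadata live
    'sp' => [
        'entityId' => 'https://app.example.org/saml/metadata',
        'assertionConsumerService' => [
            // The IdP must POST here, to the application itself, not to some other SP.
            'url'     => 'https://app.example.org/saml/acs',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    ],
    'idp' => [
        'entityId' => 'https://idp.example.org/saml2/idp/metadata.php',
        'singleSignOnService' => [
            'url'     => 'https://idp.example.org/saml2/idp/SSOService.php',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'x509cert' => 'MIIC...placeholder...',   // IdP signing certificate (base64 body)
    ],
    'security' => [
        'wantAssertionsSigned' => true,
    ],
];

/**
 * Hypothetical helper: only follow a RelayState that stays on our own origin,
 * otherwise the ACS becomes an open redirect driven by whoever crafted the login link.
 */
function isSafeRelayState(?string $relayState, string $baseUrl): bool
{
    if ($relayState === null || $relayState === '') {
        return false;
    }
    if ($relayState[0] === '/') {
        return strpos($relayState, '//') !== 0;   // "/path" is fine, "//evil.example" is not
    }
    $parts = parse_url($relayState);
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array($parts['scheme'], ['http', 'https'], true)
        && strcasecmp($parts['host'], (string) parse_url($baseUrl, PHP_URL_HOST)) === 0;
}

if (empty($_POST['SAMLResponse'])) {
    // Equivalent of the authenticator's supports(): no SAMLResponse, nothing to authenticate.
    http_response_code(400);
    exit('expected a SAMLResponse POST');
}

$auth = new Auth($settings);
// Pass the AuthnRequest ID saved at login time so unsolicited responses are rejected.
$auth->processResponse($_SESSION['AuthNRequestID'] ?? null);
unset($_SESSION['AuthNRequestID']);

if (!empty($auth->getErrors())) {
    http_response_code(400);
    exit('SAML response rejected: ' . implode(', ', $auth->getErrors())
        . ' (' . $auth->getLastErrorReason() . ')');
}
if (!$auth->isAuthenticated()) {
    http_response_code(401);
    exit('not authenticated');
}

// With the bundle's use_attribute_friendly_name: true, attributes are keyed by FriendlyName
// ("uid") rather than by attribute Name (for uid that is urn:oid:0.9.2342.19200300.100.1.1).
$attributes = $auth->getAttributesWithFriendlyName();
$uid = $attributes['uid'][0] ?? $auth->getNameId();   // assumed attribute name

session_regenerate_id(true);   // fresh session id after authentication (session fixation)
$_SESSION['user'] = ['uid' => $uid, 'attributes' => $attributes];

$target = isSafeRelayState($_POST['RelayState'] ?? null, $settings['baseurl'])
    ? $_POST['RelayState']
    : '/';
header('Location: ' . $target, true, 303);
exit;
```

The `AuthNRequestID` session key is an assumption: the login side has to store `$auth->getLastRequestID()` after building the AuthnRequest (the toolkit's `login()` can return the SSO URL instead of redirecting so the ID can be saved first). Note that the attributes only survive the redirect because they are put in the session before the `Location` header is sent; a `dump()` that exits inside the handler shows them, but nothing after the redirect would.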

TherypromoTrinity commented 2 years ago

@a-menshchikov OK, I'm going to try to change the assertionConsumerService path from http://spxxxxx to http://quizxxxx.org/saml/acs, but I don't manage the IdP, so maybe not right now...

I understood the flow is: project -> IdP -> SP with SAML response and RelayState, with the SAML response in a POST path to -> project,

where the POST path is saml/acs.

TherypromoTrinity commented 2 years ago

@a-menshchikov Hi, the IdP's manager changed the path as you recommended; I still always have a redirection to the saml/login path... [screenshot: traceLog-SP-afterModification]

I modified `hslavich_onelogin_saml.yaml` [screenshot: oneloginsamlModify]

and security [screenshot: security]

Thanks

a-menshchikov commented 2 years ago

@TherypromoTrinity Could you debug the `Hslavich\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator::authenticate` method during the POST request with SAML attributes? If it is not reached, try to find out what happens in the `Hslavich\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator::supports` method.

TherypromoTrinity commented 2 years ago

Hi @a-menshchikov, thank you for the responses.

I tried to debug the first method "authenticate"; I had an error: [screenshot: errorMessage]

So I modified the baseUrl option in hslavich_onelogin_saml.yaml and the code continues...

If I dump your method setSamlAttributes in App\Entity\User I can read the attributes.

If I don't dump anything I'm finally redirected to the home URL [screenshot: traceLog-SP-redirectHome]

And if I code a home page I'm finally redirected to "/saml/login"...

So, infinite loop... [screenshot: traceLog-SP-redirectHomeAndLogin]

😑😣

a-menshchikov commented 2 years ago

@TherypromoTrinity You are right about the hslavich_onelogin_saml.baseurl option; it should end with "/saml" in your case.

Could you describe in more detail the redirect after /saml/acs? What happens in `Hslavich\OneloginSamlBundle\Security\Http\Authentication\SamlAuthenticationSuccessHandler::determineTargetUrl`?

TherypromoTrinity commented 2 years ago

@a-menshchikov In the method determineTargetUrl I have: [screenshot: url]

But I'm redirected to "/".

If I dump and exit $attributes in setSamlAttributes() I have the user attributes, but when I'm redirected to home I lose them...

a-menshchikov commented 2 years ago

@TherypromoTrinity This value is returned from determineTargetUrl but finally you are redirected to /, am I understanding you correctly? Could you show the request trace from the Network tab of a browser (not SAML tracer)?

TherypromoTrinity commented 2 years ago

@a-menshchikov Yes, you understood correctly (and have since the beginning of our exchanges).

Here is the (same) result from the Mozilla browser [screenshot: traceLog-Mozilla]

TherypromoTrinity commented 2 years ago

@a-menshchikov In security.yaml I uncommented `{ path: ^/, roles: ROLE_USER }`; now I'm redirected to /saml/login, but in an infinite loop...

[screenshot: traceLog-MozillaBis]

a-menshchikov commented 2 years ago

@TherypromoTrinity This question may seem strange, but: does your user have the ROLE_USER role? :thinking:

TherypromoTrinity commented 2 years ago

@a-menshchikov I'm really losing my mind over this subject...

I changed ROLE_USER to EMPODA, but with both roles I'm redirected...

I see this in the browser: [screenshot: redirect]

TherypromoTrinity commented 2 years ago

@a-menshchikov and in determineTargetUrl() [screenshot: redirectpath]

I'm really sorry, I don't understand what's happening...

a-menshchikov commented 2 years ago

@TherypromoTrinity The role name should have a ROLE_ prefix by default. Could you show your logs (from dev environment with debug error level)?
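The ROLE_ prefix point above (and the earlier question whether the user actually holds ROLE_USER), as an added example that is neither the issue author's entity nor the bundle's own code: a minimal `App\Entity\User` for the bundle's basic `saml` provider. It assumes the `(identifier, roles)` constructor that the provider calls, an IdP attribute named `groups` (placeholder) carrying group names, and Symfony 5.4's `UserInterface`; the `toRole` helper is hypothetical.

```php
<?php
// Added example: User entity that maps SAML attributes to Symfony roles.
// Assumptions: constructor (identifier, roles); "groups" is a placeholder attribute name.
namespace App\Entity;

use Hslavich\OneloginSamlBundle\Security\User\SamlUserInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface, SamlUserInterface
{
    private string $identifier;
    /** @var string[] */
    private array $roles;
    /** @var array<string, string[]> */
    private array $samlAttributes = [];

    public function __construct(string $identifier, array $roles = [])
    {
        $this->identifier = $identifier;
        $this->roles = array_map([self::class, 'toRole'], $roles);
    }

    /** Called by the bundle after authentication with the attributes from the assertion. */
    public function setSamlAttributes(array $attributes): void
    {
        $this->samlAttributes = $attributes;
        foreach ($attributes['groups'] ?? [] as $group) {   // assumed attribute name
            $this->roles[] = self::toRole($group);
        }
    }

    /**
     * Hypothetical helper. Symfony's RoleVoter only considers attributes that start with
     * ROLE_; an access_control rule with roles: EMPODA is ignored by it, and when every
     * voter abstains the default strategy denies access, which sends the user back to
     * login_path even though authentication succeeded.
     */
    public static function toRole(string $name): string
    {
        $normalized = strtoupper(trim(preg_replace('/[^A-Za-z0-9]+/', '_', $name), '_'));
        return strpos($normalized, 'ROLE_') === 0 ? $normalized : 'ROLE_' . $normalized;
    }

    public function getRoles(): array
    {
        // Guarantee ROLE_USER so a rule like { path: ^/, roles: ROLE_USER } passes for any SAML user.
        return array_values(array_unique(array_merge($this->roles, ['ROLE_USER'])));
    }

    public function getSamlAttributes(): array { return $this->samlAttributes; }
    public function getUserIdentifier(): string { return $this->identifier; }
    public function getUsername(): string { return $this->identifier; }   // still used by Symfony 5.4
    public function getPassword(): ?string { return null; }   // SAML users have no local password
    public function getSalt(): ?string { return null; }
    public function eraseCredentials(): void {}
}
```

With this entity, `User::toRole('EMPODA')` yields `ROLE_EMPODA`, so an access_control entry has to be written as `roles: ROLE_EMPODA` to match; the `getRoles()` result is what the firewall checks after the ACS redirect, not the raw attribute array.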

TherypromoTrinity commented 2 years ago

@a-menshchikov Really sorry for not having answered sooner; I had to do a fix on another app. I am resuming this ongoing project for the moment. Thanks a lot!

a-menshchikov commented 2 years ago

@TherypromoTrinity Hi. Is the issue still relevant, or can it be closed?

TherypromoTrinity commented 2 years ago

Hi @a-menshchikov, it's not OK, because I'm actually working on another project. You can close this issue. Thanks a lot.