Closed TherypromoTrinity closed 2 years ago
@TherypromoTrinity hi! Could you show the whole request trace (up to the infinite redirection loop)?
Hi @a-menshchikov, thanks for your time.
You can see the first blue cross is my URL to log me in; I'm correctly redirected to the IdP, I have the SAML response (black cross), and I'm redirected to my login connection (last blue cross).
The samlController.php:
```php
<?php
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Security;

public function loginAction(Request $request)
{
    $authErrorKey = Security::AUTHENTICATION_ERROR;
    $session = $targetPath = $error = null;
    if ($request->hasSession()) {
        $session = $request->getSession();
        // Firewall name is the last segment of the firewall context (e.g. "...context.main" -> "main")
        $firewallName = array_slice(explode('.', trim($request->attributes->get('_firewall_context'))), -1)[0];
        // Path the user originally requested before being sent to the IdP; null if nothing was stored
        $targetPath = $session->get('_security.'.$firewallName.'.target_path');
    }
    // [...some verification code...]
    $this->samlAuth->login($targetPath);
}
```
I think I understand the flow: if I have a session, I'm redirected to the $targetPath, which is in security.yaml (check_path: saml_acs).
If I dump $firewall I see "main", but if I dump $targetPath I see null. I think it's normal because if I dump $session I don't have the key "security" (even if I unfold the arrows).
If I give the URL "hard-coded" (not dynamically) I'm redirected to the URL I want, but not with the POST method, so I lose the response. `// $targetPath = 'http://exemple.local.org/saml/acs';`
I hope I've given you as much information as possible; maybe I don't understand the flow... Thanks a lot, Thery
@TherypromoTrinity
Could you also show your `hslavich_onelogin_saml.yaml`?
@a-menshchikov
I should point out that my "real" metadata in the service provider has multiple ACS entries; I can't insert multiple ones in the hslavich_onelogin_saml.yaml.
Thanks a lot...!
@TherypromoTrinity
As you can see from the trace above, the IdP sends a POST request (with SAML attributes) to one of your service providers, but then it redirects you to your application (where this bundle works). And, of course, your application still does not know anything about you (because it did not handle the POST request with your SAML attributes on the `/saml/acs` route, which you specified as `check_path` in your `security.yaml`).
So, your IdP should send the POST request with SAML attributes to your application, on the `/saml/acs` route, to authenticate the user.
@a-menshchikov OK, I'm going to try to change the assertionConsumerService path from http://spxxxxx to http://quizxxxx.org/saml/acs, but I don't manage the IdP so maybe not right now...
I understood the flow is: project -> IdP -> SP with SAML response and RelayState, with the SAML response in a POST to -> project,
where the POST path is saml/acs
@a-menshchikov Hi, the IdP's manager changed the path as you recommended; I still get a redirection to the saml/login path..
I modified the `hslavich_onelogin_saml.yaml`
and security
Thanks
@TherypromoTrinity
Could you debug the `Hslavich\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator::authenticate` method during the POST request with SAML attributes?
If it is not reached, try to find out what happens in the `Hslavich\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator::supports` method.
Hi @a-menshchikov, thank you for your responses.
I tried to debug the first method "authenticate"; I had an error:
so I modified the baseUrl option in hslavich_onelogin_saml.yaml
and the code continues..
If I dump your method setSamlAttributes in App\Entity\User I can read the attributes.
If I don't dump anything I'm finally redirected to the home URL.
And if I code a home page I'm finally redirected to "/saml/login"..
So, infinite loop...
😑😣
@TherypromoTrinity
You are right about the `hslavich_onelogin_saml.baseurl` option, it should end with "/saml" in your case.
Could you describe in more detail the redirect after `/saml/acs`?
What happens in `Hslavich\OneloginSamlBundle\Security\Http\Authentication\SamlAuthenticationSuccessHandler::determineTargetUrl`?
@a-menshchikov
In the method determineTargetUrl I have:
but I'm redirected to "/".
If I dump and exit $attributes in setSamlAttributes() I have the user attributes, but when I'm redirected to home I lose them..
@TherypromoTrinity
This value is returned from `determineTargetUrl` but finally you are redirected to `/`, do I understand you correctly?
Could you show the request trace from the Network tab of a browser (not SAML tracer)?
@a-menshchikov Yes, you understood correctly (and have since the beginning of our exchanges).
Here is the (same) result from the Mozilla browser
@a-menshchikov In security.yaml I uncommented `{ path: ^/, roles: ROLE_USER }`; now I'm redirected to /saml/login, but in an infinite loop...
@TherypromoTrinity
This question may seem strange, but: does your user have the `ROLE_USER` role? :thinking:
@a-menshchikov I'm really losing my mind over this subject...
I changed ROLE_USER to EMPODA, but with both roles I'm redirected..
I see this in the browser:
@a-menshchikov
and in determinateUrl()
I'm really sorry, I don't understand what's happening...
@TherypromoTrinity
The role name should have a `ROLE_` prefix by default.
Could you show your logs (from the dev environment with debug error level)?
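As an added example (not from this thread or the bundle's own docs), here are the two configuration points raised above side by side with their corrected form: the IdP must POST the response to the application's own `/saml/acs` (as the maintainer said earlier), `baseurl` must end in `/saml`, and the access rule must use a `ROLE_`-prefixed role. The `exemple.org` host and the `uid` attribute name are assumptions.

```yaml
# config/packages/hslavich_onelogin_saml.yaml (excerpt, constructed example)
hslavich_onelogin_saml:
    sp:
        entityId: 'http://exemple.org/saml/metadata'   # assumed host
        assertionConsumerService:
            # The IdP must POST the SAMLResponse to the Symfony app itself,
            # not to a separate SP that then redirects the browser here.
            url: 'http://exemple.org/saml/acs'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    # Wrong:  baseurl: 'http://exemple.org'
    # The bundle's routes live under /saml, so baseurl must end there:
    baseurl: 'http://exemple.org/saml'
    strict: true
    debug: false

# config/packages/security.yaml (excerpt, constructed example, Symfony 5.4)
security:
    enable_authenticator_manager: true
    firewalls:
        main:
            pattern: ^/
            saml:
                username_attribute: uid    # assumed SAML attribute carrying the username
                check_path: saml_acs       # POST route that SamlAuthenticator::supports() matches
                login_path: saml_login     # where unauthenticated users are sent
            logout:
                path: saml_logout
    access_control:
        # Login and metadata endpoints stay public; otherwise the redirect to
        # /saml/login itself hits the ROLE_USER rule and the loop never ends.
        - { path: ^/saml/(login|metadata), roles: PUBLIC_ACCESS }
        # Wrong:  - { path: ^/, roles: EMPODA }
        # The role voter only handles attributes starting with ROLE_, so an
        # unprefixed role is never granted and every page redirects to login.
        - { path: ^/, roles: ROLE_USER }
```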
@a-menshchikov Really sorry for not having answered sooner, I had to do a fix on another app.. I am resuming this ongoing project for the moment. Thanks a lot!
@TherypromoTrinity Hi. Is the issue still relevant, or can it be closed?
Hi @a-menshchikov, it's not OK because I'm actually working on another project. You can also close this issue.. Thanks a lot..
Hi, my project is in Symfony v5.4; my simpleSAML service provider is in v1.9.
When I try to go to the saml_path (here: http://exemple.org/saml/login), I'm redirected to the identity provider. It sends back the SAML response with attributes to the service provider, but here I have an infinite loop: I'm automatically redirected to http://exemple.org/saml/login
I didn't configure a RelayState...
If I try the connection from the simpleSAML admin page it's OK: I'm redirected to the IdP and I get the SAML response with attributes, without redirection.
my security.yml
I'm losing my hair.. thanks for the help.. Thery