lightSAML / SpBundle

SAML2 SP Symfony Bundle based on LightSAML
https://www.lightsaml.com/SP-Bundle/
MIT License

Undefined Index #13

Closed mykehsd closed 8 years ago

mykehsd commented 8 years ago

I am setting this bundle up in my Symfony 3.0.1 application. I followed the setup document exactly and installed my vendor's IDP configuration (I'm using OKTA). When I go to the login page, I'm redirected to OKTA, which is great. When I log in there I'm redirected back to my site (/saml/login) and several errors are generated. It then proceeds to redirect back and forth constantly.

Can you point me in the direction of the problem?

Undefined index: http_request Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: own_entity Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":62,"level":28928,"scream":true}

Undefined index: party_entity Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: endpoint Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: inbound_message Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: outbound_message Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: serialization Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":62,"level":28928,"scream":true}

mykehsd commented 8 years ago

The result is a redirect loop:

GET /saml/login 200 OK
GET /saml/discovery 302 Found
POST /saml/login 302 Found

tmilos commented 8 years ago

Which php version do you have?

On both line 100 and line 62 in that class the silent error operator is used to fetch an array item.

$existing = @$this->subContexts[$name];

I never saw this making such errors. Maybe it's something about the configuration. If you don't resolve it, I could patch the code so @ is not used.
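The read discussed above, as an added example that is not LightSAML's code: a hypothetical registry class does the same `@$this->subContexts[$name]` lookup next to two lookups that never raise a notice, and a minimal error handler shows why a silenced notice can still end up in a Symfony log with "scream":true (Symfony's debug ErrorHandler records silenced errors the same way). Class and method names are assumptions; it needs PHP 7.2 or later.

```php
<?php
// Added example, not LightSAML's code: why an array read silenced with "@"
// still appears in a Symfony log as "Undefined index", and two lookups that
// raise no notice at all. Needs PHP 7.2 or later.
declare(strict_types=1);

// Hypothetical stand-in for a registry of named sub-contexts.
final class SubContextRegistry
{
    /** @var array<string, object> */
    private $subContexts = [];

    public function add(string $name, object $ctx): void
    {
        $this->subContexts[$name] = $ctx;
    }

    // The pattern discussed in the thread. "@" only stops PHP from printing
    // the notice; the engine still raises it and still invokes a registered
    // error handler, which is why a debug handler can log it anyway.
    public function getSilenced(string $name): ?object
    {
        $existing = @$this->subContexts[$name];
        return $existing;
    }

    // Null coalescing reads a missing key without raising anything.
    public function getCoalesced(string $name): ?object
    {
        return $this->subContexts[$name] ?? null;
    }

    // Explicit key test: the same effect spelled out.
    public function getChecked(string $name): ?object
    {
        return array_key_exists($name, $this->subContexts) ? $this->subContexts[$name] : null;
    }

    // Plain read with no silencing: raises the notice for real.
    public function getUnchecked(string $name): ?object
    {
        return $this->subContexts[$name];
    }
}

// A handler in the spirit of Symfony's debug ErrorHandler, which records
// notices even when "@" silenced them (the "scream":true seen in the log
// context above). Inside "@", error_reporting() returns 0 on PHP 7 and a
// reduced mask on PHP 8, so the handler can tell the two cases apart.
$log = [];
set_error_handler(function (int $type, string $message, string $file, int $line) use (&$log): bool {
    $silenced = (error_reporting() & $type) === 0;
    $log[] = sprintf('%s [%s] %s:%d', $message, $silenced ? 'scream' : 'normal', basename($file), $line);
    return true; // handled; do not fall through to PHP's own output
});

$registry = new SubContextRegistry();
$registry->add('deserialization', new stdClass());

$registry->getSilenced('http_request');   // raised, hidden by "@", logged with tag "scream"
$registry->getUnchecked('http_request');  // raised and logged with tag "normal"
$registry->getCoalesced('http_request');  // nothing raised, nothing logged
$registry->getChecked('http_request');    // nothing raised, nothing logged

restore_error_handler();

foreach ($log as $entry) {
    echo $entry, PHP_EOL;
}
```

The point for anyone reading such a log: a "scream" entry is not a crash, it is a silenced notice that the debug handler chose to record. Removing "@" changes whether the notice is printed, not whether it is raised; only a lookup that does not touch the missing key (the `??` or `array_key_exists` forms) keeps it out of the log entirely. On PHP 8 the same read produces an E_WARNING reading "Undefined array key" instead of the E_NOTICE "Undefined index" shown in this thread.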

tmilos commented 8 years ago

The silent error operator has been removed in lightsaml/lightsaml and released as 1.0.5. Run composer update and try it again.

mykehsd commented 8 years ago

I still get the same redirect and still a few errors with AbstractContext. I'm using PHP 7.0.1.

[2016-01-29 04:21:58] app.DEBUG: Signing disabled {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\Action\Profile\Outbound\Message\SignMessageAction","top_context_id":"0000000055fff3b90000000169924268"} []
[2016-01-29 04:21:58] php.DEBUG: Undefined index: http_response {"type":8,"file":"vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php","line":62,"level":28928} []
[2016-01-29 04:21:58] php.DEBUG: Undefined index: http_response {"type":8,"file":"vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php","line":100,"level":28928} []
[2016-01-29 04:21:58] php.DEBUG: Undefined index: serialization {"type":8,"file":"vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php","line":62,"level":28928} []
[2016-01-29 04:21:58] php.DEBUG: Undefined index: serialization {"type":8,"file":"vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php","line":100,"level":28928} []
[2016-01-29 04:21:58] app.INFO: Sending message {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\Action\Profile\Outbound\Message\SendMessageAction","top_context_id":"0000000055fff3b90000000169924268","message":"<?xml version=\"1.0\"?>\n<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_73ada8bfaa0d5a6a2d8a48a6ae08c5cb04f85737bf\" Version=\"2.0\" IssueInstant=\"2016-01-29T04:21:58Z\" Destination=\"https://......okta.com/app/....../exk3zgn1tbHURFeAB0x7/sso/saml\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">http://www.okta.com/exk3zgn1tbHURFeAB0x7/saml:Issuer\n"} []
[2016-01-29 04:21:58] request.INFO: Matched route "_wdt". {"route_parameters":{"_controller":"web_profiler.controller.profiler:toolbarAction","token":"b02c48","_route":"_wdt"},"request_uri":"http://72e5bd41.ngrok.com/_wdt/b02c48"} []
[2016-01-29 04:21:58] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 04:21:59] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_controller":"LightSaml\SpBundle\Controller\DefaultController::loginAction","_route":"lightsaml_sp.login"},"request_uri":"http://.....ngrok.com/saml/login"} []
[2016-01-29 04:21:59] security.INFO: Populated the TokenStorage with an anonymous Token. [] []

tmilos commented 8 years ago

Check in your composer.lock that lightsaml/lightsaml is on version 1.0.5. It's really strange to me that line 100, which in v1.0.5 is if ($existing === $subContext) {, can produce the error php.DEBUG: Undefined index: serialization.

Also, please paste the whole log, including the sending of the authn request (app.INFO: Sending message) and the receiving of the response (app.INFO: Received message), in a GitHub code block with 3 backticks as shown here, so the message XML is readable and not lost by GitHub XSS processing.

mykehsd commented 8 years ago

Interesting, it's not showing that serialization error anymore - but I was sure I updated. Anyway... here's the log. I don't see any 'Received Message' statement.

[2016-01-29 22:00:28] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_controller":"LightSaml\\SpBundle\\Controller\\DefaultController::loginAction","_route":"lightsaml_sp.login"},"request_uri":"http://72e5bd41.ngrok.com/saml/login"} []
[2016-01-29 22:00:28] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:28] request.INFO: Matched route "lightsaml_sp.discovery". {"route_parameters":{"_controller":"LightSaml\\SpBundle\\Controller\\DefaultController::discoveryAction","_route":"lightsaml_sp.discovery"},"request_uri":"http://72e5bd41.ngrok.com/saml/discovery"} []
[2016-01-29 22:00:28] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:28] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_controller":"LightSaml\\SpBundle\\Controller\\DefaultController::loginAction","_route":"lightsaml_sp.login"},"request_uri":"http://72e5bd41.ngrok.com/saml/login?idp=http%3A%2F%2Fwww.okta.com%2Fxxxxxxx"} []
[2016-01-29 22:00:28] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:28] app.DEBUG: Endpoint resolved to location "https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml" and binding "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\ResolveEndpointIdpSsoAction","top_context_id":"000000001e698333000000012247b69a","endpointLocation":"https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml","endpointBinding":"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"} []
[2016-01-29 22:00:28] app.INFO: Message ID set to "_bfe99f8b540f6f62fe9fe09e53f8a6d8aa91253f24" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\MessageIdAction","top_context_id":"000000001e698333000000012247b69a","message_id":"_bfe99f8b540f6f62fe9fe09e53f8a6d8aa91253f24"} []
[2016-01-29 22:00:28] app.DEBUG: Message Version set to "2.0" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\MessageVersionAction","top_context_id":"000000001e698333000000012247b69a"} []
[2016-01-29 22:00:28] app.INFO: Message IssueInstant set to "2016-01-29T22:00:28Z" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\MessageIssueInstantAction","top_context_id":"000000001e698333000000012247b69a"} []
[2016-01-29 22:00:28] app.DEBUG: Destination set to "https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\DestinationAction","top_context_id":"000000001e698333000000012247b69a"} []
[2016-01-29 22:00:28] app.DEBUG: Issuer set to "http://www.okta.com/xxxxxxx" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\CreateMessageIssuerAction","top_context_id":"000000001e698333000000012247b69a"} []
[2016-01-29 22:00:28] app.DEBUG: Signing disabled {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\SignMessageAction","top_context_id":"000000001e698333000000012247b69a"} []
[2016-01-29 22:00:28] app.INFO: Sending message {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\SendMessageAction","top_context_id":"000000001e698333000000012247b69a","message":"<?xml version=\"1.0\"?>\n<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_bfe99f8b540f6f62fe9fe09e53f8a6d8aa91253f24\" Version=\"2.0\" IssueInstant=\"2016-01-29T22:00:28Z\" Destination=\"https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">http://www.okta.com/xxxxxxx</saml:Issuer></AuthnRequest>\n"} []
[2016-01-29 22:00:29] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_controller":"LightSaml\\SpBundle\\Controller\\DefaultController::loginAction","_route":"lightsaml_sp.login"},"request_uri":"http://72e5bd41.ngrok.com/saml/login"} []
[2016-01-29 22:00:29] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:30] request.INFO: Matched route "lightsaml_sp.discovery". {"route_parameters":{"_controller":"LightSaml\\SpBundle\\Controller\\DefaultController::discoveryAction","_route":"lightsaml_sp.discovery"},"request_uri":"http://72e5bd41.ngrok.com/saml/discovery"} []
[2016-01-29 22:00:30] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:30] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_controller":"LightSaml\\SpBundle\\Controller\\DefaultController::loginAction","_route":"lightsaml_sp.login"},"request_uri":"http://72e5bd41.ngrok.com/saml/login?idp=http%3A%2F%2Fwww.okta.com%2Fxxxxxxx"} []
[2016-01-29 22:00:30] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:30] app.DEBUG: Endpoint resolved to location "https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml" and binding "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\ResolveEndpointIdpSsoAction","top_context_id":"000000003d4976b1000000017c1a322f","endpointLocation":"https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml","endpointBinding":"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"} []
[2016-01-29 22:00:30] app.INFO: Message ID set to "_cca7b37f44de17b6adfce3d0b33066124941291f0c" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\MessageIdAction","top_context_id":"000000003d4976b1000000017c1a322f","message_id":"_cca7b37f44de17b6adfce3d0b33066124941291f0c"} []
[2016-01-29 22:00:30] app.DEBUG: Message Version set to "2.0" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\MessageVersionAction","top_context_id":"000000003d4976b1000000017c1a322f"} []
[2016-01-29 22:00:30] app.INFO: Message IssueInstant set to "2016-01-29T22:00:30Z" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\MessageIssueInstantAction","top_context_id":"000000003d4976b1000000017c1a322f"} []
[2016-01-29 22:00:30] app.DEBUG: Destination set to "https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\DestinationAction","top_context_id":"000000003d4976b1000000017c1a322f"} []
[2016-01-29 22:00:30] app.DEBUG: Issuer set to "http://www.okta.com/xxxxxxx" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\CreateMessageIssuerAction","top_context_id":"000000003d4976b1000000017c1a322f"} []
[2016-01-29 22:00:30] app.DEBUG: Signing disabled {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\SignMessageAction","top_context_id":"000000003d4976b1000000017c1a322f"} []
[2016-01-29 22:00:30] app.INFO: Sending message {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\SendMessageAction","top_context_id":"000000003d4976b1000000017c1a322f","message":"<?xml version=\"1.0\"?>\n<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_cca7b37f44de17b6adfce3d0b33066124941291f0c\" Version=\"2.0\" IssueInstant=\"2016-01-29T22:00:30Z\" Destination=\"https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">http://www.okta.com/xxxxxxx</saml:Issuer></AuthnRequest>\n"} []
[2016-01-29 22:00:31] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_controller":"LightSaml\\SpBundle\\Controller\\DefaultController::loginAction","_route":"lightsaml_sp.login"},"request_uri":"http://72e5bd41.ngrok.com/saml/login"} []
[2016-01-29 22:00:31] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:31] request.INFO: Matched route "lightsaml_sp.discovery". {"route_parameters":{"_controller":"LightSaml\\SpBundle\\Controller\\DefaultController::discoveryAction","_route":"lightsaml_sp.discovery"},"request_uri":"http://72e5bd41.ngrok.com/saml/discovery"} []
[2016-01-29 22:00:31] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:31] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_controller":"LightSaml\\SpBundle\\Controller\\DefaultController::loginAction","_route":"lightsaml_sp.login"},"request_uri":"http://72e5bd41.ngrok.com/saml/login?idp=http%3A%2F%2Fwww.okta.com%2Fxxxxxxx"} []
[2016-01-29 22:00:31] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:31] app.DEBUG: Endpoint resolved to location "https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml" and binding "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\ResolveEndpointIdpSsoAction","top_context_id":"0000000022846f60000000013b4eb662","endpointLocation":"https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml","endpointBinding":"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"} []
[2016-01-29 22:00:31] app.INFO: Message ID set to "_cd644ad3906257ea742062414c1c7ca4f5dd39b5a0" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\MessageIdAction","top_context_id":"0000000022846f60000000013b4eb662","message_id":"_cd644ad3906257ea742062414c1c7ca4f5dd39b5a0"} []
[2016-01-29 22:00:31] app.DEBUG: Message Version set to "2.0" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\MessageVersionAction","top_context_id":"0000000022846f60000000013b4eb662"} []
[2016-01-29 22:00:31] app.INFO: Message IssueInstant set to "2016-01-29T22:00:31Z" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\MessageIssueInstantAction","top_context_id":"0000000022846f60000000013b4eb662"} []
[2016-01-29 22:00:31] app.DEBUG: Destination set to "https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\DestinationAction","top_context_id":"0000000022846f60000000013b4eb662"} []
[2016-01-29 22:00:31] app.DEBUG: Issuer set to "http://www.okta.com/xxxxxxx" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\CreateMessageIssuerAction","top_context_id":"0000000022846f60000000013b4eb662"} []
[2016-01-29 22:00:31] app.DEBUG: Signing disabled {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\SignMessageAction","top_context_id":"0000000022846f60000000013b4eb662"} []
[2016-01-29 22:00:31] app.INFO: Sending message {"profile_id":"sso_sp_send_authn_req","own_role":"sp","action":"LightSaml\\Action\\Profile\\Outbound\\Message\\SendMessageAction","top_context_id":"0000000022846f60000000013b4eb662","message":"<?xml version=\"1.0\"?>\n<AuthnRequest xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_cd644ad3906257ea742062414c1c7ca4f5dd39b5a0\" Version=\"2.0\" IssueInstant=\"2016-01-29T22:00:31Z\" Destination=\"https://xxxxxxx.okta.com/app/xxxxxxx_1/xxxxxxx/sso/saml\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">http://www.okta.com/xxxxxxx</saml:Issuer></AuthnRequest>\n"} []
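
A checker for logs shaped like the one above, as an added example that is not part of the thread or of LightSAML. It parses Monolog lines, counts AuthnRequests sent against responses received, counts repeats of the login -> discovery -> login route cycle, notes unsigned requests, and flags an outgoing Issuer that equals the entity ID passed as ?idp= (an SP issues requests under its own entityID). The thread never states what the cause was; these are sanity checks a defender would run on such a log, not a diagnosis from the thread. SAMPLE_LOG is a constructed, shortened copy of the posted lines with placeholder host names and context ids, and the function names are assumptions. Needs PHP 7.1 or later.

```php
<?php
// Added example, not part of the thread or of LightSAML: a checker for Monolog
// lines shaped like the log pasted above. SAMPLE_LOG is constructed from that
// log with placeholder values. Needs PHP 7.1 or later.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
[2016-01-29 22:00:28] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_route":"lightsaml_sp.login"},"request_uri":"http://sp.example/saml/login"} []
[2016-01-29 22:00:28] request.INFO: Matched route "lightsaml_sp.discovery". {"route_parameters":{"_route":"lightsaml_sp.discovery"},"request_uri":"http://sp.example/saml/discovery"} []
[2016-01-29 22:00:28] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_route":"lightsaml_sp.login"},"request_uri":"http://sp.example/saml/login?idp=http%3A%2F%2Fwww.okta.com%2Fxxxxxxx"} []
[2016-01-29 22:00:28] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2016-01-29 22:00:28] app.DEBUG: Issuer set to "http://www.okta.com/xxxxxxx" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","top_context_id":"ctx-1"} []
[2016-01-29 22:00:28] app.DEBUG: Signing disabled {"profile_id":"sso_sp_send_authn_req","own_role":"sp","top_context_id":"ctx-1"} []
[2016-01-29 22:00:28] app.INFO: Sending message {"profile_id":"sso_sp_send_authn_req","own_role":"sp","top_context_id":"ctx-1","message":"<AuthnRequest ID=\"_1\"/>"} []
[2016-01-29 22:00:30] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_route":"lightsaml_sp.login"},"request_uri":"http://sp.example/saml/login"} []
[2016-01-29 22:00:30] request.INFO: Matched route "lightsaml_sp.discovery". {"route_parameters":{"_route":"lightsaml_sp.discovery"},"request_uri":"http://sp.example/saml/discovery"} []
[2016-01-29 22:00:30] request.INFO: Matched route "lightsaml_sp.login". {"route_parameters":{"_route":"lightsaml_sp.login"},"request_uri":"http://sp.example/saml/login?idp=http%3A%2F%2Fwww.okta.com%2Fxxxxxxx"} []
[2016-01-29 22:00:30] app.DEBUG: Issuer set to "http://www.okta.com/xxxxxxx" {"profile_id":"sso_sp_send_authn_req","own_role":"sp","top_context_id":"ctx-2"} []
[2016-01-29 22:00:30] app.DEBUG: Signing disabled {"profile_id":"sso_sp_send_authn_req","own_role":"sp","top_context_id":"ctx-2"} []
[2016-01-29 22:00:30] app.INFO: Sending message {"profile_id":"sso_sp_send_authn_req","own_role":"sp","top_context_id":"ctx-2","message":"<AuthnRequest ID=\"_2\"/>"} []
LOG;

// Parse one "[date] channel.LEVEL: message {json} []" line; null if it does not match.
function parseMonologLine(string $line): ?array
{
    if (!preg_match('/^\[([^\]]+)\] (\w+)\.(\w+): (.*?) (\{.*\}|\[\]) \[\]$/', $line, $m)) {
        return null;
    }
    $context = json_decode($m[5], true);
    return ['time' => $m[1], 'channel' => $m[2], 'level' => $m[3],
            'message' => $m[4], 'context' => is_array($context) ? $context : []];
}

function analyseSpLog(string $log): array
{
    $sent = 0; $received = 0; $signingDisabled = 0;
    $issuers = []; $idpParams = []; $routes = [];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseMonologLine($line);
        if ($entry === null) {
            continue;
        }
        $ctx = $entry['context'];
        $msg = $entry['message'];
        if ($entry['channel'] === 'request' && isset($ctx['request_uri'])) {
            $routes[] = $ctx['route_parameters']['_route'] ?? '?';
            $query = parse_url($ctx['request_uri'], PHP_URL_QUERY);
            if (is_string($query)) {
                parse_str($query, $params);
                if (isset($params['idp'])) {
                    $idpParams[$params['idp']] = true;   // entity id chosen at discovery
                }
            }
        } elseif ($entry['channel'] === 'app') {
            if (strpos($msg, 'Sending message') === 0) {
                $sent++;
            } elseif (strpos($msg, 'Received message') === 0) {
                $received++;
            } elseif ($msg === 'Signing disabled') {
                $signingDisabled++;
            } elseif (preg_match('/^Issuer set to "([^"]+)"/', $msg, $m)) {
                $issuers[$m[1]] = true;                   // Issuer the SP put in its AuthnRequest
            }
        }
    }

    // Non-overlapping count of the login -> discovery -> login route sequence.
    $loops = substr_count(implode(',', $routes), 'lightsaml_sp.login,lightsaml_sp.discovery,lightsaml_sp.login');

    $findings = [];
    if ($sent > 0 && $received === 0) {
        $findings[] = sprintf('%d AuthnRequest(s) sent, 0 responses received: no IdP reply reached the SP', $sent);
    }
    if ($loops >= 2) {
        $findings[] = sprintf('login -> discovery -> login cycle repeated %d times: redirect loop', $loops);
    }
    if ($sent > 0 && $signingDisabled === $sent) {
        $findings[] = 'every AuthnRequest was sent unsigned';
    }
    foreach (array_keys($issuers) as $issuer) {
        if (isset($idpParams[$issuer])) {
            $findings[] = sprintf('AuthnRequest Issuer "%s" equals the ?idp= value; an SP issues under its own entityID, so check the SP entity id setting', $issuer);
        }
    }
    return ['sent' => $sent, 'received' => $received, 'loops' => $loops, 'findings' => $findings];
}

$report = analyseSpLog(SAMPLE_LOG);
printf("sent=%d received=%d loops=%d\n", $report['sent'], $report['received'], $report['loops']);
foreach ($report['findings'] as $finding) {
    echo '- ', $finding, PHP_EOL;
}
```

Run it against a real log by replacing SAMPLE_LOG with file_get_contents() of the Monolog file. The two counters are the check tmilos asks for above: a log that contains "Sending message" but never "Received message" means the browser is being bounced back to the SP's login route without ever delivering the IdP's response to the SP, which is exactly the loop the GET/POST sequence earlier in the thread shows.
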

mykehsd commented 8 years ago

There were a couple of issues that I had - maybe the documentation could specify more details.