Closed jaspoor closed 8 years ago
In the credential store there should be all IDP credentials from their metadata (certificate/public key) and your own (private key). You could check that by inspecting the credential store with

```php
$buildContainer = $this->get('lightsaml.container.build');
$credentialStore = $buildContainer->getCredentialContainer()->getCredentialStore();
```

It should be a `CompositeCredentialStore`, which unfortunately doesn't have public access to all stored credentials, but atm you could inspect it in a debugger or `var_dump` it. Or you could use the `getByEntityId($entityId)` method to check if it has the credential of the IDP you expect. Anyway, it would be a good idea to add some access to those credentials.
That credential store is created/filled by the `lightsaml.credential.credential_store_factory` service, which composes it with a `MetadataCredentialStore` that is given the `lightsaml.party.idp_entity_descriptor_store` - all registered IDPs.
So, when the Response arrives, the IDP EntityID is read and searched for through `CompositeCredentialStore`, which asks the IDP `MetadataCredentialStore`, which queries `lightsaml.party.idp_entity_descriptor_store` for that EntityID and extracts the credential from that IDP metadata.
It might be you have that IDP metadata w/out a certificate. In that case you either obtain one with a certificate, or you could create a service of the type `LightSaml\Credential\CredentialInterface` and tag it with `lightsaml.credential`, so it will be set to the credential store as an extra credential.
Hope this helps.
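The resolution chain described in the reply above, rebuilt outside Symfony so it can be checked in isolation. This is an added example, not code from the issue or from the LightSAML project: it wires `FixedEntityDescriptorStore` (the role `lightsaml.party.idp_entity_descriptor_store` plays) into a `MetadataCredentialStore`, composes that with a static store holding the SP's own key pair (the same thing the tagged `lightsaml.credential` service achieves in the bundle), and then performs the lookup the response receiver does. The entity IDs and the files `idp-metadata.xml`, `sp.crt` and `sp.key` are hypothetical placeholders.

```php
<?php
// Added example, not part of the original issue or of LightSAML itself.
// Assumes lightsaml/lightsaml is installed through Composer and that
// idp-metadata.xml, sp.crt and sp.key exist next to this script (hypothetical paths).
require __DIR__ . '/vendor/autoload.php';

use LightSaml\Credential\KeyHelper;
use LightSaml\Credential\X509Certificate;
use LightSaml\Credential\X509Credential;
use LightSaml\Model\Metadata\EntityDescriptor;
use LightSaml\Store\Credential\CompositeCredentialStore;
use LightSaml\Store\Credential\MetadataCredentialStore;
use LightSaml\Store\Credential\StaticCredentialStore;
use LightSaml\Store\EntityDescriptor\FixedEntityDescriptorStore;

// Hypothetical identifiers; the IdP value must equal the <Issuer> of the incoming Response byte for byte.
$idpEntityId = 'https://idp.example.org/saml/metadata';
$spEntityId  = 'https://sp.example.com/saml/metadata';

// 1. All registered IdPs: the analogue of lightsaml.party.idp_entity_descriptor_store.
$idpStore = new FixedEntityDescriptorStore();
$idpStore->add(EntityDescriptor::load(__DIR__ . '/idp-metadata.xml'));

// 2. Credentials derived from the <KeyDescriptor> certificates in that metadata.
$metadataStore = new MetadataCredentialStore($idpStore);

// 3. The SP's own credential (certificate plus private key), the "extra credential"
//    that the bundle collects from services tagged lightsaml.credential.
$spCredential = new X509Credential(
    X509Certificate::fromFile(__DIR__ . '/sp.crt'),
    KeyHelper::createPrivateKey(__DIR__ . '/sp.key', '', true) // third arg: path, not PEM string
);
$spCredential->setEntityId($spEntityId);
$ownStore = new StaticCredentialStore();
$ownStore->add($spCredential);

// 4. Compose the stores, as lightsaml.credential.credential_store_factory does.
$credentialStore = new CompositeCredentialStore();
$credentialStore->add($metadataStore);
$credentialStore->add($ownStore);

// 5. The lookup the response receiver performs: credentials for the Issuer's entityID.
$credentials = $credentialStore->getByEntityId($idpEntityId);
if (count($credentials) === 0) {
    // Typical causes: entityID mismatch with the metadata, or an IDPSSODescriptor
    // with no <KeyDescriptor> certificate, so no public key can be extracted.
    fwrite(STDERR, "No credential found for $idpEntityId; check entityID and <KeyDescriptor> in idp-metadata.xml\n");
    exit(1);
}
foreach ($credentials as $credential) {
    printf("%s usage=%s\n", $credential->getEntityId(), $credential->getUsageType() ?: 'unspecified');
}
```

If the script exits with the error path, signature validation in the listener will fail for the same reason, because the receiver looks up the Issuer in exactly this kind of store. A `<KeyDescriptor>` without a `use` attribute is returned with an unspecified usage and is still considered for signature verification; one marked `use="encryption"` only is not a signing credential.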
@jaspoor I'm closing the issue, if you find any more issues, feel free to reopen this one or create a new one
Hi Milos,
First of all, thanks for the big effort you've put into lightSAML. I am trying to migrate from aerialship/lightsaml in Symfony but have trouble getting our current setup to work properly.
The thing is that validating the SAML response signature is not working, because the resolver(s) won't find any credentials matching the issuer (`LightSamlSpListener->receiveSamlResponse`). Looking through the code, I notice that only our own credentials are built/stored (SP), while it's looking for credentials stored for the issuer (IdP) to validate the signature.
Any idea what I am missing here?
Regards,
Jasper