lightSAML / SpBundle

SAML2 SP Symfony Bundle based on LightSAML
https://www.lightsaml.com/SP-Bundle/
MIT License

No credentials resolved for signature verification #20

Closed jaspoor closed 8 years ago

jaspoor commented 8 years ago

Hi Milos,

First of all, thanks for the big effort you've put in lightSAML. I am trying to migrate from aerialship/lightsaml in Symfony but have trouble getting our current setup to work properly.

The thing is that validating the SAML response signature is not working, because the resolver(s) won't find any credentials matching the issuer (LightSamlSpListener->receiveSamlResponse). Looking through the code, I notice that only our own credentials are built/stored (SP), and it's looking for credentials stored for the issuer (IdP) to validate the signature.

Any idea what I am missing here?

Regards,

Jasper

tmilos commented 8 years ago

In the credential store there should be all IdP credentials from their metadata (certificate/public key) and your own (private key). You could check that by inspecting the credential store with

```php
$buildContainer = $this->get('lightsaml.container.build');
$credentialStore = $buildContainer->getCredentialContainer()->getCredentialStore();
```

It should be a CompositeCredentialStore, which unfortunately doesn't have public access to all stored credentials, but at the moment you could inspect it in a debugger or var_dump it. Or you could use the getByEntityId($entityId) method to check if it has the credential of the IDP you expect. Anyway, it would be a good idea to make some access to those credentials.

That credential store is created/filled by the lightsaml.credential.credential_store_factory service, which composes it with a MetadataCredentialStore that is given the lightsaml.party.idp_entity_descriptor_store (all registered IDPs).

https://github.com/lightSAML/lightSAML/blob/10de356e33ffd5268a147eb0bcea19c3d151f8bf/src/LightSaml/Store/Credential/Factory/CredentialFactory.php#L82

So, when the Response arrives, the IDP EntityID is read and searched for through the CompositeCredentialStore, which asks the IDP MetadataCredentialStore, which queries lightsaml.party.idp_entity_descriptor_store for that EntityID and extracts the credential from that IDP metadata.

It might be that you have that IDP metadata without a certificate. In that case you either obtain one with a certificate, or you could eventually create a service of the type LightSaml\Credential\CredentialInterface and tag it with lightsaml.credential, so it will be added to the credential store as an extra credential.

Hope this helps.
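
The two checks described in the comment above, written out as an added example (not code from this issue or from the lightSAML project): first, resolve the IdP's credentials by entity ID the way the SP listener does and keep only those usable for signature verification, so an empty result reproduces "no credentials resolved"; second, for an IdP whose metadata carries no certificate, build an X509Credential from a PEM file obtained out of band and register it as a service tagged lightsaml.credential. The class Acme\Saml\IdpCredentialFactory, the entity ID, the PEM path and the service name are placeholders; the lightSAML class and method names (X509Certificate::fromFile, X509Credential, UsageType, setEntityId, setCredentialUsage, CredentialStoreInterface::getByEntityId) are quoted from memory and should be checked against the installed version.

```php
<?php
// Added example, not part of the lightSAML/SpBundle project.
// Assumed: lightSAML is installed via Composer and this class lives in an
// application bundle; all names in the Acme namespace are hypothetical.
namespace Acme\Saml;

use LightSaml\Credential\CredentialInterface;
use LightSaml\Credential\UsageType;
use LightSaml\Credential\X509Certificate;
use LightSaml\Credential\X509Credential;
use LightSaml\Store\Credential\CredentialStoreInterface;

class IdpCredentialFactory
{
    /**
     * Resolves the credentials the store holds for $idpEntityId and keeps only
     * those that can verify a signature: a public key must be present and the
     * usage must be "signing" or unrestricted. An empty array is exactly the
     * condition that makes signature validation fail for a Response from that IdP.
     *
     * @param CredentialStoreInterface $store
     * @param string                   $idpEntityId
     *
     * @return CredentialInterface[]
     */
    public static function findVerificationCredentials(CredentialStoreInterface $store, $idpEntityId)
    {
        $usable = array();
        foreach ($store->getByEntityId($idpEntityId) as $credential) {
            $usage = $credential->getUsageType();
            if ($usage !== null && $usage !== UsageType::SIGNING) {
                continue; // encryption-only certificate, cannot verify signatures
            }
            if ($credential->getPublicKey() === null) {
                continue; // no key material to verify with
            }
            $usable[] = $credential;
        }

        return $usable;
    }

    /**
     * Builds a signing credential for an IdP whose metadata has no certificate,
     * from a PEM certificate supplied by the IdP operator. Only the public key is
     * attached: a remote party's credential must never carry a private key.
     *
     * @param string $idpEntityId        entity ID exactly as it appears in the Response Issuer
     * @param string $pemCertificatePath path to the IdP signing certificate (PEM)
     *
     * @return CredentialInterface
     */
    public static function buildSigningCredential($idpEntityId, $pemCertificatePath)
    {
        if (!is_readable($pemCertificatePath)) {
            throw new \InvalidArgumentException(sprintf('IdP certificate not readable: %s', $pemCertificatePath));
        }
        $certificate = X509Certificate::fromFile($pemCertificatePath);
        $credential = new X509Credential($certificate);
        $credential->setEntityId($idpEntityId);
        $credential->setCredentialUsage(UsageType::SIGNING);

        return $credential;
    }
}

// Diagnostic from a controller or console command ($container is the Symfony
// service container; the entity ID is a placeholder):
//
//   $store = $container->get('lightsaml.container.build')
//       ->getCredentialContainer()->getCredentialStore();
//   $found = IdpCredentialFactory::findVerificationCredentials(
//       $store, 'https://idp.example.org/saml/metadata');
//   if (count($found) === 0) {
//       // IdP metadata is registered without a usable signing certificate
//   }
//
// Hypothetical service definition that adds the fallback credential to the
// store through the lightsaml.credential tag (services.yml):
//
//   acme.idp_signing_credential:
//       class: LightSaml\Credential\X509Credential
//       factory: ['Acme\Saml\IdpCredentialFactory', 'buildSigningCredential']
//       arguments: ['https://idp.example.org/saml/metadata', '%kernel.root_dir%/config/saml/idp.crt']
//       tags:
//           - { name: lightsaml.credential }
```

The entity ID passed to setEntityId must match the Issuer of the incoming Response byte for byte, since that string is the lookup key the CompositeCredentialStore uses; a trailing slash or scheme mismatch reproduces the same "no credentials" failure even with a correct certificate.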

tmilos commented 8 years ago

@jaspoor I'm closing the issue, if you find any more issues, feel free to reopen this one or create a new one