search

lightSAML / SpBundle

SAML2 SP Symfony Bundle based on LightSAML
https://www.lightsaml.com/SP-Bundle/
MIT License
66 stars 70 forks source link

Invalid inbound message destination #58

Open guiyomh opened 6 years ago

guiyomh commented 6 years ago

when i'm redirect to /saml/login_check

i have a error : 

Invalid inbound message destination "http://xxxxx/saml/login_check"
ChMat commented 6 years ago

Hi @guiyomh

I have the same issue here. My app is behind a proxy. The proxy handles the certificate, so the route for login_check is not the right one.

In short, the login_check route from the outside is https://publicdomain.com/saml/login_check. And once it passes the proxy, it becomes http://insidedomain.local/saml/login_check.

I think the way should be to tell SpBundle to trust http://insidedomain.local/saml/login_check.

Is your issue the same as mine? Did you find a solution?

tmilos commented 6 years ago

It means that in your own EntityDescriptor there are no AssertionConsumerService endpoints with such Location. If you're behind a proxy, your metadata must state the public url, and IDP must return Response with public url destination, so AbstractDestinationValidatorAction will be able to find that url from the Reponse in your own EntityDescriptor.

Provide your own metadata xml, sent AuthnRequest, and received Response, and we can compare the values and see what is wrong.

ChMat commented 6 years ago

Thanks @tmilos for the information. It helped me solve the issue.

I implemented a custom service extending LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder.

I replaced the $acsUrl __construct() parameter to an array.

So when I declare the service, the corresponding argument will be an array containing the login_check url from behind the proxy (http and .local url in my case) and from the rest of the world, like this:

["http://mysite.local/saml/login_check", "https://mysite.com/saml/login_check"]

And I changed the getSpSsoDescriptor() function as follows:

    /**
     * @return SpSsoDescriptor|null
     */
    protected function getSpSsoDescriptor()
    {
        if (null === $this->acsUrl) {
            return null;
        }

        $spSso = new SpSsoDescriptor();

        foreach ($this->acsBindings as $index => $biding) {
            if (is_array($this->acsUrl)) {
                foreach ($this->acsUrl as $acsUrl) {
                    $acs = new AssertionConsumerService();
                    $acs->setIndex($index)->setLocation($acsUrl)->setBinding($biding);
                    $spSso->addAssertionConsumerService($acs);
                }
            }
            else
            {
                $acs = new AssertionConsumerService();
                $acs->setIndex($index)->setLocation($this->acsUrl)->setBinding($biding);
                $spSso->addAssertionConsumerService($acs);
            }
        }

        $this->addKeyDescriptors($spSso);

        return $spSso;
    }

This worked for me, I hope this will help.

jhonnynho commented 5 years ago

Hi @ChMat I'm having the same trouble as you had, I'm wondering to know if you changed that function on SimpleEntityDescriptorBuilder file on the vendor directory? If not, how did you do? Thanks!

ChMat commented 5 years ago

Hi @jhonnynho

As I wrote, I created a class in my application that extends LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder.

This class contains the getSpSsoDescriptor() function that overrides the parent function with my custom behaviour.

It looks like this (you'll probably want to adapt the namespace):

// Service/AppEntityDescriptor.php
<?php

namespace AppBundle\Service;

use LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder;
use LightSaml\Model\Metadata\AssertionConsumerService;
use LightSaml\Model\Metadata\KeyDescriptor;
use LightSaml\Model\Metadata\SpSsoDescriptor;
use LightSaml\SamlConstants;
use LightSaml\Credential\X509Certificate;

/**
 * Class AppEntityDescriptor
 *
 * @package AppBundle\Service
 */
class AppEntityDescriptor extends SimpleEntityDescriptorBuilder
{
    /** @var array|string */
    protected $acsUrl;

    /**
     * @param string          $entityId
     * @param array|string    $acsUrl
     * @param string          $ssoUrl
     * @param string          $ownCertificate
     * @param string[]        $acsBindings
     * @param string[]        $ssoBindings
     * @param string[]|null   $use
     */
    public function __construct(
        $entityId,
        $acsUrl,
        $ssoUrl,
        $ownCertificate,
        array $acsBindings = array(SamlConstants::BINDING_SAML2_HTTP_POST),
        array $ssoBindings = array(SamlConstants::BINDING_SAML2_HTTP_POST, SamlConstants::BINDING_SAML2_HTTP_REDIRECT),
        $use = array(KeyDescriptor::USE_ENCRYPTION, KeyDescriptor::USE_SIGNING)
    ) {
        $certificate = $ownCertificate;

        if (!$ownCertificate instanceof X509Certificate) {
            $certificate = new X509Certificate();
            $certificate->loadFromFile($ownCertificate);
        }

        parent::__construct($entityId, $acsUrl, $ssoUrl, $certificate, $acsBindings, $use);
    }

    /**
     * @return SpSsoDescriptor|null
     */
    protected function getSpSsoDescriptor()
    {
        if (null === $this->acsUrl) {
            return null;
        }

        $spSso = new SpSsoDescriptor();

        foreach ($this->acsBindings as $index => $binding) {
            // On ajoute toutes les url autorisées pour le service
            if (is_array($this->acsUrl)) {
                foreach ($this->acsUrl as $acsUrl) {
                    $acs = new AssertionConsumerService();
                    $acs->setIndex($index)->setLocation($acsUrl)->setBinding($binding);
                    $spSso->addAssertionConsumerService($acs);
                }
            }
            else
            {
                $acs = new AssertionConsumerService();
                $acs->setIndex($index)->setLocation($this->acsUrl)->setBinding($binding);
                $spSso->addAssertionConsumerService($acs);
            }
        }

        $this->addKeyDescriptors($spSso);

        return $spSso;
    }

}

And in my services.yml:

    app_entity_descriptor:
        class: AppBundle\Service\AppEntityDescriptor
        arguments:
            - "%entity_id%"
            - ["http://local.domain/saml/login_check", "https://public.domain/saml/login_check"]
            - "https://sso.server/saml2/idp/SSOService.php"
            - "%kernel.root_dir%/config/cert/saml.crt"

Finally, I add the service to LightSaml configuration in app/config/config.yml

light_saml_symfony_bridge:
    own:
        entity_id: "https://your.entity.id" # required
        entity_descriptor_provider:
            id: app_entity_descriptor

I hope this helps.

jhonnynho commented 5 years ago

Thank you @ChMat , I'm going to test it, but I have a doubt, did you edit something else? I mean on the security.yaml or in the ligh_saml_symfony_bridge.yaml. I think this it won't run automatically.

I don't now if you add something lie this on the security.yaml

check_path: app_entity_descriptor

tmilos commented 5 years ago 
light_saml_symfony_bridge:
    own:
        entity_id: https://your.entity.id # required
        entity_descriptor_provider:
            id: app_entity_descriptor

As here https://www.lightsaml.com/Symfony-Bridge/Configuration/

ChMat commented 5 years ago

Thanks for pointing that @jhonnynho ! Like @tmilos wrote right above, you have to configure it in your config.yml.

I have updated my comment above so the reply is complete and correct.

jhonnynho commented 5 years ago

Ey @ChMat and @tmilos I did this steps but now I'm having this Unknown InResponseTo '_77ce4c02e5bedb405c4ca19289f80a8a2967db504f' My SSO system is on SimpleSAMLPHP. I don't know what can I do. I have Symfony 4, and this is my configuration:

light_saml_symfony_bridge:
    own:
        entity_id: https://gateway.com/saml/
        entity_descriptor_provider:
            id: app_entity_descriptor
        credentials:
            -
                certificate: "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.crt"
                key:         "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.key"
                password:    ~
    party:
        idp:
            files:
                - "%kernel.root_dir%/../src/Idp/idp.xml"
#                - "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/openidp.feide.no.xml"
    store:
        id_state: id_store

security.yaml

        main:
            anonymous: ~
            light_saml_sp:
                provider: db_provider       # user provider name configured in step 9
                user_creator: user_creator  # name of the user creator service created in step 10
                login_path: /saml/login
                check_path: /saml/login_check
                default_target_path: /
                require_previous_session: true
            logout:
                path: /logout

services.yaml

    app_entity_descriptor:
        class: App\Services\AppEntityDescriptor
        arguments:
            - "%entity_id%"
            - ["%secure_login_check%", "%unsecure_login_check%"]
            - "%saml_sso_service%"
            - "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.crt"
ChMat commented 5 years ago

Hi @jhonnynho

Usually, you get this kind of response either:

Note that the entity_id must match exactly the one that is registered in your SimpleSAMLphp idp.

It may be the entity_id because the light_saml_symfony_bridge.own.entity_id is defined by a string locally while the entity_id in your services.yaml comes from a parameter that we do not see in your comment.

jhonnynho commented 5 years ago

Hi @ChMat

Services.yaml

entity_id: '%env(ENTITY_ID)%'
saml_sso_service: '%env(SAML_SSO_SERVICE)%'
secure_login_check: '%env(SECURE_LOGIN_CHECK)%'
unsecure_login_check: '%env(UNSECURE_LOGIN_CHECK)

.env

ENTITY_ID=https://gateway.com/saml/
UNSECURE_LOGIN_CHECK=http://gateway/saml/login_check
SECURE_LOGIN_CHECK=https://gateway/saml/login_check
SAML_SSO_SERVICE=https://account.com/simplesaml/saml2/idp/SSOService.php

There are my params, and that error happens after doing the login on SimpleSamlPHP On SimplesamlPHP I have the same entity_id

ChMat commented 5 years ago

Check your light_saml_symfony_bridge config. You have an entity_id that is different from that of your .env: https://sso-gateway/saml/

Both should be identical.

jhonnynho commented 5 years ago

I have exactly the same entity_id on my config and on SimpleSaml

JavierBmrg commented 5 years ago

Hi guys, I've got the same problem, The Saml is behind an haproxy, and I recieve error Unknown InResponseTo ... , when I try to login, I don't know if the saml needs something else, because the ssl end-to-end isn't available with haproxy in front of my saml service.

jonhleno commented 4 years ago

Thanks @tmilos for the information. It helped me solve the issue.

I implemented a custom service extending LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder.

I replaced the $acsUrl __construct() parameter to an array.

So when I declare the service, the corresponding argument will be an array containing the login_check url from behind the proxy (http and .local url in my case) and from the rest of the world, like this:

["http://mysite.local/saml/login_check", "https://mysite.com/saml/login_check"]

And I changed the getSpSsoDescriptor() function as follows:

    /**
     * @return SpSsoDescriptor|null
     */
    protected function getSpSsoDescriptor()
    {
        if (null === $this->acsUrl) {
            return null;
        }

        $spSso = new SpSsoDescriptor();

        foreach ($this->acsBindings as $index => $biding) {
            if (is_array($this->acsUrl)) {
                foreach ($this->acsUrl as $acsUrl) {
                    $acs = new AssertionConsumerService();
                    $acs->setIndex($index)->setLocation($acsUrl)->setBinding($biding);
                    $spSso->addAssertionConsumerService($acs);
                }
            }
            else
            {
                $acs = new AssertionConsumerService();
                $acs->setIndex($index)->setLocation($this->acsUrl)->setBinding($biding);
                $spSso->addAssertionConsumerService($acs);
            }
        }

        $this->addKeyDescriptors($spSso);

        return $spSso;
    }

This worked for me, I hope this will help.

Thanks @ChMat It works like a charm!

bastianpsycho1 commented 1 year ago

hi guys, theres a way to do similar escenario but for de endpoint "default_target_path", actually is calling my unsecured endpoint but i need that be redirected to the secured endpoint. I already did the same for the login_check and is working succesfully but i need also for the default_target_path wheres my codebehind do some validations for login user.

image