lightSAML / SpBundle

SAML2 SP Symfony Bundle based on LightSAML
https://www.lightsaml.com/SP-Bundle/
MIT License

samltest.id - Assertions must be signed #83

Open AntoineLemaire opened 4 years ago

AntoineLemaire commented 4 years ago

I'm trying to configure https://samltest.id/ to test my app

So I configured the symfony-bridge:

light_saml_symfony_bridge:
    own:
        entity_id: "http://my_domain.loc"
        entity_descriptor_provider:
            id: my_entity_descriptor
        credentials:
            -
                certificate: '%saml.certificate%'
                key:         '%saml.key%'
                password:    ~
    party:
        idp:
            files: 
                - '%kernel.root_dir%/../src/App/Resources/metadata/samltest_metadata.xml'
    store:
        id_state: id_store

The samltest_metadata.xml has been downloaded from https://samltest.id/saml/idp

For the certificate & key, I tried to generate some with OpenSSL: openssl req -new -x509 -days 365 -nodes -sha256 -out saml.crt -keyout saml.pem

But I don't get what metadata I should upload to https://samltest.id/upload.php to be able to test it.

I tried this:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://my_domain.loc">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{{ ..MY_CERTIFICATE.. }}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{{ ..MY_CERTIFICATE.. }}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService index="0" isDefault="false" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://my_domain.loc/saml/login_check"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{{ ..MY_CERTIFICATE.. }}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{{ ..MY_CERTIFICATE.. }}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://my_domain.loc"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://my_domain.loc"/>
  </IDPSSODescriptor>
</EntityDescriptor>

I'm correctly redirected to samltest.id for login, but when I come back to my application, I got an error: Assertions must be signed - LightSamlContextException

Does someone know what I did wrong? Thanks for helping.
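The error quoted above is raised when the SP requires each Assertion to carry its own signature. As an added example (not part of this issue thread or of the bundle), the script below parses a SAML Response and reports whether the ds:Signature sits on the Response element, on each Assertion, or whether the assertions arrive encrypted; the sample Response is constructed here with a placeholder signature value, so it only locates signatures and does not verify them.

```python
"""Locate signatures in a SAML 2.0 Response (added diagnostic, not LightSAML code)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIG_TAG = f"{{{NS['ds']}}}Signature"


def signature_report(response_xml: str) -> dict:
    """Report which elements of a samlp:Response carry an enveloped Signature.

    Only a ds:Signature that is a direct child counts as signing that element;
    a signature nested deeper belongs to the inner element, not the outer one.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response element")
    response_signed = any(child.tag == SIG_TAG for child in root)
    assertions = root.findall("saml:Assertion", NS)
    per_assertion = [any(child.tag == SIG_TAG for child in a) for a in assertions]
    encrypted = len(root.findall("saml:EncryptedAssertion", NS))
    return {
        "response_signed": response_signed,
        "assertions": len(assertions),
        "assertions_signed": sum(per_assertion),
        "encrypted_assertions": encrypted,
        # What an SP that insists on signed assertions would conclude:
        "all_assertions_signed": bool(assertions) and all(per_assertion),
    }


# Constructed sample: the IdP signed the Response as a whole but left the
# Assertion itself unsigned. Signature content is a placeholder, not real.
SAMPLE_RESPONSE_SIGNED_ONLY = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://samltest.id/saml/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>https://samltest.id/saml/idp</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(signature_report(SAMPLE_RESPONSE_SIGNED_ONLY))
```

Paste the base64-decoded SAMLResponse from the browser's POST into the function to see which element the IdP actually signed.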

theNailz commented 4 years ago

FYI: I did get the flow working with https://capriza.github.io/samling/samling.html, but not with https://samltest.id/ or https://stubidp.sustainsys.com/