nbgrp / onelogin-saml-bundle

OneLogin SAML Symfony Bundle
BSD 3-Clause "New" or "Revised" License

After logging in via IdP 'authentication failed' #54

Closed nbennett25 closed 2 months ago

nbennett25 commented 2 months ago

I'm trying to get a docker network set up with an SP and IdP - my SP is a Symfony 6 app on localhost:8000, and the IdP is a docker image kenchan0130/simplesamlphp:develop - mapped to local-idp.local:4000, which is effectively a wrapper for the SimpleSAMLphp.org codebase configured as an IdP.

I believe I have everything set up properly - the SP's nbgrp_onelogin_saml.yaml is pretty much boilerplate with the IdP's domains as below:

```yaml
default:
    # Mandatory SAML settings
    idp:
        entityId: 'http://local-idp.local:4000/simplesaml/shib13/idp/metadata.php'
        singleSignOnService:
            url: "http://local-idp.local:4000/simplesaml/saml2/idp/SSOService.php?spentityid=http://localhost:8000/saml/metadata"
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        singleLogoutService:
            url: 'http://local-idp.local:4000/simplesaml/saml2/idp/SingleLogoutService.php'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        x509cert: 'MIIDb...'
    sp:
        entityId: 'http://localhost:8000/saml/metadata'  # Default: '<request_scheme_and_host>/saml/metadata'
        assertionConsumerService:
            url: 'http://localhost:8000/saml/acs'  # Default: '<request_scheme_and_host>/saml/acs'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
        singleLogoutService:
            url: 'http://localhost:8000/saml/logout'  # Default: '<request_scheme_and_host>/saml/logout'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        privateKey: 'MIIEv...'
    # Optional SAML settings
```

The sp.privateKey and idp.x509cert values are directly out of the certificates in the IdP image.

This more or less works as expected - I have the /admin path set up to be SSO log in only in config/security.yaml, and if I go to localhost:8000/admin, I am redirected to the IdP site. I log in with the credentials set in the authsources.php file in the IdP config per the SimpleSAML docs, and am redirected back to the SP with a SAML payload, including the matching x509 cert value.

But when I get back to the SP, I get an 'authentication failed' exception error:

```text
RuntimeException:
The authentication failed.

at vendor/nbgrp/onelogin-saml-bundle/src/Controller/Login.php:45
  at Nbgrp\OneloginSamlBundle\Controller\Login->__invoke()
     (vendor/symfony/http-kernel/HttpKernel.php:181)
  at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
     (vendor/symfony/http-kernel/HttpKernel.php:76)
  at Symfony\Component\HttpKernel\HttpKernel->handle()
     (vendor/symfony/http-kernel/Kernel.php:197)
  at Symfony\Component\HttpKernel\Kernel->handle()
     (vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php:35)
  at Symfony\Component\Runtime\Runner\Symfony\HttpKernelRunner->run()
     (vendor/autoload_runtime.php:29)
  at require_once('/var/www/html/vendor/autoload_runtime.php')
     (public/index.php:5)
```

Thoughts? Happy to post more of the config or SAML payload if that's helpful.

Thx!

nbennett25 commented 2 months ago

Can anyone confirm the certificate settings?

I've tried multiple different combinations, and nothing is working. I currently have the SP configured with its own private and public certs, and the IdP x509 cert settings set to match the value returned in the SAML XML payload by the IdP - does the value in the config.yaml need to be base64 encoded..? Not sure what I'm missing here, and there isn't any more detail in the error than 'authentication failed'.
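When the only signal is a generic "authentication failed", a quick offline triage of the SAMLResponse the IdP POSTed to the ACS rules the configuration in or out before the keys are suspected. The script below is an added example, not code from this issue or from the bundle: it decodes a constructed, unsigned sample response and compares its Issuer, Destination, Audience and embedded X509Certificate against the SP/IdP values from the config above; the certificate comparison strips PEM headers and whitespace, which is the form php-saml reduces a configured `x509cert` to. It does not verify the XML signature itself, so a pass here only means the identifiers and certificate bytes line up.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, unsigned SAMLResponse as the IdP would POST it to the ACS
# (placeholder cert, no real SignatureValue); for illustration only.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" Destination="http://localhost:8000/saml/acs">
 <saml:Issuer>http://local-idp.local:4000/simplesaml/shib13/idp/metadata.php</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>http://local-idp.local:4000/simplesaml/shib13/idp/metadata.php</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDbCONSTRUCTEDPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>http://localhost:8000/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# SP/IdP values taken from the config in this issue; the same placeholder cert
# is given in PEM form to show that armour and line breaks are tolerated.
CONFIG = {
    "sp_entity_id": "http://localhost:8000/saml/metadata",
    "acs_url": "http://localhost:8000/saml/acs",
    "idp_entity_id": "http://local-idp.local:4000/simplesaml/shib13/idp/metadata.php",
    "idp_x509cert": "-----BEGIN CERTIFICATE-----\nMIIDbCONSTRUCTED\nPLACEHOLDER\n-----END CERTIFICATE-----",
}

def normalize_cert(value):
    """Strip PEM armour and all whitespace (what php-saml does with a configured cert)."""
    return re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", value)

def triage(saml_response_b64, cfg):
    """Map each identifier/cert check to True/False. The signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    def text(path):  # text of the first matching element, or None if absent
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else None

    return {
        "issuer_matches_idp_entityId": text("saml:Issuer") == cfg["idp_entity_id"],
        "destination_matches_acs_url": root.get("Destination") == cfg["acs_url"],
        "audience_matches_sp_entityId": text(".//saml:Audience") == cfg["sp_entity_id"],
        "response_or_assertion_signed": root.find(".//ds:Signature", NS) is not None,
        "embedded_cert_matches_idp_x509cert":
            normalize_cert(text(".//ds:X509Certificate") or "") == normalize_cert(cfg["idp_x509cert"]),
    }
```

Run `triage(SAMPLE_RESPONSE_B64, CONFIG)` against a captured response (base64 from the `SAMLResponse` POST field) to see which check fails; every value comes back True for the constructed sample.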

nbennett25 commented 2 months ago

Ok so the issue here wasn't that the user hadn't been authenticated, but that the error being thrown after authentication has a generic 'authentication failed' message:

https://github.com/nbgrp/onelogin-saml-bundle/blob/2.0/src/Security/Http/Authenticator/SamlAuthenticator.php#L167

It would be great to update this messaging to be more indicative of what the error actually is and/or expose the full trace to the catching method in Login.php - even something like 'Authentication failed on user provisioning' would be a huge improvement and save development time.