onelogin / drupal-saml

MIT License

Drupal 8 Support #31

Open dolceficante opened 7 years ago

dolceficante commented 7 years ago

Are there current plans to port this module for Drupal 8?

pitbulk commented 7 years ago

There is no plan right now. I can put it in the queue of pending tasks, but can't provide a date.

safetypins commented 7 years ago

I'm going to be working on a major Drupal 8 conversion in the next year, and we'll want to include this module. So I'll be working on a Drupal 8 version of this module when that happens. I'm also not sure of a specific date.

pitbulk commented 7 years ago

Nice, let me know if you need some help related to SAML and let me know the progress.

pitbulk commented 7 years ago

We should review this: https://www.drupal.org/node/2836229

safetypins commented 7 years ago

Do you have any suggestions for testing the module in a local dev environment? Specifically, I'm wondering if there's a way to setup a test SAML Service on my laptop to send post SAML objects to my local dev web server where I'm working on the code.

safetypins commented 7 years ago

Just looked at the SAML Service Provider module, and that looks very promising.

pitbulk commented 7 years ago

You should sign up for a OneLogin developer account and configure a SAML Test Connector, connecting it with the Drupal SP module.

dolceficante commented 7 years ago

Using a tool like https://ngrok.com/ will definitely help with your localhost development. It will allow you to inspect the requests back and forth from the SAML service, and it is great for debugging a localhost (by giving you a public address that the service can call and route to your local). Good luck!

AngelAlvarado commented 7 years ago

Maybe it's over-engineering it, but SimpleSAMLphp lets you create a local IdP or SP in a trice (in case ngrok does not work for you). If you decide to go with it, check out this tutorial.

safetypins commented 7 years ago

So, I've worked through some of the errors I found working with the SAML SP module on d.o. Now I'm getting some errors thrown by the php-saml library: sp_certs_not_found_and_required, contact_not_enought_data, organization_not_enought_data.

It turns out the security settings had been turned on (must have been enabled during install), but for some reason the author has written the settings form to always require certificate and key file locations. Under what circumstances should the certificate and key file locations be required? Which security settings being enabled would require the certificate and key files? All of them, some of them, or is there a specific minimum set of settings that requires them? From looking at the php-saml library, it looks like any one of the security settings being enabled means that the library needs certificates.

As a follow up question, can I create an X.509 certificate and key on my test server that can be validated by onelogin? I've created rsa keys before, but I've never created a self-signed certificate. If it's possible, can you point me to a walkthrough?

pitbulk commented 7 years ago

The SP public certificate/private key are required if the SP will use signature or encryption in the messages it sends. Since it is not mandatory to sign/encrypt at the SP side, those values should be optional.

In order to generate self-signed certs you can use this online tool: https://www.samltool.com/self_signed_certs.php

safetypins commented 7 years ago

Okay, so I've moved on to processing the SAML Response. But in attempting to replicate the process of the acs_consume() function from the D7 module, I've run into a problem with how the OneLogin_Saml2_Response class is operating on the response. The saml:NameId property is being reported as empty ($auth->getNameId() returns nothing). However, when I inspect the SAML response manually I see that there is content there.

Can you think of a reason why the OneLogin_Saml2_Response class wouldn't be able to extract the NameId property value?

pitbulk commented 7 years ago

Can you provide the encoded SAMLResponse?

safetypins commented 7 years ago


pitbulk commented 7 years ago

I was able to decode it here: https://www.samltool.com/base64.php

And was able to get the NameID at: https://www.samltool.com/attributes.php

samltool.com uses php-saml. Have you checked that the SAMLResponse was validated correctly and the settings are ok? After the processResponse, check that the getErrors method returns an empty array.

safetypins commented 7 years ago

When I was looking at the code for the response class, it looked like the "Processing" happened as part of the initialization of the SAMLResponse. Do I need to do that separately?

safetypins commented 7 years ago

$auth->getErrors() returned an empty array. Is there another place to look for errors?

pitbulk commented 7 years ago

Check this piece of code: https://github.com/onelogin/php-saml#attribute-consumer-serviceacs-endpointsacsphp

You need to initialize the auth object, call the processResponse and later check if the getErrors returns an empty array.
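The ACS flow described in the two comments above (initialize, processResponse, check getErrors, then read the NameID), together with the point made earlier that the SP certificate and key are only needed when the SP itself signs or decrypts. This is an added example, not code from drupal-saml or php-saml; the entity IDs, URLs and the IdP certificate are placeholders.

```php
<?php
// Added example, not code from drupal-saml or php-saml. Assumes php-saml 2.x
// installed via Composer. Entity IDs, URLs and the IdP cert are placeholders;
// use the values from your OneLogin test connector.
require_once __DIR__ . '/vendor/autoload.php';

$settingsInfo = array(
    // strict mode rejects unsigned/invalid responses and destination mismatches;
    // keep it on outside of local debugging.
    'strict' => true,
    'debug'  => false,
    'sp' => array(
        'entityId' => 'http://localhost/drupal/saml/metadata',      // placeholder
        'assertionConsumerService' => array(
            'url' => 'http://localhost/drupal/saml/acs',             // placeholder
        ),
        // 'x509cert' and 'privateKey' are deliberately omitted: php-saml only
        // requires them when an SP-side signing/encryption flag is enabled.
        // Turn on e.g. 'authnRequestsSigned' without them and Settings reports
        // sp_certs_not_found_and_required.
        // 'contactPerson' and 'organization' are optional too; if present they
        // must be complete, otherwise you get contact_not_enought_data /
        // organization_not_enought_data.
    ),
    'idp' => array(
        'entityId' => 'https://app.onelogin.com/saml/metadata/PLACEHOLDER',
        'singleSignOnService' => array(
            'url' => 'https://example-dev.onelogin.com/trust/saml2/http-post/sso/PLACEHOLDER',
        ),
        'x509cert' => 'MIIC...IDP_CERT_PLACEHOLDER...',
    ),
    'security' => array(
        'authnRequestsSigned'     => false, // SP would need its key to sign
        'wantAssertionsSigned'    => true,  // verified with the IdP cert only
        'wantAssertionsEncrypted' => false, // SP would need its key to decrypt
    ),
);

$auth = new OneLogin_Saml2_Auth($settingsInfo);   // 1) initialize
$auth->processResponse();                         // 2) parse + validate POSTed SAMLResponse
$errors = $auth->getErrors();                     // 3) never read NameID before this check
if (!empty($errors)) {
    http_response_code(403);
    error_log('SAML validation failed: ' . implode(', ', $errors)
        . ' (' . $auth->getLastErrorReason() . ')');
    exit;
}
if (!$auth->isAuthenticated()) {
    http_response_code(403);
    exit('Not authenticated');
}
$nameId     = $auth->getNameId();     // populated only after a valid processResponse()
$attributes = $auth->getAttributes();
```

If getNameId() is still empty while getErrors() is empty, compare the NameID the IdP actually sends (decode the response with the samltool.com pages linked above) with what the consumer code expects.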

safetypins commented 7 years ago

Great, thanks!

cweagans commented 7 years ago

You may want to be aware of https://www.drupal.org/project/samlauth