opf / openproject-auth_saml

OmniAuth SAML strategy provider for OpenProject
MIT License

ValidationError, No fingerprint or certificate on settings #1

Open l0rn opened 6 years ago

l0rn commented 6 years ago

The current dev (the version shipped with the official docker distribution of openproject) does not work.

When trying to authenticate with a SAML provider, the following message occurs in the log:

omniauth: (saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, No fingerprint or certificate on settings

I already ran the pry debugger, and indeed the settings object does not contain most of the relevant configuration:

=> #<OneLogin::RubySaml::Settings:0x0000561e3ed63910
 @assertion_consumer_service_binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 @assertion_consumer_service_url="https://project.example.com/auth/saml/callback",
 @attribute_consuming_service=#<OneLogin::RubySaml::AttributeService:0x0000561e3ed62f38 @attributes=[], @index="1">,
 @compress_request=true,
 @compress_response=true,
 @double_quote_xml_attribute_values=false,
 @idp_cert_fingerprint_algorithm="http://www.w3.org/2000/09/xmldsig#sha1",
 @name_identifier_format=nil,
 @security=
  {:authn_requests_signed=>false,
   :logout_requests_signed=>false,
   :logout_responses_signed=>false,
   :want_assertions_signed=>false,
   :want_assertions_encrypted=>false,
   :want_name_id=>false,
   :metadata_signed=>false,
   :embed_sign=>false,
   :digest_method=>"http://www.w3.org/2000/09/xmldsig#sha1",
   :signature_method=>"http://www.w3.org/2000/09/xmldsig#rsa-sha1"},
 @single_logout_service_binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 @soft=true>
[2] pry(#<OmniAuth::Strategies::SAML>)> 

Probably the API of the weakly defined dependency ruby-saml or omniauth-saml changed.

wexstorm commented 6 years ago

I've got exactly the same problem. Did you find a solution?

l0rn commented 6 years ago

My "solution" was to use openconnect instead, which worked fine. This seems to be just broken.

wexstorm commented 6 years ago

I ended up updating the file ruby-saml-1.6.1/lib/onelogin/ruby-saml/settings.rb (I really know that this is worst practice) and changing the defaults to my settings. This works flawlessly.

Cheers

wexstorm commented 6 years ago

So, as it seems, the line config = DEFAULTS.merge(overrides) in ruby-saml/lib/onelogin/ruby-saml/settings.rb merges the configs but does not add the settings from the settings YAML file.

topoutchris commented 6 years ago

Any update on this? This still seems to be an issue with the latest docker containers. I end up having to update the ruby-saml settings.rb defaults as @wexstorm suggested, or have constant SAML errors.

oliverguenther commented 5 years ago

Sorry for the late reply, I was not getting notifications for issues on this repository. This issue should only arise if your auth provider callback (/auth/:name) does not match the name attribute in your settings.yml.

Our OmniAuth strategy will try to look up the given provider based on the name in the callback URL, which is why the name must be set in order to find the key.

With that in mind, I can successfully create a response flow with SAML.

Please note that this repository is being integrated into https://github.com/opf/openproject for the next release, 8.3, which will include an updated RubySAML: https://github.com/opf/openproject/pull/7014

Please create a ticket at https://community.openproject.com and assign it to us if you are continuing to have issues with SAML!

Best, Oliver
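The following is an added illustration of the lookup Oliver describes and of the failure wexstorm observed; it is not code from this repository, OpenProject or ruby-saml. The settings YAML, the DEFAULTS hash, the key names and all function names are assumptions made up for this example. It models a provider lookup keyed on the name attribute taken from the /auth/:name/callback path: when the callback segment matches a configured name, the IdP fingerprint is merged over the defaults; when it does not, only the defaults survive the merge and a check modelled on the error message in the issue raises "No fingerprint or certificate on settings".

```ruby
require 'yaml'

# Constructed sample settings; key names are assumptions for this example,
# not the project's documented schema. The first entry is correctly named,
# the second has a YAML key that differs from its `name` attribute.
SAMPLE_SETTINGS_YAML = <<~YAML
  saml:
    name: "saml"
    display_name: "Example IdP"
    idp_sso_target_url: "https://idp.example.com/sso"
    idp_cert_fingerprint: "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"
  mis-named:
    name: "corp-saml"
    idp_sso_target_url: "https://idp.example.com/sso"
    idp_cert_fingerprint: "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44"
YAML

# Hypothetical stand-in for ruby-saml's DEFAULTS hash (a small subset of the
# values visible in the pry dump above); not the library's actual constant.
DEFAULTS = {
  'assertion_consumer_service_binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
  'idp_cert_fingerprint_algorithm' => 'http://www.w3.org/2000/09/xmldsig#sha1',
  'soft' => true
}.freeze

class ValidationError < StandardError; end

# Extract the provider name from an OmniAuth callback path such as
# /auth/saml/callback; returns nil for any other path.
def provider_name_from_path(path)
  m = path.match(%r{\A/auth/([^/]+)/callback\z})
  m && m[1]
end

# Find the provider whose `name` attribute equals the callback segment.
# The YAML key is deliberately ignored, so a mismatch yields nil.
def lookup_provider(settings, name)
  settings.values.find { |cfg| cfg['name'] == name }
end

# Merge the provider's settings over the defaults. With no matching
# provider the overrides are empty and only the defaults remain, which is
# what the settings object in the issue looked like.
def build_settings(settings, callback_path)
  name = provider_name_from_path(callback_path)
  overrides = lookup_provider(settings, name) || {}
  DEFAULTS.merge(overrides)
end

# Check modelled on the error text in the issue: a response cannot be
# verified without either a fingerprint or a full IdP certificate.
def validate!(config)
  unless config['idp_cert_fingerprint'] || config['idp_cert']
    raise ValidationError, 'No fingerprint or certificate on settings'
  end
  config
end

# Convenience wrapper: :ok when the callback resolves to usable settings,
# otherwise the validation error message.
def diagnose(callback_path, yaml = SAMPLE_SETTINGS_YAML)
  validate!(build_settings(YAML.safe_load(yaml), callback_path))
  :ok
rescue ValidationError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts "/auth/saml/callback      -> #{diagnose('/auth/saml/callback')}"
  puts "/auth/mis-named/callback -> #{diagnose('/auth/mis-named/callback')}"
end
```

The practical check this suggests: before changing library defaults, confirm that the name attribute of each provider in settings.yml is exactly the segment that appears in the /auth/:name/callback URL the IdP posts to, since a settings object that shows only defaults is the signature of a failed lookup rather than a missing fingerprint.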