pitbulk / limesurvey-saml

SAML Authentication plugin for limesurvey (based on simpleSAMLphp)
GNU General Public License v2.0

CHttpException #4

Open lebarbu34280 opened 7 years ago

lebarbu34280 commented 7 years ago

Hi, I'm experiencing some trouble with the plugin. I have a full federation working with SPs, IdPs, and websites connected to it. I'm using simpleSAMLphp 1.14.3 and it is working fine. I'm using LimeSurvey 2.6.2; my Apache is 2.4 and my PHP is 5.6, but I keep getting this error: CHttpException

Le jeton CSRF n'a pas pu être vérifié.

/home/limesurvey/www/limesurvey-sso/framework/web/CHttpRequest.php(1355)

    1343         case 'DELETE':
    1344             $userToken=$this->getDelete($this->csrfTokenName);
    1345     }
    1346
    1347     if (!empty($userToken) && $cookies->contains($this->csrfTokenName))
    1348     {
    1349         $cookieToken=$cookies->itemAt($this->csrfTokenName)->value;
    1350         $valid=$cookieToken===$userToken;
    1351     }
    1352     else
    1353         $valid = false;
    1354     if (!$valid)
    1355         throw new CHttpException(400,Yii::t('yii','The CSRF token could not be verified.'));
    1356 }
    1357 }
    1358
    1359
    1360 /**
    1361  * Returns the version of the HTTP protocol used by client.
    1362  *
    1363  * @return string the version of the HTTP protocol.
    1364  * @since 1.1.16
    1365  */
    1366 public function getHttpVersion()
    1367 {

I installed a SAML tracer to follow the SAML messages. When I go to the admin login page, the plugin redirects me to the SP; I use my credentials and I can see the redirect and the connection to the IdP. I get my authentication access, but when I'm redirected to the LimeSurvey login page I get a loop and then this message. Any help would be appreciated.

Best regards

pitbulk commented 7 years ago

This SAML plugin was created 4 years ago for LimeSurvey 2.0.5, and you are trying 2.6.2. I assume that there is some incompatibility. The loop happens when the SAMLResponse can't be processed or the user is not able to be logged in, so an AuthnRequest is sent to the IdP again.

lebarbu34280 commented 7 years ago

Thanks for your answer

Shnoulle commented 7 years ago

Hi,

Try to disable CSRF: https://manual.limesurvey.org/Optional_settings#Request_settings . If it works: I think SAML can work without a $_POST value submitted? Unsure here, must track why it's a POST value.

pitbulk commented 7 years ago

SAML uses the HTTP-POST binding to send the SAMLResponse to the ACS URL endpoint (it is the most common scenario).

Since the SAML protocol has its own mechanism to validate the SAMLResponse, CSRF protection is not required on SAML endpoints.

Shnoulle commented 7 years ago

OK, then: must find a way to deactivate CSRF protection on this endpoint (maybe use https://manual.limesurvey.org/NewUnsecureRequest ? But that is outside the Auth plugin system ...)

If I look at the code: if you're already connected to SAML, there is no need to post the value again? Right?

If yes: how is $ssp->getLoginURL() set?

[edit] OK, got it: https://simplesamlphp.org/docs/1.9/simplesamlphp-sp-api#section_8

Then it can be done in some hours.

lebarbu34280 commented 7 years ago

Yes, right. If I'm already connected, there is no need to post the value again.

Shnoulle commented 7 years ago

Yes: and disabling CSRF fixes the issue too.

For a better fix, try this in config.php:

        'db' => array(
            // Current part of your config
        ),
        'request' => array(
            'noCsrfValidationRoutes'=>array(
                'admin/authentication',
            ),
        ),
        // Uncomment the following line if you need table-based sessions

If it works: adding a line to the README fixes it. Another way to fix it is adding another return URL using $ssp->getLoginURL() and NewUnsecureRequest.
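The following is an added, stand-alone PHP example (not code from LimeSurvey, Yii or this plugin) that models the two things discussed in this thread: the cookie-versus-body token comparison shown in the CHttpRequest stack trace above, and the route-scoped exemption that the `noCsrfValidationRoutes` setting expresses, as opposed to switching `enableCsrfValidation` off globally. Function names, the exact-match treatment of the route list, and the sample requests are constructed for illustration; LimeSurvey's real `LSHttpRequest` may match routes differently.

```php
<?php
// Added example, not LimeSurvey/Yii/plugin code. Models a POST request
// arriving at the Yii CSRF filter with a per-route exemption list.

const CSRF_TOKEN_NAME = 'YII_CSRF_TOKEN';

// Routes that carry their own request authentication. The SAML ACS is the
// case from this thread: the IdP posts a signed SAMLResponse, and the SP
// library (simpleSAMLphp here) validates signature, Destination, audience
// and validity window, so the Yii CSRF token is not needed on that route.
// 'enableCsrfValidation' => false would instead disable the check for
// every admin form; this list keeps the exemption narrow.
// Assumption: exact route match, unlike whatever LimeSurvey really does.
const NO_CSRF_VALIDATION_ROUTES = array('admin/authentication');

/**
 * Mirror of the check in CHttpRequest::validateCsrfToken(): the token in
 * the request body must equal the token in the cookie. Returns true when
 * the request may proceed, false where Yii would throw CHttpException(400).
 */
function csrf_token_valid(array $post, array $cookies)
{
    if (empty($post[CSRF_TOKEN_NAME]) || !isset($cookies[CSRF_TOKEN_NAME])) {
        return false;
    }
    // hash_equals() (PHP >= 5.6, the version reported in this issue) is a
    // constant-time comparison; the framework uses a plain ===.
    return hash_equals((string) $cookies[CSRF_TOKEN_NAME],
                       (string) $post[CSRF_TOKEN_NAME]);
}

/**
 * Decide whether a POST to $route passes the CSRF filter. Exempt routes
 * skip only the CSRF token check; the ACS handler still has to validate
 * the SAMLResponse itself, otherwise the exemption is a hole.
 */
function request_allowed($route, array $post, array $cookies)
{
    if (in_array($route, NO_CSRF_VALIDATION_ROUTES, true)) {
        return true;
    }
    return csrf_token_valid($post, $cookies);
}

// Constructed sample requests (values are placeholders, not real tokens).
$cookies = array(CSRF_TOKEN_NAME => 'constructed-cookie-token');

// Case 1: the IdP's HTTP-POST binding delivers a SAMLResponse to the ACS.
// The body has no YII_CSRF_TOKEN field, but the route is exempt, so it passes.
$samlPost = array(
    'SAMLResponse' => base64_encode('<samlp:Response/>'),  // constructed
    'RelayState'   => '/admin',
);
var_dump(request_allowed('admin/authentication', $samlPost, $cookies));

// Case 2: the same body on any other admin route has no usable token and is
// rejected; this is the CHttpException reported at the top of the issue.
var_dump(request_allowed('admin/survey/sa/index', $samlPost, $cookies));

// Case 3: an ordinary admin form post carrying the matching token passes.
$formPost = array(CSRF_TOKEN_NAME => 'constructed-cookie-token', 'title' => 'x');
var_dump(request_allowed('admin/survey/sa/index', $formPost, $cookies));

// Case 4: a token that does not match the cookie is rejected.
$badPost = array(CSRF_TOKEN_NAME => 'some-other-token');
var_dump(request_allowed('admin/survey/sa/index', $badPost, $cookies));
```

Run it with `php example.php`; the first and third cases are allowed, the second and fourth are refused. The point of the exemption list over the global switch is visible in case 2: every route that is not the SAML endpoint keeps the cookie/body token check exactly as the framework applies it.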

Shnoulle commented 6 years ago

@lebarbu34280: deactivating CSRF globally: did it work? If yes, just for authentication?