Closed michielbdejong closed 1 year ago
After researching and looking at these three Docker files for SimpleSAMLPHP:
I decided to choose the second one because it makes customization simpler. It can be used as a base image and you can add your own configuration to it.
You can find SimpleSAML at this address: http://localhost:8082/simplesaml
But the configuration seems to be invalid and it shows this error:
Backtrace:
3 lib/SimpleSAML/Session.php:328 (SimpleSAML\Session::getSessionFromRequest)
2 modules/core/www/frontpage_welcome.php:5 (require)
1 lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)
OK! Thanks, I'll take it from here.
You could add the configuration that is mentioned in this section of SimpleSAMLPHP.md: https://github.com/pondersource/nextcloud-mfa-awareness/blob/main/SimpleSAMLPHP.md#integrating-nextcloud-with-simplesamlphp
inside master Nextcloud.
MariaDB [nextcloud]> select * from oc_user_saml_configurations;
+----+---------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | name | configuration |
+----+---------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | samlidp | {"general-uid_mapping":"username","general-idp0_display_name":"samlidp","idp-entityId":"http:\/\/sunet-ssp\/simplesaml\/saml2\/idp\/metadata.php","idp-singleSignOnService.url":"http:\/\/sunet-ssp\/simplesaml\/saml2\/idp\/SSOService.php","idp-x509cert":"asdf"} |
+----+---------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)
172.30.0.6 - - [28/Oct/2022:10:45:24 +0000] "GET /simplesaml/saml2/idp/SSOService.php?SAMLRequest=lZJZTwMhFIXf%2BysM71Nm6yJpm1Tr0qS2jVN98KWhzNWSzAByweXfO4t7YhPvAwkXzse5J4yQl4VhU%2B%2F26hoePaDrHFX1UhYKWXM4Jt4qpjlKZIqXgMwJlk2vFizuhsxY7bTQBfklO6ziiGCd1KqVzWdjslqeLVYX8%2BU26fePozAROfREznkapWnIk2g3HA56Sdo%2FHoRiNxiESSu9BYsVZ0wqLOm0NEQPc4WOK1f1wzgOojCIh5soZGmPxeldK51Vw0rFXSPfO2cYpegVuADRUJSlKaAehdZLTGVuaJatMrBPUkDX7E2LWb8ncCJVLtXD4cF37SVkl5vNOlivsk0LmX4EcqoV%2BhLs%2BzM314tf3pSorKgcXmoHlBuD1Ffa7adTygWSSUMd1XvW5GEn%2F6SU4HjOHR%2FR75AvrGHLarr5bK0LKV6bfl3n2pbc%2FR1C1I2ajsyD%2B%2BYq8woNCHkvISefmGlR6OdTC9zBmDjrgRzRSaf18vO7Tt4A&RelayState=http%3A%2F%2Fsunet-nc2%2Findex.php%2Fapps%2Fuser_saml%2Fsaml%2Flogin HTTP/1.1" 500 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
[root@7f12e25290d7 /]# cat /var/log/php-fpm/www-error.log
[28-Oct-2022 10:45:24 UTC] PHP Fatal error: Uncaught SimpleSAML\Error\CriticalConfigurationError: The configuration is invalid: Setting secure cookie on plain HTTP is not allowed. in /var/simplesamlphp/lib/SimpleSAML/Session.php:328
Stack trace:
#0 /var/simplesamlphp/lib/SimpleSAML/Error/Error.php(190): SimpleSAML\Session::getSessionFromRequest()
#1 /var/simplesamlphp/lib/SimpleSAML/Error/Error.php(228): SimpleSAML\Error\Error->saveError()
#2 /var/simplesamlphp/www/_include.php(18): SimpleSAML\Error\Error->show()
#3 [internal function]: SimpleSAML_exception_handler()
#4 {main}
thrown in /var/simplesamlphp/lib/SimpleSAML/Session.php on line 328
Next:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SimpleSAML\Error\Exception: No such "example-userpass" auth source found.
Backtrace:
2 lib/SimpleSAML/IdP.php:108 (SimpleSAML\IdP::__construct)
1 lib/SimpleSAML/IdP.php:139 (SimpleSAML\IdP::getById)
0 www/saml2/idp/SSOService.php:23 (N/A)
Next: SSP GUI is rendering, with:
Enter your username and password
Created user table in db, fixed dsn, installed mysql driver. Next:
Unable to load private key from file "/var/simplesamlphp/cert/server.pem"
Next:
[Fri Oct 28 12:08:52.865079 2022] [php:notice] [pid 95] [client 192.168.0.6:56604] loading settings from array
array (
  'strict' => true,
  'debug' => false,
  'baseurl' => 'http://sunet-nc2/index.php/apps/user_saml/saml',
  'security' =>
  array (
    'nameIdEncrypted' => false,
    'authnRequestsSigned' => false,
    'logoutRequestSigned' => false,
    'logoutResponseSigned' => false,
    'signMetadata' => false,
    'wantMessagesSigned' => false,
    'wantAssertionsSigned' => false,
    'wantAssertionsEncrypted' => false,
    'wantNameId' => false,
    'wantNameIdEncrypted' => false,
    'wantXMLValidation' => false,
    'requestedAuthnContext' => false,
    'lowercaseUrlencoding' => false,
    'signatureAlgorithm' => NULL,
  ),
  'sp' =>
  array (
    'entityId' => 'http://sunet-nc2/index.php/apps/user_saml/saml/metadata',
    'assertionConsumerService' =>
    array (
      'url' => 'http://sunet-nc2/index.php/apps/user_saml/saml/acs',
    ),
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    'x509cert' => '',
    'privateKey' => '',
  ),
  'idp' =>
  array (
    'entityId' => '',
    'singleSignOnService' =>
    array (
      'url' => '',
    ),
    'x509cert' => '',
  ),
)
[Fri Oct 28 12:08:52.865186 2022] [php:notice] [pid 95] [client 192.168.0.6:56604] errors found in settings:
array (
  0 => 'idp_entityId_not_found',
  1 => 'idp_sso_not_found',
  2 => 'idp_cert_or_fingerprint_not_found_and_required',
)
To debug I can view the setting while logged in via http://sunet-nc2/index.php/login?direct=1
curl http://sunet-ssp/simplesaml/saml2/idp/metadata.php
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://sunet-ssp/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://sunet-ssp/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://sunet-ssp/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
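The three settings errors above (`idp_entityId_not_found`, `idp_sso_not_found`, `idp_cert_or_fingerprint_not_found_and_required`) correspond exactly to the `idp-*` keys in the `oc_user_saml_configurations` row shown earlier, and the IdP metadata just fetched from sunet-ssp carries every value those keys need. The script below is an added example, not code from the nextcloud-mfa-awareness repo, the Nextcloud user_saml app or SimpleSAMLphp: it parses the IdP metadata, fills the row's JSON with the entityID, the HTTP-Redirect SSO URL and the signing certificate, re-runs the same three presence checks, and adds two checks a practitioner would want that the log does not make: a filler certificate such as the `asdf` stored in the row above passes "is present" but can never verify an assertion signature (the error name `idp_cert_not_parseable` is chosen here, not a php-saml code), and plain-`http://` endpoints, which are also why SimpleSAMLphp refused to set its secure cookie, are flagged as warnings. The certificate in the embedded metadata is a constructed placeholder standing in for the one the page elides, and the SQL emitter takes the row id as a parameter because the thread reports that id mattered.

```python
"""Build and sanity-check the user_saml IdP configuration from IdP metadata.

Added example; assumes the JSON key names shown in the oc_user_saml_configurations
row above and the DER-starts-with-SEQUENCE heuristic described in the comments.
"""
import base64
import json
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder for the certificate the page elides: base64 of a
# tiny DER SEQUENCE (30 03 02 01 01). It is NOT a real X.509 certificate; it
# only gives the base64/DER sanity check below something that passes.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed copy of the sunet-ssp IdP metadata from the thread.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://sunet-ssp/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="http://sunet-ssp/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="http://sunet-ssp/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return (entityID, HTTP-Redirect SSO URL, signing cert base64) from IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT:
            sso_url = sso.get("Location")
            break
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # drop PEM-style line breaks
                break
    return entity_id, sso_url, cert


def build_user_saml_config(entity_id, sso_url, cert,
                           display_name="samlidp", uid_mapping="username"):
    """JSON for the `configuration` column, using the key names from the row above."""
    return {
        "general-uid_mapping": uid_mapping,
        "general-idp0_display_name": display_name,
        "idp-entityId": entity_id or "",
        "idp-singleSignOnService.url": sso_url or "",
        "idp-x509cert": cert or "",
    }


def looks_like_der_cert(b64):
    """Cheap sanity check only: strict base64, and the first byte is the ASN.1
    SEQUENCE tag (0x30) that every DER X.509 certificate starts with."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 0 and raw[0] == 0x30


def check_config(cfg):
    """Reproduce the three settings errors from the log, plus two extra checks."""
    errors, warnings = [], []
    if not cfg.get("idp-entityId"):
        errors.append("idp_entityId_not_found")
    if not cfg.get("idp-singleSignOnService.url"):
        errors.append("idp_sso_not_found")
    cert = cfg.get("idp-x509cert", "")
    if not cert:
        errors.append("idp_cert_or_fingerprint_not_found_and_required")
    elif not looks_like_der_cert(cert):
        # Filler like "asdf" is "present" but cannot verify any assertion
        # signature, so every login would fail at the ACS. Name chosen here.
        errors.append("idp_cert_not_parseable")
    for key in ("idp-entityId", "idp-singleSignOnService.url"):
        if cfg.get(key, "").startswith("http://"):
            # Plain HTTP is why the IdP refused its secure cookie, and it
            # exposes SAMLRequest/SAMLResponse to anyone on the path.
            warnings.append(f"{key} uses plain http")
    return errors, warnings


def to_sql_insert(row_id, name, cfg):
    """INSERT for oc_user_saml_configurations. Slashes are JSON-escaped as \\/
    like the stored row above, then the whole value is escaped for a
    single-quoted MariaDB literal (backslashes doubled, quotes doubled)."""
    body = json.dumps(cfg).replace("/", "\\/")
    body = body.replace("\\", "\\\\").replace("'", "''")
    safe_name = name.replace("'", "''")
    return (f"INSERT INTO oc_user_saml_configurations (id, name, configuration) "
            f"VALUES ({int(row_id)}, '{safe_name}', '{body}');")


if __name__ == "__main__":
    eid, sso, cert = parse_idp_metadata(SAMPLE_METADATA)
    cfg = build_user_saml_config(eid, sso, cert)
    print(json.dumps(cfg, indent=2))
    print(check_config(cfg))
    print(to_sql_insert(1, "samlidp", cfg))
```

To use it against the real IdP, replace `SAMPLE_METADATA` with the output of `curl http://sunet-ssp/simplesaml/saml2/idp/metadata.php`; the DER check is deliberately shallow (it does not validate the certificate chain or expiry), its purpose is only to reject filler before it reaches the database.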
@navid-dada Can we look at this together on Monday?
Ah, I found a work-around. Maybe it was because I stored the oc_user_saml_configurations with id=2 instead of id=1.
And fixed the mfachecker code.
Dockerize this: https://github.com/pondersource/nextcloud-mfa-awareness/blob/main/SimpleSAMLPHP.md