Closed. brianpeiris closed this issue 7 months ago.
@brianpeiris I don't have any experience with Firebase, but the missing-or-invalid-nonce
error sounds like it's expecting an OIDC flow rather than SAML, because nonce is an OIDC concept.
If that doesn't seem to be the problem, would you be able to share a HAR file of the full login flow? I can check if something's amiss. Please make sure to redact anything sensitive or PII from the HAR.
Hmm, perhaps the nonce is specific to Firebase's authentication mechanism. Still not sure why saml-mock would fail to work though. I was able to get boxyhq/mock-saml working.
I'll try to make a minimal reproduction and record a HAR for this in a few days. Thanks.
@thameera I've reproduced the issue with a fresh Firebase project and a simple test application.
Here is the HAR file showing the nonce error. I've deleted the associated Firebase project, so any sensitive information is now invalid. saml-mock-firebase-har.zip
I've also created a repo containing the test application here: https://github.com/brianpeiris/test-firebase-saml
I also confirmed that this application and Firebase configuration work with BoxyHQ's Mock SAML, as I mentioned earlier.
Thanks for the sample app and HAR file. It looks like Firebase looks for unique IDs in the SAML assertion, but SAML Mock hard-codes that to "1234". Can you try changing this value every time you log in and see if the error goes away? This is the ID="1234" part in the first line of the SAML Assertion textbox.
If the login starts working after that, I'll update the mock so that the assertion ID is always unique.
Thanks! That was the issue. Every SAML assertion must have a globally unique ID -- it didn't even accept duplicated IDs across different browsers.
Out of curiosity, how did you figure that out from the HAR?
Also some notes for anyone trying this with Firebase in the future:
Failed to verify the signature in SAMLResponse (auth/invalid-credential).
SAML Response <Issuer> mismatch. (auth/invalid-credential).
or All <AudienceRestriction>s should contain the SAML RP entity ID: 'saml-mock'. (auth/invalid-credential).
To avoid this, I configured Firebase like so, for my test app, to match saml-mock's default issuer. The "aud" parameter in the SSO URL also has to match the "Service Provider (Entity ID)" configuration.
Entity ID: saml-mock
SSO URL: https://samlmock.dev/idp?aud=urn:firebase:saml-mock&acs_url=https://localhost:5173/__/auth/handler
Service Provider (Entity ID): urn:firebase:saml-mock
Great, I'll push a fix shortly.
It wasn't clear from the HAR itself, but some research showed that one possibility would be a non-unique nonce. Since SAML doesn't have nonces, I did some trial-and-error tests with non-unique values in SAML Mock responses like ID and SessionIndex. It was more of a lucky find. Talk about unhelpful error messages.
The responses had to be signed indeed (as opposed to assertions); forgot to mention it here. Didn't come across the issuer mismatch because I was using the same entity ID everywhere.
Looks like this will need an ID that's different from the response's. I'll fix this tomorrow.
@brianpeiris if you can confirm that the latest change fixes the issue we can close this out. You'll still need to check Sign Response manually.
@thameera Yup, confirmed that the auth works as expected now. Thanks for the fix!
Great, thanks for reporting and testing!
This tool seems to be incompatible with Firebase Authentication for some reason. When attempting to log in with saml-mock as an IdP, Firebase rejects the SAML Response with the error
Duplicate credential received. Please try again with a new credential. (auth/missing-or-invalid-nonce).
I've configured saml-mock as a Custom SAML provider in Firebase, though I'm not sure if I just misconfigured things. If there's interest in getting this to work with Firebase, I can try to provide more details and steps to reproduce.