SAML 2.0 SP Symfony bundle based on LightSAML.
Home Page: https://www.lightsaml.com/SP-Bundle/
License: MIT License
Hi,
I configured SpBundle following the Getting Started tutorial. I got all routes working (login, discovery, metadata.xml, sessions), but when the IdP calls the login_check route POSTing the SAMLResponse, I get the following error:
Unable to find the controller for path "/saml/login_check". The route is wrongly configured.
The controller could not be found.
Did I miss something?
Thanks.
Since yesterday I get an error: "Unable to verify Signature" when using https://idp.testshib.org/idp/shibboleth.
I also have this error in the demo project: https://github.com/lightSAML/DemoSP
It came with the error below:
Catchable Fatal Error: Argument 1 passed to LightSaml\SpBundle\Security\Authentication\Token\SamlSpToken::__construct() must be of the type array, null given,
When I checked the token created in SamlSpTokenFactory, it didn't create the roles, while those cannot be null in SamlSpToken->__construct. Could anyone help me with this?
in vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Authentication/Token/SamlSpToken.php (line 27)
SamlSpToken->__construct(null, 'main', array('username' => 'johndoe', 'email' => '[email protected]'), object(User))
in vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Authentication/Token/SamlSpTokenFactory.php (line 34)
$token = new SamlSpToken( $user instanceof UserInterface ? $user->getRoles() : [], $providerKey, $attributes, $user ); return $token; }}
SamlSpTokenFactory->create('main', array('username' => 'johndoe', 'email' => '[email protected]'), object(User), object(SamlSpResponseToken))
in vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php (line 137)
$result = $this->tokenFactory->create( $this->providerKey, $attributes, $user, $token ); } else { $result = new SamlSpToken( $user instanceof UserInterface ? $user->getRoles() : [], $this->providerKey, $attributes,
Hi,
I am implementing sp-bundle in a Symfony 2.3 project. It appears that this function was implemented in Symfony 2.6. Can you help?
FatalErrorException: Error: Call to undefined method LightSaml\SpBundle\Controller\DefaultController::redirectToRoute() in C:\DATA\Projects\PHP\Symfony2\Symfony2-LightSAML-SP\vendor\lightsaml\sp-bundle\src\LightSaml\SpBundle\Controller\DefaultController.php line 47
Our application is behind a load balancer running on port 80. The SSL certificate is at the load balancer, running on port 443. When we generate the metadata, the ACS URL is http. We needed https. If we forcibly changed the ACS URL in ADFS to https, we encountered the issue below in fig. 1.
We found that there is some setting related to absolute URL. Please see fig 2.
We tried to set the router scheme to https as mentioned here http://symfony.com/doc/2.7/cookbook/console/request_context.html#configuring-the-request-context-globally but it is not working.
We need your help on this matter.
Thank you.
Hi !
I'm struggling to add a RequestedAuthnContext node to an AuthnRequest XML request.
Expected result:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_3032e287176d383ac6efa999f8e58775222efff3" Version="2.0" IssueInstant="2018-05-24T15:12:48Z" Destination="https://example.comsaml2sso" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://example.com/?acs">
<saml:Issuer>example.com</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
<samlp:RequestedAuthnContext Comparison="Minimum">
<saml:AuthnContextClassRef>urn:example:saml:auth-level:1.0:low</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Is there a proper way to achieve this? I can't find any way to handle it without creating a new LightSaml\Model\Protocol\SamlMessage, overriding the whole workflow which creates LightSaml\Model\Protocol\AuthnRequest, and adding my freshly created node.
Thanks in advance
PS : Sorry if the issue is not in the right repository.
Hi,
I am having some difficulty with the implementation. If I don't provide a user_creator service and the user is authenticated successfully, the system gets stuck in a loop: it keeps redirecting to the IdP and the IdP keeps sending the user back to the SP. I think this is because the user is not authorized, so no token is generated, so the SP sends the user to the IdP; but the user is authenticated, so the IdP sends the user back to the SP.
I remember I had a similar issue in SamlSPBundle, and I overcame it by setting the user role to something which is not in the system. This stops the user at the SP with a 403 error, as the user is not authorized. I'm unable to do the same here unless I override the authenticate function in LightsSamlSpAuthenticationProvider.
Is there some better way to handle this case without overriding? I am avoiding this as it is hard to maintain for subsequent updates. Thanks
Hi @tmilos
My application is working well in the local environment.
I set up the app in the "dev" environment; the dev server is behind a load balancer.
When I try to access a private page under the "saml firewall", I'm redirected to the right login form. I enter my IDs, but when I'm redirected to the "login_check" route, I get an error:
An exception occurred while executing 'INSERT INTO user_saml (username, roles) VALUES (?, ?)' with params [null, "["ROLE_USER"]"]:
SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'username' cannot be null
It seems that, for a reason I don't know, the username is not coming back.
Could it be a problem with load balancing? Is there a configuration I can make on the app side?
I've already set this instruction in my /web/app.php file:
Request::setTrustedProxies(array($_SERVER['REMOTE_ADDR']));
Thanks for your help.
I can't see an obvious way, in the SAML 2.0 documentation or in your implementation LightSaml\Model\Protocol\AuthnRequest, to send arbitrary values to the Identity Provider.
I am using LightSaml\Builder\Profile\WebBrowserSso\Sp\SsoSpSendAuthnRequestProfileBuilder as in your login.php example.
Is there a way of sending arbitrary values to the Identity Provider in the AuthnRequest?
I see in the SAML 2 schema there is a "samlp:Extensions" node that can be added to AuthnRequests and, I believe, to any SAML message; SimpleSAML has an implementation of this, FYI.
Hello,
The OpenIdP has been shut down. It is no longer possible to use it to test your SAML Service Provider. If you were using it for that purpose, you will need to look for alternatives.
Do you know any possible solution to test the saml SP?
Hi Milos,
First of all, thanks for the big effort you've put in lightSAML. I am trying to migrate from aerialship/lightsaml in Symfony but have trouble getting our current setup to work properly.
The thing is that validating the SAML response signature is not working, because the resolver(s) won't find any credentials matching the issuer (LightSamlSpListener->receiveSamlResponse). Looking through the code, I notice that only our own credentials (SP) are built/stored, while it is looking for credentials stored for the issuer (IdP) to validate the signature.
Any idea what I am missing here?
Regards,
Jasper
I can't find how to specify in metadata.xml which attributes my SP requires from the IdP.
When I add my SP metadata XML to my https://samlidp.io/ IdP, I get this message
It works only when the email switch is ON; otherwise I get null in:
// UserCreatorInterface
$this->usernameMapper->getUsername($response)
How do I make an AttributeQuery? As I understand it, this is not implemented?
On user login (on the AuthnRequest Response) I want to make an AttributeQuery and abort the login process if the IdP doesn't provide the required attributes (for example email, first name, last name).
P.S. This bundle is a big machinery for me, so sorry if this question is too obvious for you. I have spent almost a week inspecting it and still no clear vision about its internals.
I am setting this bundle up in my Symfony 3.0.1 application. I followed the setup document exactly and installed my vendor's IdP configuration (I'm using OKTA). When I go to the login page, I'm redirected to OKTA, which is great. When I log in there I'm redirected back to my site (/saml/login) and several errors are generated. It then proceeds to redirect back and forth constantly.
Can you point me in the direction of the problem?
Undefined index: http_request
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}
Undefined index: own_entity
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":62,"level":28928,"scream":true}
Undefined index: party_entity
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}
Undefined index: endpoint
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}
Undefined index: inbound_message
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}
Undefined index: outbound_message
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}
Undefined index: serialization
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":62,"level":28928,"scream":true}
I keep getting the following error.
"Unable to find the controller for path "/saml/login_check". The route is wrongly configured."
I imported the routes, I have no problem with /saml/discovery and /saml/login (redirects me to /saml/discovery)
What am I missing?
Starting with Symfony 4, services are marked private per default, which means that you cannot get services by calling $container->get('service.name') anymore. Doing so leads to a ServiceNotFoundException.
Unfortunately, this bundle makes use of $container->get() to get LightSAML services. Thus, they need to be either marked public (easy solution) or injected using DI (this is the recommended solution).
Note: this issue affects both SpBundle and SymfonyBridgeBundle 😉
Hi,
I am facing an issue while downloading the package via composer. I am using the command composer require "lightsaml/sp-bundle"
but it shows the following error. I'd appreciate help on this.
[InvalidArgumentException]
Could not find package lightsaml/sp-bundle at any version for your minimum-stability (stable). Check the package spelling or your minimum-stability
Hello, my implemented SAML flow suddenly stopped working with the following Error message:
Uncaught PHP Exception LightSaml\Error\LightSamlSecurityException: "Algorithm mismatch between input key and key used to encrypt the symmetric key for the message. Input key algo is: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'. Message key algo is 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'"
What is in this context the "input key" and what is the "message key"?
Because I did not change anything on my side, I assume that the ADFS settings were changed by someone. Is this the right conclusion for this case?
Any help would be appreciated, Thx. :-)
Hi,
I have a legacy application that works with simplesamlphp, but I'm trying to make it work inside the Symfony framework. I looked at the documentation but I didn't find a section in which the location of the simplesamlphp config directory is described well.
For example, in my application I use simplesaml/configuration.php to tell the app who the IdP is.
Where do I have to put these files inside the Symfony framework directories?
THX
I was wondering if it is possible to merge the attributes from the SamlSpToken back into the user object.
In my particular use case I want to update the user roles provided by the IdP in the database after a successful login.
Edit: As a workaround I have not specified the "provider" option in the firewall config. This way the user_creator service is always used after a successful login. This feels like a hack though.
Hello,
First of all, thank you for this beautiful library.
I have a Symfony app working with an Azure AD. The authentication works in production: I set the entity_id as my web site domain, the response URL to my_domain/saml/login_check, and everything is fine.
The problem is that the authentication doesn't work when I authenticate to Azure AD from localhost; I get the error in the title.
I think the problem is that when the prod server gets the response from Azure AD after my local authentication, the prod server doesn't recognize my local server and pops the error.
Is there a way to make my authentication work from local and production at the same time?
Thanks !
Hi all,
I go to /saml/login
I'm redirected to /saml/discovery, I choose my IdP
I'm redirected to /saml/login?idp=<url_ipd>
and I see
Unable to generate a URL for the named route "lightsaml.login_check"
Please, can you help me?
Hi, I am running into an issue with setting up Authentication in Symfony 2.8 with Saml plugin (https://www.lightsaml.com/SP-Bundle/Getting-started/).
Problem:
I want to be able to log in via SAML and via going to the admin page. The /admin/login page works fine; I see the user authenticated from the database. However, when I try to go through the SAML process, I always land on the /discovery page. When I look at the logs, I do see the user is authenticated, but the page is redirected to the discovery page. So, I think I have something not correctly configured in the security settings. Please let me know if you can help.
Here are the settings from the config/security.yml file:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login_firewall:
        pattern: ^/saml/login$
        anonymous: ~
    discovery_firewall:
        pattern: ^/saml/discovery$
        anonymous: ~
    secured_area:
        pattern: ^/
        anonymous: ~
        light_saml_sp:
            provider: db_provider # user provider name configured in step 9
            #user_creator: user_creator # name of the user creator service created in step 10
            login_path: /saml/login
            check_path: /saml/login_check
            default_target_path: /profile
        form_login:
            login_path: /admin/login
            check_path: /admin/login_check
            default_target_path: /
        remember_me: true
        logout:
            path: /logout
            target: /
        # activate different ways to authenticate
        # http_basic: ~
        # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate
        # form_login: ~
        # http://symfony.com/doc/current/cookbook/security/form_login_setup.html
access_control:
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/profile, roles: ROLE_USER }
Since I use this bundle (which is working fine), switch_user is not working: I get an ERR_TOO_MANY_REDIRECTS error.
My configuration:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    secured_area:
        switch_user: true
        light_saml_sp:
            provider: db_provider
            login_path: /saml/login
            check_path: /saml/login_check
            failure_handler: auth_fail
            success_handler: login_handler
        logout:
            path: lightsaml_sp.logout
            target: /
            invalidate_session: false
        anonymous: ~
Hi guys,
I am working with your component and I have a specific necessity.
I want to use an SSO service with your package, but I also want to use the in_memory default symfony solution as a fallback.
I tried to use a chained provider and also tried to specify the fallback like this:
my_firewall:
    pattern: ^/saml
    security: true
    light_saml_sp:
        provider: my_saml_user_provider
        user_creator: my_saml_user_factory
        login_path: /login
        check_path: /saml/login_check
        always_use_default_target_path: true
        default_target_path: /admin
        require_previous_session: false
    logout:
        path: /logout
    http_basic:
        realm: "Access denied"
        provider: in_memory
It doesn't work, I just continue being redirected to the login page. How can I make it trigger the in_memory provider as a fallback? Thanks
When the Symfony firewall intercepts a request and redirects the user to the IDP for authentication, the RelayState is not included in the redirect to the IDP. Consequently, when the user is returned from the IDP, they end up on the home page of the Symfony application, rather than the page they were attempting to access.
Is this supported? If so, is this a configuration option that I have not included?
Hi,
I'm trying to move some projects from AerialShip SamlSpBundle to lightSaml SpBundle and I'm facing some issues.
For an application acting as an SP, I was using an entity descriptor provider for the IdP declaration. But the new symfony bridge configuration seems to only allow static xml files.
Is there a way to configure a service implementing the EntityDescriptorProviderInterface somewhere?
Hi
I have integrated the SP bundle with a simplesamlphp server, which works great.
Is there a way to log out from the application and from the IdP at the same time? After logging out successfully and re-accessing a secured resource, it just gets a valid session from the simplesamlphp server without asking for credentials.
Regards
Hi.
This issue might be for the core part of lightSAML and not the SpBundle.
We integrate against an ADFS that uses rolling switchover when their certificates expire.
I would expect to be able to use multiple certificates in the IdP XML like
<md:KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>{certificate1}</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>{certificate2}</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>{certificate2}</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
But I get the following error when verifying the response:
Call to a member function removeChild() on null
in vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php at line 489
    {
        $docElem = $this->sigNode->ownerDocument->documentElement;
        if (! $docElem->isSameNode($this->sigNode)) {
            $this->sigNode->parentNode->removeChild($this->sigNode);
        }
As I read the description in the SAML 2 errata (http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.html), multiple KeyDescriptor elements should be valid:
The inclusion of multiple elements with the same use attribute (or no such attribute) indicates that any of the included keys may be used by the containing role or affiliation. A relying party SHOULD allow for the use of any of the included keys. When possible the signing or encrypting party SHOULD indicate as specifically as possible which key it used to enable more efficient processing.
Thanks.
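The erratum quoted above says a relying party should accept any of the published keys, which is exactly what an IdP doing a rolling certificate switchover relies on. The following is an added example (not LightSAML code and not from the issue) that collects every candidate signing certificate from IdP metadata shaped like the XML above and tries each one in turn; the metadata, entity ID and certificate blobs are constructed placeholders, and the `verify` callback stands in for the real XML signature check.

```python
"""Select every candidate signing key from IdP metadata (added example)."""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like the metadata in the issue: the old signing
# cert, the new cert listed for both uses, and one descriptor with no "use"
# attribute (which the spec treats as valid for both signing and encryption).
# Certificate bodies are placeholders (base64 of "CERT1", "CERT2", "CERT3").
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Q0VSVDE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q0VSVDI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q0VSVDI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q0VSVDM=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def candidate_certs(metadata_xml, use):
    """Return the de-duplicated base64 certificates usable for `use`.

    A KeyDescriptor with no `use` attribute counts for every use. Whitespace
    inside the certificate text is dropped, and each blob must decode as
    base64 so that a truncated or mangled entry is rejected up front.
    """
    root = ET.fromstring(metadata_xml)
    seen, result = set(), []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        declared = kd.get("use")
        if declared is not None and declared != use:
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            blob = "".join((cert.text or "").split())
            try:
                base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError) as exc:
                raise ValueError("malformed X509Certificate in metadata") from exc
            if blob and blob not in seen:
                seen.add(blob)
                result.append(blob)
    return result


def verify_with_any(certs, verify):
    """Try each candidate certificate in turn; return the one that verifies.

    `verify(cert)` is a caller-supplied predicate (placeholder for the real
    XML signature check). None means the message matched no published key,
    which a relying party must treat as a failed signature.
    """
    for cert in certs:
        if verify(cert):
            return cert
    return None


if __name__ == "__main__":
    signing = candidate_certs(SAMPLE_METADATA, "signing")
    # Pretend the IdP has already switched to the new key (CERT2).
    print(verify_with_any(signing, lambda c: c == "Q0VSVDI="))
```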
I get
Unknown InResponseTo '_68b93e494c86295ff7d21d274486ab489b429f17ed'
because the id store doesn't save any id. Should I save the id manually in the login action? (I have overwritten the DefaultController in a child bundle.)
P.S. I don't know why, but this bundle is VERY HARD to work with. The documentation is poor and the architecture is complicated. I usually spend 1-3 hours to find out how one parameter is used or why I get an error. Sorry, I've found the architecture description.
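The "Unknown InResponseTo" error above is the SP refusing a Response that refers to an AuthnRequest it has no record of, so the request ID has to be stored when the AuthnRequest is sent and looked up (and used up) when the Response arrives. The following is an added example, not the bundle's own id store, that shows those two halves with an in-memory store: the entity IDs and the samlp:Response stub are constructed, and the ID shape only mimics the one in the error.

```python
"""Record outbound AuthnRequest IDs so inbound Responses can be checked (added example)."""
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


class UnknownInResponseTo(ValueError):
    """Raised when a Response names a request this SP never sent (or already used)."""


class RequestIdStore:
    """Keeps the IDs of AuthnRequests still awaiting a Response."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # request id -> (idp entity id, expires at)

    def new_request_id(self, idp_entity_id):
        # Same shape as the id in the issue ("_" + 40 hex chars); LightSAML's
        # own generator is not reproduced here.
        request_id = "_" + secrets.token_hex(20)
        self.register(request_id, idp_entity_id)
        return request_id

    def register(self, request_id, idp_entity_id):
        self._pending[request_id] = (idp_entity_id, self._clock() + self._ttl)

    def consume(self, in_response_to, issuer):
        """Accept a Response once; a second use (replay) fails like an unknown id."""
        entry = self._pending.pop(in_response_to, None)
        if entry is None:
            raise UnknownInResponseTo("Unknown InResponseTo '%s'" % in_response_to)
        idp_entity_id, expires_at = entry
        if self._clock() > expires_at:
            raise ValueError("AuthnRequest expired before the Response arrived")
        if idp_entity_id != issuer:
            raise ValueError("Response issuer does not match the IdP the request went to")
        return True


def check_response(store, response_xml, allow_unsolicited=False):
    """Match a samlp:Response against the store; return the request id, or None if unsolicited."""
    root = ET.fromstring(response_xml)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response")
    issuer_el = root.find(SAML + "Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated SSO carries no InResponseTo; only accept it when configured to.
        if allow_unsolicited:
            return None
        raise ValueError("unsolicited Response rejected")
    store.consume(in_response_to, issuer)
    return in_response_to


def sample_response(in_response_to, issuer="https://idp.example.test/adfs/services/trust"):
    """Constructed Response stub carrying only the fields checked here (no assertion)."""
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"'
        + attr + "><saml:Issuer>" + issuer + "</saml:Issuer></samlp:Response>"
    )


if __name__ == "__main__":
    store = RequestIdStore()
    rid = store.new_request_id("https://idp.example.test/adfs/services/trust")
    print(check_response(store, sample_response(rid)))  # matched once
```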
Symfony has its own security component split into separate repos:
https://github.com/symfony?utf8=%E2%9C%93&q=security&type=&language=
It might be useful for people using only the component, but not the framework, to use your security component integration (but not the rest of the bundle).
Hi, I have an error when I install this bundle. When I run $ composer.phar require lightsaml/sp-bundle, this error appears:
The child node "own" at path "light_saml_symfony_bridge" must be configured.
What can I do?
Thanks in advance
I'm having problems providing both a SAML based login and a traditional login form. The SpBundle keeps redirecting to the IdP. Can you suggest a way to have both of these working together?
Regards,
Hi,
I am working on the integration of lightSAMLSpBundle for some applications in our company. We have set things up so as to use only one identity provider.
If you want to filter out some users at the time of authentication, the UserCreator->createUser() function should never return null. Contrary to the UserCreatorInterface documentation, returning null in the context of a delegated authentication will create a redirect loop between the identity provider and your Symfony application.
Since UserCreator->createUser() is called in the context of a Symfony AuthenticationProviderInterface, returning null will throw an AuthenticationException and Symfony is going to redirect the user to the login form. But the login form is located at the identity provider, and it just told Symfony that the guy was a legitimate user. From there, the loop is created.
Therefore, your application should always trust the SSO service and create the user even if you don't like him.
But if you still want to deny access to your application, you should just not give him any roles. Here is a UserCreator class modified from the example in the Getting Started guide:
<?php
// src/AppBundle/Security/User/UserCreator.php
namespace AppBundle\Security\User;

use AppBundle\Entity\User;
use Doctrine\Common\Persistence\ObjectManager;
use LightSaml\Model\Protocol\Response;
use LightSaml\SpBundle\Security\User\UserCreatorInterface;
use LightSaml\SpBundle\Security\User\UsernameMapperInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class UserCreator implements UserCreatorInterface
{
    /** @var ObjectManager */
    private $objectManager;

    /** @var UsernameMapperInterface */
    private $usernameMapper;

    /**
     * @param ObjectManager           $objectManager
     * @param UsernameMapperInterface $usernameMapper
     */
    public function __construct($objectManager, $usernameMapper)
    {
        $this->objectManager = $objectManager;
        $this->usernameMapper = $usernameMapper;
    }

    /**
     * Always returns a User: returning null here would send the user back to
     * the IdP, which is the redirect loop described above.
     *
     * @param Response $response
     *
     * @return UserInterface|null
     */
    public function createUser(Response $response)
    {
        $username = $this->usernameMapper->getUsername($response);

        // Placeholder: replace with your own admission rule (for example
        // based on the attributes carried in $response).
        $iWantUserIn = true;

        $user = new User();
        $user->setUsername($username);
        if ($iWantUserIn) {
            $user->setRoles(['ROLE_USER']);
        } else {
            // I know this user but I don't want him in right now.
            // But one day, maybe I can grant him some roles.
            // With no roles, access_control stops him at the SP with a 403
            // instead of looping back to the IdP.
        }
        $this->objectManager->persist($user);
        $this->objectManager->flush();

        return $user;
    }
}
Not sure if this is an issue. Perhaps this is more a subject for a cookbook?
I hope this will help.
Hi all!
I'm trying to integrate lightsaml with adfs, but here is the stack of the exception I have.
I think there is a problem with signature...
Hope it helps...
I'm using as dependencies:
"symfony/symfony": "2.7.*",
"lightsaml/sp-bundle": "^1.0"
Error: Call to a member function removeChild() on a non-object
500 Internal Server Error - FatalErrorException
Stack Trace (Plain Text) -
[1] Symfony\Component\Debug\Exception\FatalErrorException: Error: Call to a member function removeChild() on a non-object
at n/a
in /var/www/cnh_pbo-cms/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php line 489
at RobRichards\XMLSecLibs\XMLSecurityDSig->validateReference()
in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Model/XmlDSig/SignatureXmlReader.php line 76
at LightSaml\Model\XmlDSig\SignatureXmlReader->validate()
in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Model/XmlDSig/AbstractSignatureReader.php line 62
at LightSaml\Model\XmlDSig\AbstractSignatureReader->validateMulti()
in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Validator/Model/Signature/SignatureValidator.php line 58
at LightSaml\Validator\Model\Signature\SignatureValidator->validate()
in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Assertion/Inbound/AssertionSignatureValidatorAction.php line 56
at LightSaml\Action\Assertion\Inbound\AssertionSignatureValidatorAction->doExecute()
in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Assertion/AbstractAssertionAction.php line 39
at LightSaml\Action\Assertion\AbstractAssertionAction->execute()
in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/CompositeAction.php line 74
at LightSaml\Action\CompositeAction->execute()
in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/Inbound/Response/AssertionAction.php line 54
at LightSaml\Action\Profile\Inbound\Response\AssertionAction->doExecute()
in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/AbstractProfileAction.php line 41
at LightSaml\Action\Profile\AbstractProfileAction->execute()
in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/CompositeAction.php line 74
at LightSaml\Action\CompositeAction->execute()
in /var/www/cnh_pbo-cms/vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Firewall/LightSamlSpListener.php line 67
at LightSaml\SpBundle\Security\Firewall\LightSamlSpListener->receiveSamlResponse()
in /var/www/cnh_pbo-cms/vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Firewall/LightSamlSpListener.php line 50
at LightSaml\SpBundle\Security\Firewall\LightSamlSpListener->attemptAuthentication()
in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php line 146
at Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->handle()
in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 2574
at Symfony\Component\Security\Http\Firewall->onKernelRequest()
in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php line 61
at call_user_func()
in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php line 61
at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke()
in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 1834
at call_user_func()
in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 1834
at Symfony\Component\EventDispatcher\EventDispatcher->doDispatch()
in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 1763
at Symfony\Component\EventDispatcher\EventDispatcher->dispatch()
in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/TraceableEventDispatcher.php line 124
at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch()
in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 3099
at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 3072
at Symfony\Component\HttpKernel\HttpKernel->handle()
in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 3223
at Symfony\Component\HttpKernel\DependencyInjection\ContainerAwareHttpKernel->handle()
in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 2442
at Symfony\Component\HttpKernel\Kernel->handle()
in /var/www/cnh_pbo-cms/web/app_dev.php line 28
at {main}()
in /var/www/cnh_pbo-cms/web/app_dev.php line 0
Hi
I'm trying to integrate SSO for my Symfony 2 application. Our app should act as Service Provider and the authentication should be handled from our Active Directory ADFS server.
I already installed the latest bundle "lightsaml/sp-bundle":"^1.1" and configured the required classes as per the instruction.
So far the application is already redirecting to the /saml/login and /saml/discovery and the page displays all the available IDP's.
But I'm just confused about how/what to set in the configuration based on the information that was given to me by our IdP. BTW, our IdP I think is ADFS 2.0.
Our IDP provided the following
party:
    idp:
        files:
            - "%kernel.root_dir%/../src/AppBundle/Security/LightSAML/federationmetadata.xml"
-----BEGIN CERTIFICATE-----
MIIDADCCAeigAwIBAgIQBLAHBLAHBLAH...
-----END CERTIFICATE-----
Entity ID URI - where should I set this in the config?
http://fs2.federation.net/adfs/services/trust
Login URL (For System Configuration)
https://fs2.federation.net/adfs/ls/idpinitiatedsignon.aspx
Login URL (Clickable, can be used for user login)
https://fs2.federation.net/adfs/ls/idpinitiatedsignon.aspx?logintorp=<YOUR-URN>
Logout URL
https://fs2.federation.net/adfs/ls/?wa=wsignout1.0
Now, they are also asking us to provide the following information:
What federation protocol do you support? I chose "SAML 2.0" over "WS-Federation".
Please list relying party Identifiers. This may include a URN, URL or both.
What should I provide to them? Our application base URL?
Please list any Claims (assertion attributes) which you will require from us.
For example Email Address sent as NameID
Attribute | Set as
Thank You
I'm trying to configure this bundle, but I'm having the problem that when I try to login it ends up in an infinite redirection loop. I have my own Id Provider and I registered this installation as an SP with AssertionConsumerService as /saml/login_check and the SingleLogoutService as /logout.
Or there is a way to set up this bundle as my own IdP so that other service can authenticate against it.
Thanks for your help
Boolean should be compared strictly
src/LightSaml/SpBundle/Controller/DefaultController.php, line 46
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 103
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 107
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 151
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 159
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 173
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 179
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 232
https://travis-ci.org/lightSAML/SpBundle/jobs/173215520
$ php php-cs-fixer.phar fix --dry-run -v
HHVM needs to be a minimum version of HHVM 3.9.0
The command "php php-cs-fixer.phar fix --dry-run -v" exited with 1.
Hi,
Thanks for your bundle. I'm new to using the SAML protocol and I don't understand how I can get the site metadata for the IdP implementation.
I don't really understand what I should write in this config parameter (entity_id). The URL of my website?
entity_id: http://localhost/lightsaml/demosp
Can you help me ?
I don't know if it's the right place for making questions, sorry if not.
I have a Symfony application serving as a small content management system. I am able to log into the application perfectly when I have not previously signed into via another application. However, when I sign into another application first and then go into the symfony application I get the looping redirect which dies with a 500 error at /saml/login_check. I have tried many configurations and am aware of the various discussion threads and have also updated to the latest version of the bundle. Assistance with the issue is appreciated.
request.CRITICAL: Uncaught PHP Exception LightSaml\Error\LightSamlAuthenticationException: "Unsuccessful SAML response: urn:oasis:names:tc:SAML:2.0:status:Responder " at /var/www/faculty/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/Inbound/StatusResponse/StatusAction.php line 48 {"exception":"[object] (LightSaml\Error\LightSamlAuthenticationException(code: 0): Unsuccessful SAML response: urn:oasis:names:tc:SAML:2.0:status:Responder\n at /var/www/faculty/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/Inbound/StatusResponse/StatusAction.php:48)"} []
168.30.- - [31/May/2018:17:27:57 -0400] "POST /saml/login_check HTTP/1.1" 500 495
I have tried many variations of the security config. This just happens to be one currently in place:
main:
    anonymous: ~
    light_saml_sp:
        provider: db_provider # user provider name configured in step 9
        user_creator: user_creator # name of the user creator service created in step 10
        login_path: /saml/login
        check_path: /saml/login_check
        default_target_path: /dashboard
        force: true
    logout:
        path: /logout
I am happy to post other config or class information.
Fredrick
@tmilos In the old repository there was a PR for adding the checkPreAuth, is it possible to add this feature, because I think it would be necessary for extra security checks.
https://github.com/aerialship/SamlSPBundle/pull/44/files
By adding this check it's possible to add the default checks isAccountNonLocked, isEnabled & isAccountNonExpired by using the AdvancedUserInterface.
Should I create a PR for this (including the missing test)?
Thank you!
Hi, I'm trying to define a custom user_checker by doing:
saml:
    context: app
    pattern: /saml(.*)
    user_checker: my_custom_user_checker
    ...
But the user_checker is ignored and the default one is used which I don't want.
The only way I have found so far is to override the following service in my app:
security.authentication.provider.lightsaml_sp:
    class: LightSaml\SpBundle\Security\Authentication\Provider\LightsSamlSpAuthenticationProvider
    arguments:
        - ~ # provider key
        - ~ # user provider
        - ~ # force
        - "@my_custom_user_checker"
        - "@lightsaml_sp.username_mapper.simple" # username mapper
        - ~ # user creator
        - "@lightsaml_sp.attribute_mapper.simple" # attribute mapper
        - ~ # token factory
    abstract: true
I'm not sure if this is a bug or not, but I think the bundle should take the 'user_checker' parameter (if given) instead of using the default one.
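The checkPreAuth request two posts up and the user_checker wiring in this post both end in the same component: a Symfony UserCheckerInterface implementation that the authentication provider consults before it accepts the SAML token. The class below is an added example for this page, not code from lightsaml/spbundle. It is written against the Symfony 2.8/3.x/4.x interface (no return type declarations, AdvancedUserInterface still available) and enforces the SP's own account state: the IdP's assertion says who the user is, not whether this application still wants to let that account in. The namespace and class name are assumptions; it would be wired in where the override above passes `@my_custom_user_checker`.

```php
<?php
// Added example, not part of lightsaml/spbundle. A Symfony user checker that
// refuses locally disabled, locked or expired accounts on SAML logins.
// Assumes symfony/security-core 2.8-4.x (UserCheckerInterface without
// return types). Namespace and class name are assumptions.

namespace AppBundle\Security;

use Symfony\Component\Security\Core\Exception\AccountExpiredException;
use Symfony\Component\Security\Core\Exception\DisabledException;
use Symfony\Component\Security\Core\Exception\LockedException;
use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class SamlUserChecker implements UserCheckerInterface
{
    /**
     * Runs before the SAML response token is turned into an authenticated
     * token. Any exception here aborts the login; the order of the checks
     * only decides which message the user sees.
     */
    public function checkPreAuth(UserInterface $user)
    {
        if (!$user instanceof AdvancedUserInterface) {
            // A user created on the fly by user_creator may not implement the
            // extended interface; there is then no local state to enforce.
            return;
        }

        if (!$user->isAccountNonLocked()) {
            $e = new LockedException('User account is locked.');
            $e->setUser($user);
            throw $e;
        }
        if (!$user->isEnabled()) {
            $e = new DisabledException('User account is disabled.');
            $e->setUser($user);
            throw $e;
        }
        if (!$user->isAccountNonExpired()) {
            $e = new AccountExpiredException('User account has expired.');
            $e->setUser($user);
            throw $e;
        }
    }

    /**
     * Runs after the token is built. Symfony's default checker tests
     * credential expiry here; with SAML the SP never sees a password, so
     * that check is deliberately omitted rather than locking users out.
     */
    public function checkPostAuth(UserInterface $user)
    {
    }
}
```

The disabled and locked checks belong in checkPreAuth rather than in the user provider: a provider that throws UsernameNotFoundException for a disabled user would, with a user_creator configured, simply cause a fresh account to be created for the same SAML identity.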
When I'm redirected to /saml/login_check
I get an error:
Invalid inbound message destination "http://xxxxx/saml/login_check"
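Both the "Unsuccessful SAML response: urn:oasis:names:tc:SAML:2.0:status:Responder" error reported by Fredrick above and the "Invalid inbound message destination" error in this post are decided by two fields of the same message, the samlp:Response the IdP POSTs to login_check. A Responder status means the IdP itself declined to issue an assertion; the SP cannot repair that, and the reason, when the IdP gives one, sits in the nested StatusCode and StatusMessage. The Destination attribute must equal, byte for byte, the URL the message was delivered to, which is why an SP behind a TLS-terminating proxy that sees itself as http:// fails the check. The script below is an added diagnostic for this page, not code from lightsaml/spbundle or LightSAML; it takes the base64-decoded SAMLResponse XML and prints both pieces of information. The sample response and the expected ACS URL are constructed.

```php
<?php
// Added diagnostic, not code from lightsaml/spbundle or LightSAML. Given the
// decoded SAMLResponse XML that an IdP POSTs to the SP, it reports the status
// tree (for an "Unsuccessful SAML response" error) and checks the Destination
// attribute against the ACS URL the SP expects (for an "Invalid inbound
// message destination" error). All sample values below are constructed.

declare(strict_types=1);

const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';
const STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';

/**
 * Parses a samlp:Response and returns destination, InResponseTo and status
 * details. Refuses anything that is not a well-formed samlp:Response and
 * anything carrying a DTD, so a hostile message cannot use entity expansion
 * or external entities against the SP.
 */
function inspectSamlResponse(string $xml): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('SAMLResponse is not well-formed XML');
    }
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('SAMLResponse carries a DTD; refused');
    }
    $root = $doc->documentElement;
    if ($root->namespaceURI !== SAMLP_NS || $root->localName !== 'Response') {
        throw new InvalidArgumentException('Root element is not samlp:Response');
    }

    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', SAMLP_NS);
    $first = static function (string $query) use ($xp, $root): ?string {
        $nodes = $xp->query($query, $root);
        return ($nodes !== false && $nodes->length > 0) ? trim($nodes->item(0)->nodeValue) : null;
    };

    return [
        'destination'    => $root->hasAttribute('Destination') ? $root->getAttribute('Destination') : null,
        'in_response_to' => $root->hasAttribute('InResponseTo') ? $root->getAttribute('InResponseTo') : null,
        'status'         => $first('samlp:Status/samlp:StatusCode/@Value'),
        // The second-level code and the message are where the IdP says why it refused.
        'sub_status'     => $first('samlp:Status/samlp:StatusCode/samlp:StatusCode/@Value'),
        'status_message' => $first('samlp:Status/samlp:StatusMessage'),
    ];
}

/**
 * SAML requires a present Destination to equal the URL the message was
 * actually delivered to. The comparison is exact (scheme, host, port, path);
 * normalising it away would let a response meant for one endpoint be
 * replayed at another.
 */
function destinationMatches(?string $destination, string $acsUrl): bool
{
    return $destination === null || $destination === $acsUrl;
}

// Constructed sample: an IdP declining to issue an assertion, with a
// Destination that differs from the SP's advertised ACS URL by scheme only.
$sample = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_c0ffee" Version="2.0" IssueInstant="2018-05-31T21:27:57Z"
    Destination="http://sp.example.org/saml/login_check" InResponseTo="_abc123">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Passive authentication not possible.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>
XML;

$info = inspectSamlResponse($sample);
if ($info['status'] !== STATUS_SUCCESS) {
    printf("IdP refused: %s / %s (%s)\n", $info['status'], $info['sub_status'] ?? '-', $info['status_message'] ?? 'no message');
}
$expectedAcs = 'https://sp.example.org/saml/login_check'; // what the SP's metadata advertises (assumed)
printf("Destination %s matches ACS: %s\n", $info['destination'] ?? '(absent)',
    destinationMatches($info['destination'], $expectedAcs) ? 'yes' : 'NO');
```

When the destination check fails, the URL in the error message is what the SP believes it was reached at; compare it with the AssertionConsumerService Location in the SP's metadata.xml rather than with what the browser shows, since a proxy in front of PHP is usually what makes the two differ.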
Hi everyone,
Is it possible to redirect the user to a different URL than the one he initially came from? Let's say a user is on example.com/shop, clicks on example.com/login, gets redirected to my IDP, and I want to redirect him back to example.com/shop after successful login.
Edit: To clarify what I'd like to do:
When using simplesamlphp you can do something like that:
$auth->requireAuth(array( 'ReturnTo' => 'https://sp.example.org/mycustompath' ));
@tmilos Any Idea?
Thanks
Chris
Hello,
I am a newbie in SAML, but I have a mission to use Shibboleth as one of our services to authenticate users. Sorry if this issue is a duplicate of #20, but I have serious trouble with this error when I receive the response from the IdP.
Here are the metadata files, if they could be of help.
sp:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://xxx.xxx.com">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        ...
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIC9zCCAd+gAwIBAgIEfe6j3jANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFTQU1MIE1ldGFkYXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTYwNzI5MDczNjM4WhcNMjYwNjA3MDczNjM4WjAsMSowKAYDVQQDEyFTQU1MIE1ldGFkYXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvX69N/roE+BhQXuybhP75br2oxXIZCf3A2qkEtzqynnd6r8lFM5QPbph6GOyV3mo3nYG/avlAbujhVTXbdqRdRjO6m+rV/62YX03Bhrsw8Q8XMLMkeE1eNk1HFyxbVYtbfh+FAKbShqTehI+g2jmp4aKM2xNKSBK3WY8fQ/x33lp/ZUmdPrNutyXG8fh6aqlP2gYuxaopYuUhtnu7U9SO41XAse6P3T39qmYLXdEEilXnZ97Lip7LfhudEd0JOSdl439MktMn2ExbPP1Nt2N8gVqIXsx5j45hFfNQl5C4ccy7/Yh6aShHbqZiLqKu+bHwB09w8LBxErDYJrjEuFs3AgMBAAGjITAfMB0GA1UdDgQWBBTT88iZzWO+hN9SBUkpx871lmTuLTANBgkqhkiG9w0BAQsFAAOCAQEABoPpODryXwiM5jjtqk6veR02FevCKHpZP6Od7Kqcfs6lg5LcQmGUOgpmW3Gg4UMjBYkgARsT2Nsnah1CJqa8cjvv8p5KEIhY0hVS8iMJnrb3PDeiFSeP4xSfct/6z/ebV4+QFl22bsm2zpAC6BpFz8+IJ/jAmQzTVob4MAUeQPnwwzm3xz6yanLZx7BK5cfrTCa+hrarNQCboRjXPwiejF8WRCxpgRHH6yNs5QH/Z6o5e3tUP7uEpn2Ob+kcLsEMGb9DghkoDAgkHCOZeTy+7hgxt+/T94cLTa58gVtvEOnd0GuL7Vfd+IVdXgSard8RfR3OyZlf6M4aSGQA73sskQ==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <AssertionConsumerService index="0" isDefault="false" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxx.xxx.com"/>
    </SPSSODescriptor>
</EntityDescriptor>
idp: https://shibboleth.csi.uvsq.fr/idp/shibboleth
It works with https://test.federation.renater.fr/idp/shibboleth, but not with this IdP; I get "No credentials resolved for signature verification" every time.
I really do not understand how it works. Big thanks if you can give me some clue about this issue.
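"No credentials resolved for signature verification" means the SP found no key to check the IdP's signature against. Two things are worth confirming before anything else: that the Issuer in the response is exactly the entityID of the IdP metadata the SP has loaded, and that this metadata actually offers a certificate usable for signing. The script below is an added example for this page, not code from the bundle or LightSAML, and does the second check: it lists every certificate a metadata file offers for signature verification, treating a KeyDescriptor without a `use` attribute as valid for both signing and encryption, as the SAML metadata specification allows, and skipping `use="encryption"`. The SHA-256 fingerprints it prints can be compared against the certificate the IdP actually signs with. The sample metadata and its certificates are constructed placeholders.

```php
<?php
// Added diagnostic, not part of lightsaml/spbundle or LightSAML. Lists the
// certificates that a SAML metadata file offers for signature verification,
// the first thing to check when the SP reports that it has no credential to
// verify the IdP's signature with. Sample metadata below is constructed.

declare(strict_types=1);

const MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';
const DS_NS = 'http://www.w3.org/2000/09/xmldsig#';

/**
 * Returns one entry per certificate usable for signing:
 * ['role' => 'IDPSSODescriptor'|'SPSSODescriptor', 'use' => string, 'sha256' => string].
 * A KeyDescriptor without a use attribute covers both signing and encryption
 * (SAML Metadata 2.4.1.1), so it is included; use="encryption" is not.
 */
function signingCertificates(string $metadataXml): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($metadataXml, LIBXML_NONET) || $doc->doctype !== null) {
        throw new InvalidArgumentException('Metadata is not well-formed XML or carries a DTD');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', MD_NS);
    $xp->registerNamespace('ds', DS_NS);

    $found = [];
    foreach ($xp->query('//md:IDPSSODescriptor/md:KeyDescriptor | //md:SPSSODescriptor/md:KeyDescriptor') as $kd) {
        $use = $kd->getAttribute('use'); // '' when the attribute is absent
        if ($use === 'encryption') {
            continue;
        }
        foreach ($xp->query('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $kd) as $certNode) {
            // Strict decoding: a certificate that is not valid base64 is skipped, not trusted.
            $der = base64_decode(preg_replace('/\s+/', '', $certNode->textContent), true);
            if ($der === false) {
                continue;
            }
            $found[] = [
                'role'   => $kd->parentNode->localName,
                'use'    => $use === '' ? 'signing+encryption (unspecified)' : $use,
                'sha256' => hash('sha256', $der),
            ];
        }
    }
    return $found;
}

// Constructed sample metadata, not any real IdP's. The certificate bodies are
// placeholders, not X.509 data, so only their presence and fingerprint matter here.
$signingOnly = base64_encode('placeholder: not a real X.509 certificate (use=signing)');
$unspecified = base64_encode('placeholder: not a real X.509 certificate (no use attribute)');
$encOnly     = base64_encode('placeholder: not a real X.509 certificate (use=encryption)');
$sample = <<<XML
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{$signingOnly}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{$unspecified}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{$encOnly}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;

$certs = signingCertificates($sample);
if ($certs === []) {
    echo "No signing certificate in metadata: signature verification cannot succeed.\n";
}
foreach ($certs as $c) {
    printf("%-16s %-34s sha256=%s\n", $c['role'], $c['use'], $c['sha256']);
}
```

Run against the real IdP metadata the SP has stored, the script should print at least one line; if it prints only the "No signing certificate" message, the SP is failing for the right reason and the fix is on the metadata side. If it prints certificates and the error persists, check the Issuer/entityID match next, since a resolver that queries by entity ID will find nothing for an issuer it has never seen.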
I'm setting lightSAML SpBundle v1.2.0 (Symfony 2.8.44) for the first time and it seems to be partially working, but I'm having the following issue after getting my login_check redirection (IdP user exists and it does match user resolution):
Type error: Argument 1 passed to blah\Security\UsernameMapper::getUsername() must be an instance of LightSaml\Model\Protocol\Response, null given, called in blah/vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php on line 188
The problem doesn't seem to come from the custom username mapper since the same thing happens with the default one.
Interestingly, when the framework sets the token on the token storage, I have the response attribute there (vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php:209), but when it recovers from the session for unserializing, I get:
string(121)"C:68:"LightSaml\SpBundle\Security\Authentication\Token\SamlSpResponseToken":40:{a:4:{i:0;N;i:1;b:0;i:2;a:0:{}i:3;a:0:{}}}"
/home/wedesygn/Dev/webrand/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/ContextListener.php:79
Where there is clearly no reference to the Response (or any other valuable information).
I couldn't find much more by debugging, so not sure if it's a configuration issue on my end or a legit bug.
Thanks either way!