
spbundle's Introduction

LightSAML SP Bundle


SAML 2.0 SP Symfony bundle based on LightSAML.

Getting Started

spbundle's People

Contributors: cb8, enc3phale, iainmckay, rudott, thebabayaga, tmilos

spbundle's Issues

/saml/login_check : route wrongly configured

Hi,
I configured SpBundle following the Getting Started tutorial. I got all routes working (login, discovery, metadata.xml, sessions), but when the IdP calls the login_check route POSTing the SAMLResponse, I get the following error:

Unable to find the controller for path "/saml/login_check". The route is wrongly configured.

The controller could not be found.
Did I miss something?

Thanks.

didn't create roles for SamlSpToken

It came with the error below:

Catchable Fatal Error: Argument 1 passed to LightSaml\SpBundle\Security\Authentication\Token\SamlSpToken::__construct() must be of the type array, null given,

When I checked the token created in SamlSpTokenFactory, it didn't create the roles, while they cannot be null in SamlSpToken->__construct. Could anyone help me with this?

in vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Authentication/Token/SamlSpToken.php (line 27)
SamlSpToken->__construct(null, 'main', array('username' => 'johndoe', 'email' => '[email protected]'), object(User))
in vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Authentication/Token/SamlSpTokenFactory.php (line 34)
$token = new SamlSpToken( $user instanceof UserInterface ? $user->getRoles() : [], $providerKey, $attributes, $user ); return $token; }}
SamlSpTokenFactory->create('main', array('username' => 'johndoe', 'email' => '[email protected]'), object(User), object(SamlSpResponseToken))
in vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php (line 137)
$result = $this->tokenFactory->create( $this->providerKey, $attributes, $user, $token ); } else { $result = new SamlSpToken( $user instanceof UserInterface ? $user->getRoles() : [], $this->providerKey, $attributes,

Fatal Error: redirectToRoute() not found

Hi,

I am implementing sp-bundle in Symfony 2.3 project. It appears that this function was implemented in Symfony 2.6. Can you help?

FatalErrorException: Error: Call to undefined method LightSaml\SpBundle\Controller\DefaultController::redirectToRoute() in C:\DATA\Projects\PHP\Symfony2\Symfony2-LightSAML-SP\vendor\lightsaml\sp-bundle\src\LightSaml\SpBundle\Controller\DefaultController.php line 47

Absolute URL behind load balancer

Our application is behind a load balancer running on port 80. The SSL certificate is at the load balancer, running on port 443. When we generate the metadata, the ACS URL is http. We need https. If we force the ACS URL in ADFS to https, we encounter the issue shown in fig. 1.

fig1

We found that there is some setting related to absolute URL. Please see fig 2.

fig2

We tried to set the router scheme to https as mentioned here http://symfony.com/doc/2.7/cookbook/console/request_context.html#configuring-the-request-context-globally but it is not working.

We need your help on this matter.

Thank you.

Adding RequestedAuthnContext to the AuthnRequest

Hi !

I am struggling to add a RequestedAuthnContext node to an AuthnRequest XML request.

expected result

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_3032e287176d383ac6efa999f8e58775222efff3" Version="2.0" IssueInstant="2018-05-24T15:12:48Z" Destination="https://example.comsaml2sso" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://example.com/?acs">
   <saml:Issuer>example.com</saml:Issuer>
   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
   <samlp:RequestedAuthnContext Comparison="Minimum">
      <saml:AuthnContextClassRef>urn:example:saml:auth-level:1.0:low</saml:AuthnContextClassRef>
   </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

is there a proper way to achieve this ?

I can't find any way to handle it without creating a new LightSaml\Model\Protocol\SamlMessage, overriding the whole workflow which creates LightSaml\Model\Protocol\AuthnRequest, and adding my freshly created node.

Thanks in advance

PS : Sorry if the issue is not in the right repository.

Stuck in loop if user_creator service is not used

Hi,

I am having some difficulty with the implementation. If I don't provide a user_creator service and the user authenticates successfully, the system gets stuck in a loop: it keeps redirecting to the IdP and the IdP keeps sending the user back to the SP. I think this is because the user is not authorized, so no token is generated, so the SP sends the user to the IdP; but the user is authenticated, so the IdP sends the user back to the SP.

I remember I had a similar issue in SamlSPBundle, and I overcame it by setting the user role to something that is not in the system. This stops the user at the SP with a 403 error, as the user is not authorized. I am unable to do the same here unless I override the authenticate function in LightsSamlSpAuthenticationProvider.

Is there a better way to handle this case without overriding? I am avoiding that because it is hard to maintain across subsequent updates. Thanks

Load balancer may cause username is null in "saml/login_check" ?

Hi @tmilos
My application is working well in my local environment.
I set up the app in the "dev" environment; the dev server is behind a load balancer.
When I try to access a private page under the "saml" firewall, I'm redirected to the right login form. I enter my IDs, but when I'm redirected to the "login_check" route I get an error:

An exception occurred while executing 'INSERT INTO user_saml (username, roles) VALUES (?, ?)' with params [null, "["ROLE_USER"]"]:
SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'username' cannot be null

It seems that, for a reason I don't know, the username is not coming back.

Could it be a problem with load balancing? Is there a configuration I can make on the app side?

I've already set this instruction in my /web/app.php file:

Request::setTrustedProxies(array($_SERVER['REMOTE_ADDR']));

Thanks for your help.

Send arbitrary values to an IdP via an AuthRequest

I can't see an obvious way, in the SAML 2.0 documentation or in your implementation LightSaml\Model\Protocol\AuthnRequest, to send arbitrary values to the Identity Provider.

I am using LightSaml\Builder\Profile\WebBrowserSso\Sp\SsoSpSendAuthnRequestProfileBuilder in your login.php example.

Is there a way of sending arbitrary values to the Identity Provider in the AuthnRequest?

I see in the SAML 2 schema there is a "samlp:Extensions" node that can be added to AuthnRequests and, I believe, to any SAML message; SimpleSAML has an implementation of this, FYI.

The OpenIdP has been shut down

Hello,

The OpenIdP has been shut down. It is no longer possible to use it to test your SAML Service Provider. If you were using it for that purpose, you will need to look for alternatives.

Do you know any possible solution to test the saml SP?

No credentials resolved for signature verification

Hi Milos,

First of all, thanks for the big effort you've put in lightSAML. I am trying to migrate from aerialship/lightsaml in Symfony but have trouble getting our current setup to work properly.

The thing is that validating the SAML response signature is not working, because the resolver(s) won't find any credentials matching the issuer (LightSamlSpListener->receiveSamlResponse). Looking through the code, I notice that only our own credentials are built/stored (SP), while it is looking for credentials stored for the issuer (IdP) to validate the signature.

Any idea what I am missing here?

Regards,

Jasper

Attributes - how to specify/require/query them?

  1. I can't find how to specify in metadata.xml what attributes my SP requires from IdP.

    When I add my SP metadata XML to my https://samlidp.io/ IdP, I get this message:

    [screenshot of the IdP message; image not reproduced]

    It works only when the email switch is ON; otherwise I get null in

    // UserCreatorInterface
    $this->usernameMapper->getUsername($response)
  2. How do I make an AttributeQuery? As I understand it, this is not implemented?

    On user login (on AuthnRequest Response) I want to make an AttributeQuery and abort login process if IdP doesn't provide the required attributes (for example email, First Name, Last Name).

P.S. This bundle is a big machinery for me, so sorry if this question is too obvious for you. I have spent almost a week inspecting it and still no clear vision about its internals.

Undefined Index

I am setting this bundle up in my Symfony 3.0.1 application. I followed the setup document exactly and installed my vendor's IdP configuration (I'm using Okta). When I go to the login page, I'm redirected to Okta, which is great. When I log in there, I'm redirected back to my site (/saml/login) and several errors are generated. It then proceeds to redirect back and forth constantly.

Can you point me in the direction of the problem?

Undefined index: http_request
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: own_entity
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":62,"level":28928,"scream":true}

Undefined index: party_entity
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: endpoint
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: inbound_message
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: outbound_message
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":100,"level":28928,"scream":true}

Undefined index: serialization
Context: { "name": "E_NOTICE", "type":8,"file": "vendor/lightsaml/lightsaml/src/LightSaml/Context/AbstractContext.php", "line":62,"level":28928,"scream":true}

Unable to find the controller for path "/saml/login_check"

I keep getting the following error.
"Unable to find the controller for path "/saml/login_check". The route is wrongly configured."
I imported the routes, I have no problem with /saml/discovery and /saml/login (redirects me to /saml/discovery)

What am I missing?

Services are private by default (Symfony 4)

Starting with Symfony 4, services are marked private per default, which means that you cannot get services by calling $container->get('service.name') anymore. Doing so leads to a ServiceNotFoundException.

Unfortunately, this bundle makes use of $container->get() to get LightSAML services. Thus, they need to be either marked public (easy solution) or injected using DI (this is the recommended solution).

Note: this issue affects both SpBundle and SymfonyBridgeBundle 😉

Error while downloading via composer

Hi,

I am facing an issue while downloading the package via composer. I am using the command composer require "lightsaml/sp-bundle", but it shows the following error. I would appreciate help on this.

[InvalidArgumentException]
Could not find package lightsaml/sp-bundle at any version for your minimum-stability (stable). Check the package spelling or your minimum-stability

LightSaml\Error\LightSamlSecurityException: "Algorithm mismatch ...

Hello, my implemented SAML flow suddenly stopped working with the following Error message:

Uncaught PHP Exception LightSaml\Error\LightSamlSecurityException: "Algorithm mismatch between input key and key used to encrypt the symmetric key for the message. Input key algo is: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'. Message key algo is 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'"

What is in this context the "input key" and what is the "message key"?

  • Does it mean that the ADFS Server returns a message that is encrypted with rsa-oaep-mgf1p,
    but the key I created is encrypted with rsa-sha256?

Because I did not change anything on my side, I assume that the ADFS settings were changed by someone. Is this the right conclusion for this case?

Any help would be appreciated, Thx. :-)

simple saml path

hi,
I have a legacy application that works with SimpleSAMLphp, but I'm trying to make it work inside the Symfony framework. I looked at the documentation, but I didn't find a section that clearly describes the location of the SimpleSAMLphp config directory.
For example, in my application I use simplesaml/configuration.php to tell the app who the IdP is.
Where do I have to put these files inside the Symfony framework directories?

THX

Merge attribute values back into user object.

I was wondering if it is possible to merge the attributes from the SamlSpToken back into the user object.
In my particular use case I want to update the user roles provided by the IdP in the database after a successful login.

Edit: As a workaround I have not specified the "provider" option in the firewall config. This way the user_creator service is always used after a successful login. This feels like a hack, though.

"Unknown InResponseTo _xxx" error when trying to authenticate from local

Hello,

First of all, thank you for this beautiful library.

I have a Symfony app working with an Azure AD. Authentication works in production: I set the entity_id to my web site domain and the response URL to my_domain/saml/login_check, and everything is fine.
The problem is that authentication doesn't work when I authenticate to Azure AD from localhost; I get the error in the title.
I think the problem is that when the prod server gets the response from Azure AD after my local authentication, the prod server doesn't recognize my local server and raises the error.

Is there a way to make authentication work from local and production at the same time?

Thanks !

URL for the named route "lightsaml.login_check"

hi all,

I go to /saml/login.
I'm redirected to /saml/discovery and I choose my IdP.
I'm redirected to /saml/login?idp=<url_ipd>
and I see

Unable to generate a URL for the named route "lightsaml.login_check" 

please, help me ?

Symfony 2.8 security setup with LightSamlPhp Bundle - Multiple Login Methods

Hi, I am running into an issue setting up authentication in Symfony 2.8 with the SAML plugin (https://www.lightsaml.com/SP-Bundle/Getting-started/).
Problem:
I want to be able to log in via SAML and via the admin page. The /admin/login page works fine; I see the user authenticated from the database. However, when I try to go through the SAML process, I always land on the /discovery page. When I look at the logs, I do see the user is authenticated, but the page is redirected to the discovery page. So I think I have something not correctly configured in the security settings. Please let me know if you can help.

Here are the settings from
config/security.yml file:

firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false

    login_firewall:
        pattern: ^/saml/login$
        anonymous: ~
    discovery_firewall:
        pattern: ^/saml/discovery$
        anonymous: ~

    secured_area:
        pattern:   ^/
        anonymous: ~
        light_saml_sp:
            provider: db_provider    # user provider name configured in step 9
            #user_creator: user_creator  # name of the user creator service created in step 10
            login_path: /saml/login
            check_path: /saml/login_check
            default_target_path: /profile

        form_login:
            login_path: /admin/login
            check_path: /admin/login_check
            default_target_path: /
            remember_me: true
        logout:
            path:   /logout
            target: /

        # activate different ways to authenticate

        # http_basic: ~
        # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate

        # form_login: ~
        # http://symfony.com/doc/current/cookbook/security/form_login_setup.html

access_control:
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/profile, roles: ROLE_USER }

switch_user not working

Since I started using this bundle (which is working fine), switch_user is not working; I get an ERR_TOO_MANY_REDIRECTS error.

My configuration :

firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false

    secured_area:
        switch_user: true
        light_saml_sp:
            provider: db_provider
            login_path: /saml/login
            check_path: /saml/login_check
            failure_handler: auth_fail
            success_handler: login_handler
        logout:
            path: lightsaml_sp.logout
            target: /
            invalidate_session: false
        anonymous: ~

Issue with fallback on in_memory with http basic

Hi guys,

I am working with your component and I have a specific necessity.

I want to use an SSO service with your package, but I also want to use the in_memory default symfony solution as a fallback.

I tried to use a chained provider and also tried to specify the fallback like this:

my_firewall:
    pattern:  ^/saml
    security: true
    light_saml_sp:
        provider: my_saml_user_provider
        user_creator: my_saml_user_factory
        login_path: /login
        check_path: /saml/login_check
        always_use_default_target_path: true
        default_target_path: /admin
        require_previous_session: false
    logout:
        path: /logout
    http_basic:
        realm: "Access denied"
        provider: in_memory

It doesn't work, I just continue being redirected to the login page. How can I make it trigger the in_memory provider as a fallback? Thanks

RelayState not being set when Symfony firewall intercepts and redirects to IDP

When the Symfony firewall intercepts a request and redirects the user to the IDP for authentication, the RelayState is not included in the redirect to the IDP. Consequently, when the user is returned from the IDP, they end up on the home page of the Symfony application, rather than the page they were attempting to access.

Is this supported? If so, is this a configuration option that I have not included?
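RelayState is the mechanism the issue above is asking about: the SP sends the originally requested location alongside the AuthnRequest, and the IdP echoes it back with the Response. Because that value round-trips through the user's browser, an SP that redirects to it blindly has an open redirect. The following is an added example, not code from the SpBundle or from the issue author; it is written in Python (the bundle itself is PHP) so the checks can be run stand-alone. The function and constant names (make_relay_state, resolve_target, DEFAULT_TARGET, MAX_RELAY_STATE_BYTES) are this example's own. It carries only the local path and query in RelayState and, on the way back, accepts only a plain local path:

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/"
MAX_RELAY_STATE_BYTES = 80   # limit set by the SAML 2.0 Bindings spec for RelayState


def make_relay_state(requested_url: str) -> Optional[str]:
    """Build the RelayState to send with the AuthnRequest when the firewall
    intercepts `requested_url`. Only the local path and query are carried, so
    the value never names a host. Returns None when it would exceed the size
    limit; the caller then keeps the target in the session instead."""
    parts = urlsplit(requested_url)
    local = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    if len(local.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        return None
    return local


def resolve_target(relay_state: Optional[str], default: str = DEFAULT_TARGET) -> str:
    """Turn the RelayState echoed back by the IdP into a redirect target.
    The value is untrusted input (it came back via the browser): anything that
    is not a plain local path falls back to `default`."""
    if not relay_state:
        return default
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        return default
    # Backslashes and control characters are rejected outright: browsers treat
    # "/\evil.example" like "//evil.example", and CR/LF could split headers.
    if "\\" in relay_state or any(ord(ch) < 0x20 for ch in relay_state):
        return default
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:
        return default            # absolute or protocol-relative URL: open redirect
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs: one honest round trip and a few hostile RelayState values.
    sent = make_relay_state("https://sp.example/profile?tab=1")
    print("RelayState sent:", sent)
    for echoed in (sent, "https://evil.example/", "//evil.example/x", "/\\evil.example"):
        print(repr(echoed), "->", resolve_target(echoed))
```

The fallback to a fixed default (rather than an error) mirrors what the issue describes happening today, landing on the home page; the difference is that a forged RelayState can only ever produce that same fallback.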

EntityDescriptorProvider for IdP

Hi,
I'm trying to move some projects from AerialShip SamlSpBundle to LightSAML SpBundle and I'm facing some issues.
For an application acting as an SP, I was using an entity descriptor provider for the IdP declaration. But the new Symfony bridge configuration seems to only allow static XML files.
Is there a way to configure a service implementing the EntityDescriptorProviderInterface somewhere?

Logging out on SP and IDP

Hi

I have integrated the SP bundle with a SimpleSAMLphp server, which works great.

Is there a way to log out from the application and from the IdP at the same time? After logging out successfully and re-accessing a secured resource, it just gets a valid session from the SimpleSAMLphp server without asking for credentials.

Regards

Multiple signing certificates not supported

Hi.

This issue might be for the core part of lightSAML and not the SpBundle.

We integrate against an ADFS that uses rolling switchover when their certificates expire.
I would expect to be able to use multiple certificates in the IdP XML, like

        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>{certificate1}</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>{certificate2}</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>{certificate2}</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>

But I get the following error when verifying the response.

Call to a member function removeChild() on null

in vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php at line 489

        {
            $docElem = $this->sigNode->ownerDocument->documentElement;
            if (! $docElem->isSameNode($this->sigNode)) {
                $this->sigNode->parentNode->removeChild($this->sigNode);
            }

As I read the description in the SAML 2 errata, http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.html, multiple KeyDescriptors should be valid.

The inclusion of multiple elements with the same use attribute (or no such attribute) indicates that any of the included keys may be used by the containing role or affiliation. A relying party SHOULD allow for the use of any of the included keys. When possible the signing or encrypting party SHOULD indicate as specifically as possible which key it used to enable more efficient processing.

Thanks.
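The errata text quoted above implies two things for a relying party: collect every certificate published for a given use (a KeyDescriptor with no use attribute counts for both signing and encryption), and try each of them during verification rather than assuming a single key. Here is an added example of both, in Python (stand-alone, not the bundle's or xmlseclibs' code): SAMPLE_IDP_METADATA is constructed metadata mirroring the rollover layout in the issue, with CERT1..CERT3 as stand-ins for base64 certificate bodies, and certificates_for_use / verify_with_any are this example's own names. The actual signature check is passed in as a callable, so the selection logic is independent of the XML-DSig library used. The hint argument models the certificate a message's own KeyInfo claims was used: it may reorder the attempts but never widens the trusted set.

```python
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample IdP metadata: two KeyDescriptors marked "signing" (rollover),
# one "encryption", and one with no `use` attribute. CERT1..CERT3 stand in for
# base64 certificate bodies; real metadata carries full X.509 certificates.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>CERT1</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>CERT2</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          CERT2
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>CERT3</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _normalize(cert_text: str) -> str:
    """Strip the whitespace and line breaks metadata tools wrap certificates in."""
    return "".join(cert_text.split())


def certificates_for_use(metadata_xml: str, use: str) -> List[str]:
    """Return every certificate the IdP publishes for `use` ("signing" or
    "encryption"), in document order and without duplicates. A KeyDescriptor
    without a `use` attribute counts for both uses, as the errata text says."""
    root = ET.fromstring(metadata_xml)
    found: List[str] = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use") not in (None, use):
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            value = _normalize(cert.text or "")
            if value and value not in found:
                found.append(value)
    return found


def verify_with_any(trusted: List[str], hinted: Optional[str],
                    check: Callable[[str], bool]) -> Optional[str]:
    """Try the trusted certificates until `check` (the real signature
    verification, supplied by the caller) succeeds; return the certificate that
    verified, or None. `hinted` is what the message's own KeyInfo claims was
    used: it only reorders the attempts and is never added to `trusted`, since
    whoever forges a message also controls its KeyInfo."""
    hint = _normalize(hinted) if hinted else None
    ordered = [c for c in trusted if c == hint] + [c for c in trusted if c != hint]
    for cert in ordered:
        if check(cert):
            return cert
    return None


if __name__ == "__main__":
    signing = certificates_for_use(SAMPLE_IDP_METADATA, "signing")
    print("signing certificates:", signing)
    # Stand-in check: pretend the message was signed with CERT2.
    print("verified with:", verify_with_any(signing, "CERT2", lambda c: c == "CERT2"))
```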

store.id_state does nothing

I get

Unknown InResponseTo '_68b93e494c86295ff7d21d274486ab489b429f17ed'

because id store doesn't save any id. Should I save the id manually on login action? (I have overwritten the DefaultController in a child bundle)

P.S. I don't know why, but this bundle is VERY HARD to work with. The documentation is poor and the architecture is complicated. I usually spend 1-3 hours to find out how one parameter is used or why I get an error. Sorry, I've found the architecture description.
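Both this issue and the earlier "Unknown InResponseTo" one from the Azure AD setup come down to the same check: the SP records the ID of every AuthnRequest it sends, and the ACS endpoint accepts a Response only if its InResponseTo names a recorded, unexpired, not-yet-used ID from the IdP the request went to. If the ID is recorded by one instance (a developer's machine) and the Response lands on another (production), the lookup fails by design. Below is an added, stand-alone example of such a store in Python; it is not the bundle's id_state store, and the names IdStateStore, PendingRequest, new_request_id and check_response are this example's own. The allow_unsolicited flag covers IdP-initiated sign-on, where a Response legitimately carries no InResponseTo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class PendingRequest:
    idp_entity_id: str   # IdP the AuthnRequest was addressed to
    sso_url: str         # its SSO endpoint
    expires_at: float    # absolute time after which the ID is no longer valid


class IdStateStore:
    """Remembers the IDs of AuthnRequests this SP has issued so that the
    InResponseTo of an incoming Response can be checked. Each ID is accepted
    once, only from the IdP it was sent to, and only before it expires.
    The store must be the one the ACS endpoint reads: an ID recorded by a
    local instance is unknown to a production instance, which is exactly what
    an "Unknown InResponseTo" error reports."""

    def __init__(self, ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.time,
                 allow_unsolicited: bool = False):
        self.ttl = ttl_seconds
        self.clock = clock                         # injectable for testing
        self.allow_unsolicited = allow_unsolicited  # IdP-initiated SSO has no InResponseTo
        self._pending: Dict[str, PendingRequest] = {}

    def new_request_id(self, idp_entity_id: str, sso_url: str) -> str:
        """Generate and record the ID for an outgoing AuthnRequest."""
        request_id = "_" + secrets.token_hex(20)   # xsd:ID must not start with a digit
        self._pending[request_id] = PendingRequest(idp_entity_id, sso_url,
                                                   self.clock() + self.ttl)
        return request_id

    def _purge_expired(self) -> None:
        now = self.clock()
        for rid in [r for r, p in self._pending.items() if p.expires_at < now]:
            del self._pending[rid]

    def check_response(self, in_response_to: Optional[str], issuer: str) -> Tuple[bool, str]:
        """Validate the InResponseTo/Issuer pair of a received Response and
        return (accepted, reason). A matching ID is consumed, so a replayed
        Response with the same InResponseTo is rejected."""
        self._purge_expired()
        if not in_response_to:
            if self.allow_unsolicited:
                return True, "unsolicited response accepted by policy"
            return False, "unsolicited response (no InResponseTo) rejected"
        pending = self._pending.pop(in_response_to, None)
        if pending is None:
            return False, "Unknown InResponseTo %r" % in_response_to
        if pending.idp_entity_id != issuer:
            return False, "issuer %r is not the IdP the request was sent to" % issuer
        return True, "response matches request %s" % in_response_to


if __name__ == "__main__":
    # Constructed walk-through: one honest round trip, then a replay of the same ID.
    store = IdStateStore(ttl_seconds=60)
    rid = store.new_request_id("https://idp.example/metadata", "https://idp.example/sso")
    print(store.check_response(rid, "https://idp.example/metadata"))
    print(store.check_response(rid, "https://idp.example/metadata"))
```

In a real deployment the dictionary would live in the user's session or a shared cache, which is what makes the ID visible to whichever instance receives the Response.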

Error installing SPBundle on Symfony 4.0.9

Hi, I have an error when I install this bundle: when I run $ composer.phar require lightsaml/sp-bundle, this error appears:

The child node "own" at path "light_saml_symfony_bridge" must be configured.

What can I do?

Thanks in advance

SAML alongside traditional form login

I'm having problems providing both a SAML based login and a traditional login form. The SpBundle keeps redirecting to the IdP. Can you suggest a way to have both of these working together?

Regards,

UserCreator->createUser() should never return null

Hi,

I am working on the integration of lightSAMLSpBundle for some applications in our company. We have set things up so as to use only one identity provider.

If you want to filter out some users at the time of authentication, the UserCreator->createUser() function should never return null. Contrary to the UserCreatorInterface documentation, returning null in the context of a delegated authentication will create a loop redirect between the identity provider and your Symfony application.

Since UserCreator->createUser() is called in the context of a Symfony AuthenticationProviderInterface, returning null will throw an AuthenticationException and Symfony is going to redirect the user to the login form. But the login form is located at the identity provider and it just told Symfony that the guy was a legitimate user. From there, the loop is created.

Therefore, your application should always trust the SSO service and create the user even if you don't like him.

But if you still want to deny access to your application, you should just not give him any roles. Here is a UserCreator class modified from the example in the Getting Started guide:

<?php
// src/AppBundle/Security/User/UserCreator.php
namespace AppBundle\Security\User;

use AppBundle\Entity\User;
use Doctrine\Common\Persistence\ObjectManager;
use LightSaml\Model\Protocol\Response;
use LightSaml\SpBundle\Security\User\UserCreatorInterface;
use LightSaml\SpBundle\Security\User\UsernameMapperInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class UserCreator implements UserCreatorInterface
{
    /** @var ObjectManager */
    private $objectManager;

    /** @var UsernameMapperInterface */
    private $usernameMapper;

    /**
     * @param ObjectManager           $objectManager
     * @param UsernameMapperInterface $usernameMapper
     */
    public function __construct($objectManager, $usernameMapper)
    {
        $this->objectManager = $objectManager;
        $this->usernameMapper = $usernameMapper;
    }

    /**
     * @param Response $response
     *
     * @return UserInterface|null
     */
    public function createUser(Response $response)
    {
        $username = $this->usernameMapper->getUsername($response);

        $user = new User();

        $user->setUsername($username);

        // $iWantUserIn stands for your own admission decision for this username;
        // it is a placeholder and is not defined in this snippet.
        if ($iWantUserIn)
        {
            $user->setRoles(['ROLE_USER']);
        }
        else
        {
            // I know the user but I don't want him in right now.
            // But one day, maybe I can grant him some roles.
        }

        $this->objectManager->persist($user);
        $this->objectManager->flush();

        return $user;
    }
}

Not sure if this is an issue. Perhaps this is more a subject for a cookbook?

I hope this will help.

ERROR with ADFS

Hi all!
I'm trying to integrate LightSAML with ADFS, but here is the stack trace of the exception I get.
I think there is a problem with the signature...
Hope it helps...

I'm using as dependencies:
"symfony/symfony": "2.7.*",
"lightsaml/sp-bundle": "^1.0"

Error: Call to a member function removeChild() on a non-object
500 Internal Server Error - FatalErrorException

Stack Trace (Plain Text)
[1] Symfony\Component\Debug\Exception\FatalErrorException: Error: Call to a member function removeChild() on a non-object
    at n/a
        in /var/www/cnh_pbo-cms/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php line 489

    at RobRichards\XMLSecLibs\XMLSecurityDSig->validateReference()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Model/XmlDSig/SignatureXmlReader.php line 76

    at LightSaml\Model\XmlDSig\SignatureXmlReader->validate()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Model/XmlDSig/AbstractSignatureReader.php line 62

    at LightSaml\Model\XmlDSig\AbstractSignatureReader->validateMulti()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Validator/Model/Signature/SignatureValidator.php line 58

    at LightSaml\Validator\Model\Signature\SignatureValidator->validate()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Assertion/Inbound/AssertionSignatureValidatorAction.php line 56

    at LightSaml\Action\Assertion\Inbound\AssertionSignatureValidatorAction->doExecute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Assertion/AbstractAssertionAction.php line 39

    at LightSaml\Action\Assertion\AbstractAssertionAction->execute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/CompositeAction.php line 74

    at LightSaml\Action\CompositeAction->execute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/Inbound/Response/AssertionAction.php line 54

    at LightSaml\Action\Profile\Inbound\Response\AssertionAction->doExecute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/AbstractProfileAction.php line 41

    at LightSaml\Action\Profile\AbstractProfileAction->execute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/CompositeAction.php line 74

    at LightSaml\Action\CompositeAction->execute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Firewall/LightSamlSpListener.php line 67

    at LightSaml\SpBundle\Security\Firewall\LightSamlSpListener->receiveSamlResponse()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Firewall/LightSamlSpListener.php line 50

    at LightSaml\SpBundle\Security\Firewall\LightSamlSpListener->attemptAuthentication()
        in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php line 146

    at Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->handle()
        in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 2574

    at Symfony\Component\Security\Http\Firewall->onKernelRequest()
        in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php line 61

    at call_user_func()
        in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php line 61

    at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke()
        in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 1834

    at call_user_func()
        in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 1834

    at Symfony\Component\EventDispatcher\EventDispatcher->doDispatch()
        in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 1763

    at Symfony\Component\EventDispatcher\EventDispatcher->dispatch()
        in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/TraceableEventDispatcher.php line 124

    at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch()
        in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 3099

    at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
        in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 3072

    at Symfony\Component\HttpKernel\HttpKernel->handle()
        in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 3223

    at Symfony\Component\HttpKernel\DependencyInjection\ContainerAwareHttpKernel->handle()
        in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 2442

    at Symfony\Component\HttpKernel\Kernel->handle()
        in /var/www/cnh_pbo-cms/web/app_dev.php line 28

    at {main}()
        in /var/www/cnh_pbo-cms/web/app_dev.php line 0

A little help on how to configure using ADFS 2.0

Hi

I'm trying to integrate SSO for my Symfony 2 application. Our app should act as Service Provider and the authentication should be handled from our Active Directory ADFS server.

I already installed the latest bundle "lightsaml/sp-bundle":"^1.1" and configured the required classes as per the instructions.

So far the application is already redirecting to /saml/login and /saml/discovery, and the page displays all the available IdPs.

But I'm just confused about how/what to set in the configuration based on the information that was given to me by our IdP. BTW, I think our IdP is ADFS 2.0.

Our IDP provided the following

  • Federation Metadata xml - which I downloaded and set its path in the idp party config as follows:
    party:
        idp:
            files:
                - "%kernel.root_dir%/../src/AppBundle/Security/LightSAML/federationmetadata.xml"
  • Token signing certificate - where should I set/use this in the config?
-----BEGIN CERTIFICATE-----
MIIDADCCAeigAwIBAgIQBLAHBLAHBLAH...
-----END CERTIFICATE-----
  • Entity ID URI - where should I set this in the config?
    http://fs2.federation.net/adfs/services/trust

  • Login URL (For System Configuration)
    https://fs2.federation.net/adfs/ls/idpinitiatedsignon.aspx

  • Login URL (Clickable, can be used for user login)
    https://fs2.federation.net/adfs/ls/idpinitiatedsignon.aspx?logintorp=<YOUR-URN>

  • Logout URL
    https://fs2.federation.net/adfs/ls/?wa=wsignout1.0

Now, they are also asking us to provide the following information:

  • What federation protocol do you support? I chose "SAML 2.0" over "WS-Federation".

  • Please list relying party Identifiers. This may include a URN, URL or both.
    What should I provide to them? Our application base URL?

  • Please list any Claims (assertion attributes) which you will require from us.
    For example Email Address sent as NameID

    Attribute | Set as

Thank You

Infinite redirection loop when logging in

I'm trying to configure this bundle, but I'm having the problem that when I try to login it ends up in an infinite redirection loop. I have my own Id Provider and I registered this installation as an SP with AssertionConsumerService as /saml/login_check and the SingleLogoutService as /logout.

Or there is a way to set up this bundle as my own IdP so that other service can authenticate against it.

Thanks for your help

sensiolabs insight issues

Boolean should be compared strictly

src/LightSaml/SpBundle/Controller/DefaultController.php, line 46
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 103
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 107
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 151
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 159
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 173
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 179
src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php, line 232

Configuration of the bundle

Hi,

Thanks for your bundle. I'm new to using the SAML protocol and I don't understand how I can get the site metadata for the IdP implementation?

I don't really understand what I should write in this config parameter (entity_id). The URL of my website?

entity_id: http://localhost/lightsaml/demosp

Can you help me?

I don't know if it's the right place for making questions, sorry if not.

Looping login redirect when previously authenticated

I have a Symfony application serving as a small content management system. I am able to log into the application perfectly when I have not previously signed in via another application. However, when I sign into another application first and then go into the Symfony application I get the looping redirect which dies with a 500 error at /saml/login_check. I have tried many configurations and am aware of the various discussion threads and have also updated to the latest version of the bundle. Assistance with the issue is appreciated.

request.CRITICAL: Uncaught PHP Exception LightSaml\Error\LightSamlAuthenticationException: "Unsuccessful SAML response: urn:oasis:names:tc:SAML:2.0:status:Responder " at /var/www/faculty/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/Inbound/StatusResponse/StatusAction.php line 48 {"exception":"[object] (LightSaml\Error\LightSamlAuthenticationException(code: 0): Unsuccessful SAML response: urn:oasis:names:tc:SAML:2.0:status:Responder\n at /var/www/faculty/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/Inbound/StatusResponse/StatusAction.php:48)"} []

168.30.- - [31/May/2018:17:27:57 -0400] "POST /saml/login_check HTTP/1.1" 500 495

I have tried many variations of the security config. This just happens to be one currently in place:

    main:
        anonymous: ~
        light_saml_sp:
            provider: db_provider       # user provider name configured in step 9
            user_creator: user_creator  # name of the user creator service created in step 10
            login_path: /saml/login
            check_path: /saml/login_check
            default_target_path: /dashboard
            force: true
        logout:
            path: /logout

I am happy to post other config or class information.

Fredrick
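An added example, not from the bundle or the original post: the log line above shows the IdP answering with a top-level Responder status, and LightSAML rejects the response before any assertion is processed, which is the correct outcome. To triage such a failure with the IdP operator, the first thing to read is the nested second-level StatusCode and the StatusMessage, neither of which the log line includes. The Python below base64-decodes a posted SAMLResponse form value and extracts only the Status block and the request-correlation fields; it performs no signature verification and must never be used to decide whether a login succeeded. The response XML, identifiers and hostnames are constructed, and the function names are the example's own.

```python
"""Decode a posted SAMLResponse and report its Status for triage.

Added example for the issue above; not LightSAML's code. It does NOT verify
signatures and must never be used to decide whether a login succeeded.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed failure response (IDs, hosts and message are placeholders, not real data).
FAILED_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp-0001" Version="2.0" IssueInstant="2018-05-31T21:27:57Z"
    Destination="https://sp.example.test/saml/login_check" InResponseTo="_req-0001">
  <saml:Issuer>https://idp.example.test/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>An error occurred.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
FAILED_RESPONSE_B64 = base64.b64encode(FAILED_RESPONSE_XML.encode()).decode()


def response_status(saml_response_form_value: str) -> dict:
    """Extract correlation fields and the full StatusCode chain from a SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_form_value, validate=True))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("Response carries no Status element")

    # StatusCode elements nest: the top level is the coarse class (Success, Requester,
    # Responder, VersionMismatch); inner ones say why, e.g. RequestDenied or NoPassive.
    codes = []
    node = status.find(f"{{{SAMLP}}}StatusCode")
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find(f"{{{SAMLP}}}StatusCode")

    return {
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),  # must match an AuthnRequest the SP issued
        "destination": root.get("Destination"),      # must equal the SP's ACS URL
        "issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip(),
        "codes": codes,
        "message": status.findtext(f"{{{SAMLP}}}StatusMessage"),
        "success": codes[:1] == [STATUS_SUCCESS],
        "assertion_count": len(root.findall(f"{{{SAML}}}Assertion"))
        + len(root.findall(f"{{{SAML}}}EncryptedAssertion")),
    }


def triage_line(saml_response_form_value: str) -> str:
    """One-line summary suitable for pasting into a ticket with the IdP operator."""
    st = response_status(saml_response_form_value)
    return (f"issuer={st['issuer']} inResponseTo={st['in_response_to']} "
            f"status={' > '.join(st['codes'])} message={st['message']!r} "
            f"assertions={st['assertion_count']}")


if __name__ == "__main__":
    print(triage_line(FAILED_RESPONSE_B64))
```

A Responder status with zero assertions is an IdP-side refusal: the SP cannot fix it locally, and the IdP's own logs for the InResponseTo value are the authoritative source for why the request was denied.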

Custom user_checker ignored

Hi, I'm trying to define a custom user_checker by doing:

    saml:
        context: app
        pattern: /saml(.*)
        user_checker: my_custom_user_checker
        ...

But the user_checker is ignored and the default one is used which I don't want.

The only way I have found so far is to override the following service in my app:

security.authentication.provider.lightsaml_sp:
        class: LightSaml\SpBundle\Security\Authentication\Provider\LightsSamlSpAuthenticationProvider
        arguments:
            - ~ # provider key
            - ~ # user provider
            - ~ # force
            - "@my_custom_user_checker"
            - "@lightsaml_sp.username_mapper.simple" # username mapper
            - ~ # user creator
            - "@lightsaml_sp.attribute_mapper.simple" # attribute mapper
            - ~ # token factory
        abstract: true

I'm not sure if this is a bug or not, but I think the bundle should take the 'user_checker' parameter (if given) instead of using the default one.

Question: Custom redirect URL after successfull login

Hi everyone,
is it possible to redirect the user to a different URL than the one he initially came from? Let's say the user is on example.com/shop, clicks on example.com/login, gets redirected to my IdP, and I want to redirect him back to example.com/shop after a successful login.

Edit: To clarify what I'd like to do:
When using simplesamlphp you can do something like this:

$auth->requireAuth(array( 'ReturnTo' => 'https://sp.example.org/mycustompath' ));
@tmilos Any Idea?

Thanks
Chris

Edit: Question on stackoverflow
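An added example, not from the bundle or the original post: whichever mechanism carries the post-login target (a ReturnTo parameter as in the simplesamlphp call above, RelayState, or a saved path), the value that arrives at the assertion consumer endpoint is attacker-influenceable, so it has to be validated before the redirect or the login flow becomes an open redirect. The Python below keeps the target server-side, hands the browser only an opaque one-shot token that is safe to place in RelayState, and restricts the target to a relative path on the SP itself (rejecting absolute URLs, protocol-relative //host forms, backslash spellings and control characters). The class and function names are the example's own assumptions.

```python
"""Keep the post-login return target server-side and validate it before use.

Added example; not the bundle's implementation. Names are the example's own.
"""
import secrets
from urllib.parse import urlsplit


def safe_return_path(candidate, default: str = "/") -> str:
    """Accept only a relative path on this SP; anything else falls back to `default`.

    Rejects absolute URLs (https://evil.example), protocol-relative ones (//evil.example),
    backslash spellings that browsers normalise to slashes, and control characters that
    could split the Location header.
    """
    if not isinstance(candidate, str) or not candidate:
        return default
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default
    normalised = candidate.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return default
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return default
    return normalised


class ReturnTargetStore:
    """Server-side map from an opaque one-shot token (safe to put in RelayState)
    to the validated path the user should land on after the IdP responds.

    Binding the target to a token issued when the AuthnRequest is built means the
    ACS never has to trust a URL that came back from the browser or the IdP.
    """

    def __init__(self, default: str = "/"):
        self._default = default
        self._targets = {}

    def issue(self, requested_path) -> str:
        # The token is unguessable; the path is sanitised at issue time, not at redeem time.
        token = secrets.token_urlsafe(32)
        self._targets[token] = safe_return_path(requested_path, self._default)
        return token

    def redeem(self, token) -> str:
        # pop() makes the token single-use; unknown or replayed tokens get the default.
        return self._targets.pop(token, self._default)


if __name__ == "__main__":
    store = ReturnTargetStore("/dashboard")
    relay_state = store.issue("/shop")  # goes out with the AuthnRequest as RelayState
    print(store.redeem(relay_state))    # -> /shop
    print(store.redeem(relay_state))    # -> /dashboard (token already used)
```

In production the store would live in the session or a shared cache with an expiry matching the AuthnRequest lifetime; the point that carries over is that RelayState transports a key, never the destination itself.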

No credentials resolved for signature verification

Hello,

I am a newbie in SAML, but I have a mission to use Shibboleth as one of our services to authenticate users. Sorry if this issue is a duplicate of #20, but I have serious trouble with this error when I receive the response from the IdP.

Here are the metadata files, if they could be of help.
sp:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://xxx.xxx.com">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
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
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AssertionConsumerService index="0" isDefault="false" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxx.xxx.com"/>
</SPSSODescriptor>
</EntityDescriptor>

idp: https://shibboleth.csi.uvsq.fr/idp/shibboleth

It works with https://test.federation.renater.fr/idp/shibboleth, but not with this IdP; I get "No credentials resolved for signature verification" every time.
I really do not understand how it works; big thanks if you can give me a clue about this issue.
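An added example that is not part of the original issues or of the bundle, serving both the ADFS question above (which IdP-supplied values go where) and this Shibboleth one (no signing credential resolved). In SAML 2.0 the IdP's entityID and its signing certificate travel inside the IdP metadata, so the file referenced under party.idp.files already supplies both, and the "relying party identifier" an IdP asks for is the SP's own entityID, the value the SP publishes in its own metadata. What remains is to confirm what that metadata actually declares. The Python below parses IdP metadata, lists which certificates may be used for signature verification (a KeyDescriptor with no use attribute counts for both signing and encryption, per the SAML metadata specification), flags SSO endpoints that are not HTTPS, and pins the token-signing certificate handed over out of band by SHA-256 fingerprint. The metadata document, entity names and certificate bodies are constructed placeholders, and the function names are the example's own.

```python
"""Inspect SAML 2.0 IdP metadata and pin its token-signing certificate.

Added example for the LightSAML SP bundle issues above; not the bundle's own code.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata: hostnames, entityID and certificate bodies are
# placeholders, not a real IdP. The three base64 blobs stand in for DER data.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="http://idp.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>c2lnbmluZw==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor>
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>Ym90aA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>ZW5jcnlwdA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(b64_body: str) -> str:
    """SHA-256 over the DER bytes inside a <ds:X509Certificate> element."""
    der = base64.b64decode("".join(b64_body.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints and the certificates usable for signing/encryption."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    signing, encryption = [], []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # SAML metadata: an absent 'use' attribute means the key serves both purposes.
        use = kd.get("use")
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            fp = cert_fingerprint(cert.text or "")
            if use in (None, "signing"):
                signing.append(fp)
            if use in (None, "encryption"):
                encryption.append(fp)

    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    return {
        "entity_id": root.get("entityID"),
        "signing": signing,
        "encryption": encryption,
        "sso": sso,
        # AuthnRequests and responses must not travel over plain HTTP.
        "insecure_endpoints": [loc for loc in sso.values() if not (loc or "").startswith("https://")],
    }


def signing_cert_pinned(xml_text: str, expected_fingerprint: str) -> bool:
    """True only if the out-of-band token-signing cert is among the metadata's signing keys.

    If the certificate that actually signs responses is not declared as a signing key
    here, the SP has nothing to verify the signature with; a mismatch means stale
    metadata or a metadata document that should not be trusted.
    """
    return expected_fingerprint.lower() in inspect_idp_metadata(xml_text)["signing"]


if __name__ == "__main__":
    info = inspect_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], len(info["signing"]), "signing key(s)", info["sso"])
    print("pinned:", signing_cert_pinned(SAMPLE_METADATA, cert_fingerprint("c2lnbmluZw==")))
```

Run it against the real federation metadata file named under party.idp.files and compare the reported fingerprints with the certificate the IdP administrators sent; the entityID it prints is the IdP identifier to configure, and the SP's own entityID is what goes back to them as the relying party identifier.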

Lost LightSaml\Model\Protocol\Response on token serialization

I'm setting up LightSAML SpBundle v1.2.0 (Symfony 2.8.44) for the first time and it seems to be partially working, but I'm having the following issue after getting my login_check redirection (the IdP user exists and it does match user resolution):

Type error: Argument 1 passed to blah\Security\UsernameMapper::getUsername() must be an instance of LightSaml\Model\Protocol\Response, null given, called in blah/vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Authentication/Provider/LightsSamlSpAuthenticationProvider.php on line 188

The problem doesn't seem to come from the custom username mapper since the same thing happens with the default one.

Interestingly, when the framework sets the token in the token storage, I have the response attribute there (vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php:209), but when it is recovered from the session for unserializing, I get:

string(121)"C:68:"LightSaml\SpBundle\Security\Authentication\Token\SamlSpResponseToken":40:{a:4:{i:0;N;i:1;b:0;i:2;a:0:{}i:3;a:0:{}}}"
/home/wedesygn/Dev/webrand/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/ContextListener.php:79

Where there is clearly no reference to the Response (or any other valuable information).
I couldn't find much more by debugging, so not sure if it's a configuration issue on my end or a legit bug.
Thanks either way!
