Comments (16)
Hi @jhonnynho
As I wrote, I created a class in my application that extends LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder
.
This class contains the getSpSsoDescriptor()
function that overrides the parent function with my custom behaviour.
It looks like this (you'll probably want to adapt the namespace):
// Service/AppEntityDescriptor.php
<?php
namespace AppBundle\Service;
use LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder;
use LightSaml\Model\Metadata\AssertionConsumerService;
use LightSaml\Model\Metadata\KeyDescriptor;
use LightSaml\Model\Metadata\SpSsoDescriptor;
use LightSaml\SamlConstants;
use LightSaml\Credential\X509Certificate;
/**
* Class AppEntityDescriptor
*
* @package AppBundle\Service
*/
class AppEntityDescriptor extends SimpleEntityDescriptorBuilder
{
/** @var array|string */
protected $acsUrl;
/**
* @param string $entityId
* @param array|string $acsUrl
* @param string $ssoUrl
* @param string $ownCertificate
* @param string[] $acsBindings
* @param string[] $ssoBindings
* @param string[]|null $use
*/
public function __construct(
$entityId,
$acsUrl,
$ssoUrl,
$ownCertificate,
array $acsBindings = array(SamlConstants::BINDING_SAML2_HTTP_POST),
array $ssoBindings = array(SamlConstants::BINDING_SAML2_HTTP_POST, SamlConstants::BINDING_SAML2_HTTP_REDIRECT),
$use = array(KeyDescriptor::USE_ENCRYPTION, KeyDescriptor::USE_SIGNING)
) {
$certificate = $ownCertificate;
if (!$ownCertificate instanceof X509Certificate) {
$certificate = new X509Certificate();
$certificate->loadFromFile($ownCertificate);
}
parent::__construct($entityId, $acsUrl, $ssoUrl, $certificate, $acsBindings, $use);
}
/**
* @return SpSsoDescriptor|null
*/
protected function getSpSsoDescriptor()
{
if (null === $this->acsUrl) {
return null;
}
$spSso = new SpSsoDescriptor();
foreach ($this->acsBindings as $index => $binding) {
// On ajoute toutes les url autorisées pour le service
if (is_array($this->acsUrl)) {
foreach ($this->acsUrl as $acsUrl) {
$acs = new AssertionConsumerService();
$acs->setIndex($index)->setLocation($acsUrl)->setBinding($binding);
$spSso->addAssertionConsumerService($acs);
}
}
else
{
$acs = new AssertionConsumerService();
$acs->setIndex($index)->setLocation($this->acsUrl)->setBinding($binding);
$spSso->addAssertionConsumerService($acs);
}
}
$this->addKeyDescriptors($spSso);
return $spSso;
}
}
And in my services.yml
:
app_entity_descriptor:
class: AppBundle\Service\AppEntityDescriptor
arguments:
- "%entity_id%"
- ["http://local.domain/saml/login_check", "https://public.domain/saml/login_check"]
- "https://sso.server/saml2/idp/SSOService.php"
- "%kernel.root_dir%/config/cert/saml.crt"
Finally, I add the service to LightSaml configuration in app/config/config.yml
light_saml_symfony_bridge:
own:
entity_id: "https://your.entity.id" # required
entity_descriptor_provider:
id: app_entity_descriptor
I hope this helps.
from spbundle.
light_saml_symfony_bridge:
own:
entity_id: https://your.entity.id # required
entity_descriptor_provider:
id: app_entity_descriptor
As here
https://www.lightsaml.com/Symfony-Bridge/Configuration/
from spbundle.
Ey @ChMat and @tmilos I did this steps but now I'm having this
Unknown InResponseTo '_77ce4c02e5bedb405c4ca19289f80a8a2967db504f'
My SSO system is on SimpleSAMLPHP.
I don't know what can I do. I have Symfony 4, and this is my configuration:
light_saml_symfony_bridge:
own:
entity_id: https://gateway.com/saml/
entity_descriptor_provider:
id: app_entity_descriptor
credentials:
-
certificate: "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.crt"
key: "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.key"
password: ~
party:
idp:
files:
- "%kernel.root_dir%/../src/Idp/idp.xml"
# - "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/openidp.feide.no.xml"
store:
id_state: id_store
security.yaml
main:
anonymous: ~
light_saml_sp:
provider: db_provider # user provider name configured in step 9
user_creator: user_creator # name of the user creator service created in step 10
login_path: /saml/login
check_path: /saml/login_check
default_target_path: /
require_previous_session: true
logout:
path: /logout
services.yaml
app_entity_descriptor:
class: App\Services\AppEntityDescriptor
arguments:
- "%entity_id%"
- ["%secure_login_check%", "%unsecure_login_check%"]
- "%saml_sso_service%"
- "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.crt"
from spbundle.
Thanks @tmilos for the information. It helped me solve the issue.
I implemented a custom service extending
LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder
.I replaced the $acsUrl __construct() parameter to an array.
So when I declare the service, the corresponding argument will be an array containing the login_check url from behind the proxy (http and .local url in my case) and from the rest of the world, like this:
["http://mysite.local/saml/login_check", "https://mysite.com/saml/login_check"]
And I changed the
getSpSsoDescriptor()
function as follows:/** * @return SpSsoDescriptor|null */ protected function getSpSsoDescriptor() { if (null === $this->acsUrl) { return null; } $spSso = new SpSsoDescriptor(); foreach ($this->acsBindings as $index => $biding) { if (is_array($this->acsUrl)) { foreach ($this->acsUrl as $acsUrl) { $acs = new AssertionConsumerService(); $acs->setIndex($index)->setLocation($acsUrl)->setBinding($biding); $spSso->addAssertionConsumerService($acs); } } else { $acs = new AssertionConsumerService(); $acs->setIndex($index)->setLocation($this->acsUrl)->setBinding($biding); $spSso->addAssertionConsumerService($acs); } } $this->addKeyDescriptors($spSso); return $spSso; }
This worked for me, I hope this will help.
Thanks @ChMat It works like a charm!
from spbundle.
Hi @guiyomh
I have the same issue here. My app is behind a proxy. The proxy handles the certificate, so the route for login_check is not the right one.
In short, the login_check route from the outside is https://publicdomain.com/saml/login_check. And once it passes the proxy, it becomes http://insidedomain.local/saml/login_check.
I think the way should be to tell SpBundle to trust http://insidedomain.local/saml/login_check.
Is your issue the same as mine? Did you find a solution?
from spbundle.
It means that in your own EntityDescriptor
there are no AssertionConsumerService
endpoints with such Location
. If you're behind a proxy, your metadata must state the public url, and IDP must return Response
with public url destination, so AbstractDestinationValidatorAction
will be able to find that url from the Reponse
in your own EntityDescriptor
.
Provide your own metadata xml, sent AuthnRequest, and received Response, and we can compare the values and see what is wrong.
from spbundle.
Thanks @tmilos for the information. It helped me solve the issue.
I implemented a custom service extending LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder
.
I replaced the $acsUrl __construct() parameter to an array.
So when I declare the service, the corresponding argument will be an array containing the login_check url from behind the proxy (http and .local url in my case) and from the rest of the world, like this:
["http://mysite.local/saml/login_check", "https://mysite.com/saml/login_check"]
And I changed the getSpSsoDescriptor()
function as follows:
/**
* @return SpSsoDescriptor|null
*/
protected function getSpSsoDescriptor()
{
if (null === $this->acsUrl) {
return null;
}
$spSso = new SpSsoDescriptor();
foreach ($this->acsBindings as $index => $biding) {
if (is_array($this->acsUrl)) {
foreach ($this->acsUrl as $acsUrl) {
$acs = new AssertionConsumerService();
$acs->setIndex($index)->setLocation($acsUrl)->setBinding($biding);
$spSso->addAssertionConsumerService($acs);
}
}
else
{
$acs = new AssertionConsumerService();
$acs->setIndex($index)->setLocation($this->acsUrl)->setBinding($biding);
$spSso->addAssertionConsumerService($acs);
}
}
$this->addKeyDescriptors($spSso);
return $spSso;
}
This worked for me, I hope this will help.
from spbundle.
Hi @ChMat I'm having the same trouble as you had, I'm wondering to know if you changed that function on SimpleEntityDescriptorBuilder file on the vendor directory? If not, how did you do?
Thanks!
from spbundle.
Thank you @ChMat , I'm going to test it, but I have a doubt, did you edit something else? I mean on the security.yaml or in the ligh_saml_symfony_bridge.yaml. I think this it won't run automatically.
I don't now if you add something lie this on the security.yaml
check_path: app_entity_descriptor
from spbundle.
Thanks for pointing that @jhonnynho ! Like @tmilos wrote right above, you have to configure it in your config.yml
.
I have updated my comment above so the reply is complete and correct.
from spbundle.
Hi @jhonnynho
Usually, you get this kind of response either:
- when you try to replay a previous authentication process
- or when the service provider is not the one that emitted the authentication request
Note that the entity_id
must match exactly the one that is registered in your SimpleSAMLphp idp.
It may be the entity_id
because the light_saml_symfony_bridge.own.entity_id
is defined by a string locally while the entity_id
in your services.yaml
comes from a parameter that we do not see in your comment.
from spbundle.
Hi @ChMat
Services.yaml
entity_id: '%env(ENTITY_ID)%'
saml_sso_service: '%env(SAML_SSO_SERVICE)%'
secure_login_check: '%env(SECURE_LOGIN_CHECK)%'
unsecure_login_check: '%env(UNSECURE_LOGIN_CHECK)
.env
ENTITY_ID=https://gateway.com/saml/
UNSECURE_LOGIN_CHECK=http://gateway/saml/login_check
SECURE_LOGIN_CHECK=https://gateway/saml/login_check
SAML_SSO_SERVICE=https://account.com/simplesaml/saml2/idp/SSOService.php
There are my params, and that error happens after doing the login on SimpleSamlPHP
On SimplesamlPHP I have the same entity_id
from spbundle.
Check your light_saml_symfony_bridge
config. You have an entity_id
that is different from that of your .env
: https://sso-gateway/saml/
Both should be identical.
from spbundle.
I have exactly the same entity_id on my config and on SimpleSaml
from spbundle.
Hi guys,
I've got the same problem, The Saml is behind an haproxy, and I recieve error Unknown InResponseTo ...
, when I try to login, I don't know if the saml needs something else, because the ssl end-to-end isn't available with haproxy in front of my saml service.
from spbundle.
hi guys, theres a way to do similar escenario but for de endpoint "default_target_path", actually is calling my unsecured endpoint but i need that be redirected to the secured endpoint. I already did the same for the login_check and is working succesfully but i need also for the default_target_path wheres my codebehind do some validations for login user.
from spbundle.
Related Issues (20)
- Unable to find the controller for path "/saml/login_check" HOT 1
- Adding RequestedAuthnContext to the AuthnRequest HOT 2
- SensioFrameworkBundle 5.2 compatibility
- Lost LightSaml\Model\Protocol\Response on token serialization HOT 1
- Error installing SPBundle on Symfony 4.0.9 HOT 2
- Is it maintained ? HOT 1
- URL's missing
- How generate metadata dynamically? HOT 2
- Update user HOT 1
- samltest.id - Assertions must be signed HOT 1
- Infinine loop when using stateless firewall HOT 1
- Unable to find the controller for path "/saml/login_check". The route is wrongly configured. HOT 4
- [HTTPS] /saml/login and the redirect URL after /saml/login_check are accessed using HTTP instead of HTTPS HOT 5
- Documentation does not mention cleaning up idEntry table
- Redirect after login using Symfony 3 config
- How to prevent user creation for user not allowed in the systems? HOT 4
- Symfony 5 support HOT 1
- lightSAML is overwritting form_login parameters
- Symfony session cookie with SameSite: Lax
- There is no extension able to load configuration. symfony 3.3.18 version
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spbundle.