v3.3 change in configuration values breaks ACSF

Created on 15 June 2021, about 3 years ago
Updated 9 August 2023, 11 months ago

Problem/Motivation

Observed in Acquia Site Factory: when using version 3.3 of the module, trying to log in to a site leads to the following error, and not being able to log in:

Error encountered while processing SAML authentication response; details have been logged

In the syslog we get the following error report:

http://site.com/saml/acs||0||RuntimeException encountered while processing SAML authentication response: Error(s) encountered during processing of authentication response. Type(s): invalid_response; reason given for last error: Signature validation failed. SAML Response rejected in Drupal\samlauth\SamlService->processLoginResponse() (line 413 of /mnt/www/html/site01test/docroot/modules/contrib/samlauth/src/SamlService.php). request_id="v-32f867ac-cced-11eb-ba52-9ff459077ed1"

Going back to version 3.2 of the module, this problem is no longer encountered.

Steps to reproduce

Install version 3.3+ of the module in ACSF. Attempt to log in.

Proposed resolution

Add patch to acsf module, published at 🐛 Compatibility with samlauth >= 8.3 (Fixed).

(This issue is "Active" to get all ACSF people's attention, when they browse the samlauth queue / possibly add comments. But it will not see any further work.)

🐛 Bug report
Status

Active

Version

3.3

Component

Code

Created by

🇵🇹 Portugal jcnventura


Comments & Activities


  • 🇺🇸 United States minkahb

    Hi,

    I have a Drupal 9.5.3, with php 8.3.2. I installed samlauth 8.x-3.8 via composer. I wanted the ACS url to return as https instead of http.

    I enabled various reverse_proxy values in settings.php and now I see the ACS url with https, but I get the error "invalid_response; reason given for last error: Signature validation failed. SAML Response rejected".

    I went back to samlauth 8.x-3.2, and I am still getting the error "invalid_response; reason given for last error: Signature validation failed. SAML Response rejected".

  • 🇺🇸 United States minkahb

    I reverted to samlauth 8.x-3.8 and was able to get this to work once I used the correct certificate.

    This is what I had to enable in /var/www/devportal/web/sites/default/settings.php :

    $settings['reverse_proxy'] = TRUE;

    $settings['reverse_proxy_addresses'] = [$_SERVER['REMOTE_ADDR']];

  • 🇺🇸 United States kevinquillen

    Does this work with Acquia Connector 4?

  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    @kevinquillen - I believe the answer is "yes; this issue only applies to the ACSF module specifically".

    Please check my reasoning:

    • I do not know of Acquia Connector itself doing anything with SAML SSO. (Then again, I have only seen it briefly, years ago.)
    • I'm assuming you are using the samlauth module on 'regular' Acquia hosting (not ACSF), and that you're using it to log in through an Identity Provider that is not part of Acquia's hosting infrastructure.

    Then there's no issue. Specifics: ACSF has a custom (not equal to the 'regular') Acquia dashboard for managing its cookie-cutter sites, and people can log into their individual sites from the dashboard. That is -- this custom ACSF dashboard acts like a SAML IdP, and the bug is specifically in the auto-configuration of that Acquia IdP.

    ---

    @minkahb - for completeness (to the other issue readers)

    • from your description, I believe the site you have an issue with, is not on Acquia Cloud Site Factory (ACSF) -- so this issue is unrelated
    • I'm happy you got it to work - your error indeed sounded like a local certificate issue.
    • The reverse proxy settings should be documented in this module's readme; 💬 Force HTTPS for ACS and SLS (Closed: works as designed) is open to remind me of this. (Though the value of $_SERVER['REMOTE_ADDR'] smells like something strange is going on in your case. I can't fully judge the situation, though.)
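
The reverse proxy settings discussed in this thread, as an added example for settings.php that is not code from the thread or from the samlauth module: the form posted above next to one that names the proxy explicitly. The address 192.0.2.10 is a placeholder, and the set of trusted headers is an assumption about what the proxy in front of the site sends.

```php
<?php
// Added example for sites/default/settings.php; not from the thread.

// Tell Drupal it sits behind a reverse proxy, so that forwarded headers
// (client IP, original scheme) are taken into account, for instance when
// the ACS URL has to be generated as https.
$settings['reverse_proxy'] = TRUE;

// Form posted in the thread: the peer of every connection is declared a
// trusted proxy, so X-Forwarded-* headers are honoured no matter who sent
// them, including requests that reach the web server without passing
// through the proxy.
// $settings['reverse_proxy_addresses'] = [$_SERVER['REMOTE_ADDR']];

// Explicit form: list only the address(es) the proxy connects from.
// 192.0.2.10 is a placeholder from the documentation range, not a real value.
$settings['reverse_proxy_addresses'] = ['192.0.2.10'];

// Assumption: the proxy sets X-Forwarded-For, -Proto and -Port.
// X-Forwarded-Host is left out here so the host name still comes from the
// request itself; add HEADER_X_FORWARDED_HOST only if the proxy rewrites it.
$settings['reverse_proxy_trusted_headers'] =
  \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR |
  \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO |
  \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT;
```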