Configuration instructions fail due to OneLogin error

Created on 14 September 2022, almost 2 years ago
Updated 4 April 2024, 3 months ago

I've been setting up this module for the first time, following the configuration instructions provided in the README. I was asked by the IdP to provide our metadata file so that they could perform the configuration on their end. I reached the end of the Service Provider section of the instructions, "...this is the point at which you can provide information to the (people administering the) IdP" and attempted to access the metadata URL. Instead I was redirected to the site front page, where a Drupal message popped up telling me that the metadata was inaccessible and an error had been logged. Here is the error:
OneLogin\Saml2\Error encountered while processing SAML SP metadata: Invalid array settings: idp_entityId_not_found, idp_sso_not_found, idp_cert_or_fingerprint_not_found_and_required in OneLogin\Saml2\Settings->__construct() (line 141 of /path/to/site/vendor/onelogin/php-saml/src/Saml2/Settings.php).

I looked at the OneLogin\Saml2\Settings that it mentions. It seems like it won't work if you don't provide IdP info, including:

  • The ID
  • The SSO URL
  • The certificate (or some other fingerprint)

I entered dummy values for these three config options (including re-using my SP certificate), saved, and was then able to access the metadata URL.

These three IdP config values must be filled out in order to access the metadata. This is contrary to this module's configuration instructions which explicitly state that the metadata URL is accessible after only configuring the SP options. Since the error comes from the library I don't know if the module can do anything to avoid the error and allow for IdP-less configuration. I didn't dig into it that far. If not, then this may have to be a documentation issue.

🐛 Bug report
Status

Fixed

Version

3.0

Component

Code

Created by

🇺🇸United States dcam


Comments & Activities


  • 🇺🇸United States kevinquillen

    These three IdP config values must be filled out in order to access the metadata. This is contrary to this module's configuration instructions which explicitly state that the metadata URL is accessible after only configuring the SP options. Since the error comes from the library I don't know if the module can do anything to avoid the error and allow for IdP-less configuration. I didn't dig into it that far. If not, then this may have to be a documentation issue.

    Just ran into this and couldn't figure out why I was being asked for IDP values before we can receive the IDP information, which first requires the SP metadata to be provided.

    Something here is incorrect and makes setting up SAML Authentication to an external provider rather confusing.

  • 🇺🇸United States kevinquillen

    Here is the tool I used to generate SP metadata because having to fill in all the IDP fields was confusing:

    https://www.samltool.com/sp_metadata.php

    You should be able to get the metadata with any level of information... this should be corrected (UI + docs) because it doesn't seem to match most literature online for configuring SAML with an external IDP.

    • roderik committed b6cb9cb6 on 8.x-3.x
      Issue #3309724: circumvent PHP-SAML checks to be able to generate...
  • Status changed to Fixed 9 months ago
  • 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU

    Thank you for reporting this. (Both of you - I just didn't work on this module for almost a year.)

    I had placed hints in rewritten (in 2021) code that mentioned workarounds for unnecessary checks being done for IdP data, in the SAML PHP Toolkit library... but apparently never followed that up by testing properly / figuring those "unnecessary checks" would make setup more difficult.

    Now followed up. Forgot to add credit in commit message; I think it's being added when changing the status of this issue (while checking both your names).
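The library check behind the reported error, and one way to get past it for metadata generation, as an added example: this is not the module's code and not the commit above (the page does not say which approach the fix took). It uses the real onelogin/php-saml `Settings` constructor and its second argument `$spValidationOnly`; the SP URLs are constructed placeholders.

```php
<?php
// Added example, not the samlauth module's code. Requires the composer package
// onelogin/php-saml (3.x or 4.x) and is meant to be run from the CLI.
require __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\Error;
use OneLogin\Saml2\Settings;

// Constructed SP-only settings: placeholder URLs, not a real deployment.
// There is deliberately no 'idp' block, which is the state the reporter was in
// when trying to hand SP metadata to the IdP administrators.
$spOnly = [
    'strict' => true,
    'sp' => [
        'entityId' => 'https://sp.example.test/saml/metadata',
        'assertionConsumerService' => [
            'url' => 'https://sp.example.test/saml/acs',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'singleLogoutService' => [
            'url' => 'https://sp.example.test/saml/sls',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    ],
];

// 1. Default construction validates the IdP block as well, so it throws
//    "Invalid array settings: idp_entityId_not_found, idp_sso_not_found, ..."
//    exactly like the error quoted in the report.
try {
    new Settings($spOnly);
} catch (Error $e) {
    fwrite(STDERR, 'default constructor: ' . $e->getMessage() . PHP_EOL);
}

// 2. With $spValidationOnly = true the library skips checkIdPSettings() and
//    only validates the SP block, which is all that SP metadata needs.
$settings = new Settings($spOnly, true);
$metadata = $settings->getSPMetadata();

// Validate the generated XML against the library's own schema check before
// sending it to the IdP side; an empty array means no errors.
$errors = $settings->validateMetadata($metadata);
if (!empty($errors)) {
    throw new RuntimeException('Metadata invalid: ' . implode(', ', $errors));
}
echo $metadata;
```

The IdP block is still required later for actual logins, since the constructor without the flag is what the login and ACS paths use; the flag only removes the chicken-and-egg problem at metadata time.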

  • Automatically closed - issue fixed for 2 weeks with no activity.

  • Status changed to Fixed 3 months ago
  • 🇮🇳India naveenvalecha New Delhi

    Here's the patch for sites using the 8.x-3.9 version
