Samltest.id keep getting errors no matter the configuration

Created on 28 July 2023, over 1 year ago
Updated 26 September 2023, about 1 year ago

Problem/Motivation

I am following the README instructions for testing via samltest.id and I keep getting errors.

If I use the POST location for the Single Sign On Service, https://samltest.id/idp/profile/SAML2/POST/SSO, I get an "Unsupported Request" message from them.

If I use the Redirect location for the Single Sign On Service, https://samltest.id/idp/profile/SAML2/Redirect/SSO, I get "Stale Request".

Steps to reproduce

  1. Install SAML Auth 3.8
  2. Under "Service Provider" set "Entity ID" to the base domain of the website (this works on another website).
  3. Using the openssl command from the README, generate your private key/X.509 Certificate.
  4. Put those certificates in the appropriate fields after you set it to use "Configuration" to add the keys.
  5. Under "Identity Provider" set the "Entity ID" to "https://samltest.id/saml/idp".
  6. Set "Single Sign On Service" to "https://samltest.id/idp/profile/SAML2/POST/SSO"
  7. For the certificates in this section, set it to use "Configuration" in the dropdown.
  8. Then put in the x509 cert you got from "https://samltest.id/download/".
  9. Get your site metadata from "[DOMAIN]/saml/metadata".
  10. Upload said metadata at "https://samltest.id/upload.php".
  11. Under "User Info and Syncing" set "Unique ID attribute" to "uid".
  12. Enable "Create users from SAML data".
  13. Set the "User name attribute" to "uid".
  14. Set the "User email attribute" to "mail".
  15. Under "SAML Message Construction", enable "Sign authentication requests", "Sign logout requests", "Sign logout responses".
  16. Set the "Signature algorithm" to "SHA256".
  17. Enable "Specify authentication context".
  18. Enable "Specify NameID policy".
  19. Under "SAML Message Validation", enable "Require NameID", "Strict validation of responses", and "Require messages to be signed".
  20. Under "Other" enable "Use Drupal base URL in toolkit library".
  21. Click save.
  22. Try, in another browser, to login via "https://[DOMAIN]/saml/login".
  23. See the error message.
  24. Now go back and change "Single Sign On Service" to "https://samltest.id/idp/profile/SAML2/Redirect/SSO".
  25. See how it gives errors.

Proposed resolution

No idea yet. I don't even understand the cause of the problem. I'm hoping I just configured SOMETHING wrong.

Anyone have any ideas on what I can do to fix this?

💬 Support request
Status

Active

Version

3.8

Component

Code

Created by

🇺🇸 United States pthurmond Overland Park, KS


Comments & Activities

  • Issue created by @pthurmond
  • Issue was unassigned.
  • 🇺🇸 United States pthurmond Overland Park, KS
  • 🇳🇱 Netherlands roderik Amsterdam, NL / Budapest, HU

    Thank you for your extensive test steps. It's been a long time since I tested using samltest.id (and I have just given the README a large reshuffle), so I re-tested.

    Unfortunately, I can't tell you what is going wrong... because it worked for me. I did not get the "Unsupported request" you are seeing at the 'Redirect' IdP URL.

    Two things I had temporary issues with:

    • https://samltest.id/idp/profile/SAML2/POST/SSO is definitely not right (the SAML PHP Toolkit does not support this); you should use the "Redirect" one. (It's strange this did not make its way into the README yet; I added it now.)
    • The "Metadata validity" setting in the configuration should be increased from 1 minute to... something higher that enables you to test.

    What I did exactly:

    • Install latest -dev from samlauth. (I'm due to release a new version soon, but I do not know anything that would change its behaviour from 3.8... except for the fact that it lets you view the metadata when you haven't configured the IDP yet. But it doesn't seem like you had issues with that.)
    • Followed your steps to reproduce. Saw that everything is exactly as default -- except for the "Signature algorithm" = "SHA256"; I left it at "library default".
    • uploaded metadata XML.
    • Saw error message at step 23. Remembered that POST is wrong.
    • Changed to "Redirect" per step 24.
    • Retried login. Got error that no metadata was present (i.e. not your error)
    • Changed metadata validity to 20 minutes. Changed "Signature algorithm" to "SHA256".
    • Re-uploaded metadata XML
    • Tried again. Saw successful page at samltest.id (with further login instructions).
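The two pitfalls named in the reply above (the SP must send its AuthnRequest to the HTTP-Redirect SSO endpoint, and the SP metadata's `validUntil` must still be in the future when samltest.id reads it) can both be checked before uploading anything. The script below is an added example written for this thread; it is not part of the samlauth module or of samltest.id. It parses a constructed IdP metadata fragment modelled on the two endpoints in the issue, generates a minimal SP `EntityDescriptor` with a chosen "Metadata validity", and reports whether that metadata would already be stale after a given upload delay. The SP entity ID, ACS URL and timestamp are constructed placeholders.

```python
"""Pre-upload sanity checks for an SP talking to samltest.id.

Added example, not the samlauth module's own code. Both metadata documents
below are constructed samples; the IdP one only reuses the two SSO URLs and
the IdP entity ID quoted in the issue.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed timestamp used so the checks are reproducible.
T0 = datetime(2023, 7, 28, 12, 0, 0, tzinfo=timezone.utc)

# Constructed IdP metadata fragment (not the real samltest.id document).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://samltest.id/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://samltest.id/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://samltest.id/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_endpoints(idp_metadata_xml):
    """Return {binding: location} for every SingleSignOnService in the IdP metadata."""
    root = ET.fromstring(idp_metadata_xml)
    return {
        el.get("Binding"): el.get("Location")
        for el in root.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    }


def redirect_sso_url(idp_metadata_xml):
    """The URL to put in "Single Sign On Service": the HTTP-Redirect endpoint, or None."""
    return sso_endpoints(idp_metadata_xml).get(REDIRECT_BINDING)


def build_sp_metadata(entity_id, acs_url, validity_minutes, now=None):
    """Minimal SP EntityDescriptor whose validUntil lies validity_minutes after now."""
    now = now or datetime.now(timezone.utc)
    valid_until = (now + timedelta(minutes=validity_minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="{entity_id}" '
        f'validUntil="{valid_until}">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<md:AssertionConsumerService Binding="{POST_BINDING}" Location="{acs_url}" index="1"/>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
    )


def metadata_seconds_remaining(sp_metadata_xml, now=None):
    """Seconds until validUntil; negative means the IdP will treat the metadata as expired."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(sp_metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return None  # no expiry attribute at all
    expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    return (expiry - now).total_seconds()


def metadata_is_usable(sp_metadata_xml, upload_delay_seconds, now=None):
    """Will metadata generated at `now` still be valid after upload_delay_seconds?"""
    remaining = metadata_seconds_remaining(sp_metadata_xml, now)
    return remaining is None or remaining > upload_delay_seconds


if __name__ == "__main__":
    print("Configure Single Sign On Service as:", redirect_sso_url(IDP_METADATA))
    for minutes in (1, 20):
        md = build_sp_metadata("https://sp.example.test",          # constructed SP entity ID
                               "https://sp.example.test/saml/acs", # constructed ACS URL
                               minutes, now=T0)
        print(f"validity={minutes:>2} min, usable after a 3-minute upload:",
              metadata_is_usable(md, 180, now=T0))
```

With a 1-minute validity the metadata is already expired by the time a manual download-and-upload cycle finishes, which matches the reply's advice to raise it (to 20 minutes in the re-test); the binding check reflects the same reply's point that only the Redirect endpoint works with the PHP toolkit.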