Issue #188: SimpleSAMLPHP option redirect.validate is unsupported - ipsilon

ipsilon

#188 SimpleSAMLPHP option redirect.validate is unsupported

Closed: Invalid None Opened 8 years ago by rcritten.

This option configures whether logout requests and logout responses received from this IdP should be validated. The default is FALSE.

If set to TRUE it fails in SimpleSAMLPHP with:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/simplesamlphp/www/module.php:179 (N/A)
Caused by: SimpleSAML_Error_Exception: Validation of received messages enabled, but no signature found on message.
Backtrace:
2 /var/simplesamlphp/modules/saml/lib/Message.php:252 (sspmod_saml_Message::validateMessage)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-logout.php:38 (require)
0 /var/simplesamlphp/www/module.php:134 (N/A)

rcritten commented 8 years ago

Note that the redirect we send is signed:

https://sptest.greyoak.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp?SAMLResponse=fZJNa8MwDIb%2FSsg9cT7dxqSBkmxQ6C5r6WGXoSVKG%2BbYJnJg%2B%2FdL05W1MHoy0qtHr2w5J%2BilEVt91KN9RTJaETpfvVQkZmnljoMSGqgjoaBHErYWu%2FXLVkR%2BIMygra61dG%2BQxwQQ4WA7rVxnU63c96paVnHMyydeViVfP1dhViXZIiwDzuNskUxl6jrXXk9AhkGSQNJGdcQD4EsOSdRgmtYtrzPMwg%2FOFwhR2E7oAQearFbu5Dw1Ihpxo8iCslMqCFMvDLyA76NARLFI0jfXqZBsp8DO1MlaQ4IxMnZK%2B8cBvzV8%2BrXuGXW9kXi%2BLut1M0r0zcmwOabLGXlyftRZaLCFUVqPjFvkZ1XMwwzF1aIz1Emt7jy65rcT69FCAxZydsvml93tLNiR7qNSN%2BgcQI74eBs0V4vdWNdI5LLi4vDXlP33P4of&RelayState=_e523ea08bc1085c654f0e7a853cab5c7e709f2a04b&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=YnJtSisyI8dBW0vZ3bOSPKHtHfTYUaVce31jUQ9SW3kznIae%2F7N9KCWNKB5XvC20iNtWwrcfuoUWDNue59RvIqIPhASJK95g%2BpJfDJoe5vxxUqSkygy41iBIX2Z7D5yWFNVcEatF3JqzSOIObpl0VLuUSFIUOMGr7fK3dDToeri0RSYRG%2BsebZWEEOGCFThG%2B1R6DPZN7KFvCJqdAPFJS9e5JgbrIxqg2o68BDtdohX9qr9Pbo%2BDrRlqCxyruNaWdX5k0jTlAW%2FcNzU15IKXSVHi835VWJRm3DBFZMUbkvezzh3iTbBP5cl3a6DtjV5rmr8aAL%2Fz29cOMMbF3hJQEQ%3D%3D

So maybe I've mis-configured SimpleSAMLPHP.

rcritten commented 8 years ago

Ok, I see. I needed to add this to the IdP metadata in metadata/saml20-idp-remote.php

    'certificate'          => 'idp.pem',

And fetch idp.pem from the IdP in /var/lib/ipsilon/saml2 and put it into cert/idp.pem

resolution: => invalid
status: new => closed

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

Major

Milestone

None

rhbz

None

design_link

None

type

defect

component

framework

version

None

sensitive

patch_available

ipsilon

Source Code

#188 SimpleSAMLPHP option redirect.validate is unsupported Closed: Invalid None Opened 8 years ago by rcritten.

Metadata

#188 SimpleSAMLPHP option redirect.validate is unsupported

Closed: Invalid None Opened 8 years ago by rcritten.