Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid inbound message destination #58

Open
guiyomh opened this issue Sep 12, 2017 · 16 comments
Open

Invalid inbound message destination #58

guiyomh opened this issue Sep 12, 2017 · 16 comments

Comments

@guiyomh
Copy link

guiyomh commented Sep 12, 2017

when i'm redirect to /saml/login_check

i have a error :

Invalid inbound message destination "http://xxxxx/saml/login_check"
@ChMat
Copy link

ChMat commented Oct 5, 2017

Hi @guiyomh

I have the same issue here. My app is behind a proxy. The proxy handles the certificate, so the route for login_check is not the right one.

In short, the login_check route from the outside is https://publicdomain.com/saml/login_check. And once it passes the proxy, it becomes http://insidedomain.local/saml/login_check.

I think the way should be to tell SpBundle to trust http://insidedomain.local/saml/login_check.

Is your issue the same as mine? Did you find a solution?

@tmilos
Copy link
Member

tmilos commented Oct 6, 2017

It means that in your own EntityDescriptor there are no AssertionConsumerService endpoints with such Location. If you're behind a proxy, your metadata must state the public url, and IDP must return Response with public url destination, so AbstractDestinationValidatorAction will be able to find that url from the Reponse in your own EntityDescriptor.

Provide your own metadata xml, sent AuthnRequest, and received Response, and we can compare the values and see what is wrong.

@ChMat
Copy link

ChMat commented Oct 16, 2017

Thanks @tmilos for the information. It helped me solve the issue.

I implemented a custom service extending LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder.

I replaced the $acsUrl __construct() parameter to an array.

So when I declare the service, the corresponding argument will be an array containing the login_check url from behind the proxy (http and .local url in my case) and from the rest of the world, like this:

["http://mysite.local/saml/login_check", "https://mysite.com/saml/login_check"]

And I changed the getSpSsoDescriptor() function as follows:

    /**
     * @return SpSsoDescriptor|null
     */
    protected function getSpSsoDescriptor()
    {
        if (null === $this->acsUrl) {
            return null;
        }

        $spSso = new SpSsoDescriptor();

        foreach ($this->acsBindings as $index => $biding) {
            if (is_array($this->acsUrl)) {
                foreach ($this->acsUrl as $acsUrl) {
                    $acs = new AssertionConsumerService();
                    $acs->setIndex($index)->setLocation($acsUrl)->setBinding($biding);
                    $spSso->addAssertionConsumerService($acs);
                }
            }
            else
            {
                $acs = new AssertionConsumerService();
                $acs->setIndex($index)->setLocation($this->acsUrl)->setBinding($biding);
                $spSso->addAssertionConsumerService($acs);
            }
        }

        $this->addKeyDescriptors($spSso);

        return $spSso;
    }

This worked for me, I hope this will help.

@jhonnynho
Copy link

Hi @ChMat I'm having the same trouble as you had, I'm wondering to know if you changed that function on SimpleEntityDescriptorBuilder file on the vendor directory? If not, how did you do?
Thanks!

@ChMat
Copy link

ChMat commented Mar 22, 2019
edited
Loading

Hi @jhonnynho

As I wrote, I created a class in my application that extends LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder.

This class contains the getSpSsoDescriptor() function that overrides the parent function with my custom behaviour.

It looks like this (you'll probably want to adapt the namespace):

// Service/AppEntityDescriptor.php
<?php

namespace AppBundle\Service;

use LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder;
use LightSaml\Model\Metadata\AssertionConsumerService;
use LightSaml\Model\Metadata\KeyDescriptor;
use LightSaml\Model\Metadata\SpSsoDescriptor;
use LightSaml\SamlConstants;
use LightSaml\Credential\X509Certificate;

/**
 * Class AppEntityDescriptor
 *
 * @package AppBundle\Service
 */
class AppEntityDescriptor extends SimpleEntityDescriptorBuilder
{
	/** @var array|string */
	protected $acsUrl;

	/**
	 * @param string          $entityId
	 * @param array|string    $acsUrl
	 * @param string          $ssoUrl
	 * @param string          $ownCertificate
	 * @param string[]        $acsBindings
	 * @param string[]        $ssoBindings
	 * @param string[]|null   $use
	 */
	public function __construct(
		$entityId,
		$acsUrl,
		$ssoUrl,
		$ownCertificate,
		array $acsBindings = array(SamlConstants::BINDING_SAML2_HTTP_POST),
		array $ssoBindings = array(SamlConstants::BINDING_SAML2_HTTP_POST, SamlConstants::BINDING_SAML2_HTTP_REDIRECT),
		$use = array(KeyDescriptor::USE_ENCRYPTION, KeyDescriptor::USE_SIGNING)
	) {
		$certificate = $ownCertificate;

		if (!$ownCertificate instanceof X509Certificate) {
			$certificate = new X509Certificate();
			$certificate->loadFromFile($ownCertificate);
		}

		parent::__construct($entityId, $acsUrl, $ssoUrl, $certificate, $acsBindings, $use);
	}

	/**
	 * @return SpSsoDescriptor|null
	 */
	protected function getSpSsoDescriptor()
	{
		if (null === $this->acsUrl) {
			return null;
		}

		$spSso = new SpSsoDescriptor();

		foreach ($this->acsBindings as $index => $binding) {
			// On ajoute toutes les url autorisées pour le service
			if (is_array($this->acsUrl)) {
				foreach ($this->acsUrl as $acsUrl) {
					$acs = new AssertionConsumerService();
					$acs->setIndex($index)->setLocation($acsUrl)->setBinding($binding);
					$spSso->addAssertionConsumerService($acs);
				}
			}
			else
			{
				$acs = new AssertionConsumerService();
				$acs->setIndex($index)->setLocation($this->acsUrl)->setBinding($binding);
				$spSso->addAssertionConsumerService($acs);
			}
		}

		$this->addKeyDescriptors($spSso);

		return $spSso;
	}

}

And in my services.yml:

    app_entity_descriptor:
        class: AppBundle\Service\AppEntityDescriptor
        arguments:
            - "%entity_id%"
            - ["http://local.domain/saml/login_check", "https://public.domain/saml/login_check"]
            - "https://sso.server/saml2/idp/SSOService.php"
            - "%kernel.root_dir%/config/cert/saml.crt"

Finally, I add the service to LightSaml configuration in app/config/config.yml

light_saml_symfony_bridge:
    own:
        entity_id: "https://your.entity.id" # required
        entity_descriptor_provider:
            id: app_entity_descriptor

I hope this helps.

@jhonnynho
Copy link

jhonnynho commented Mar 24, 2019
edited
Loading

Thank you @ChMat , I'm going to test it, but I have a doubt, did you edit something else? I mean on the security.yaml or in the ligh_saml_symfony_bridge.yaml. I think this it won't run automatically.

I don't now if you add something lie this on the security.yaml

check_path: app_entity_descriptor

@tmilos
Copy link
Member

tmilos commented Mar 24, 2019
edited
Loading 

light_saml_symfony_bridge:
    own:
        entity_id: https://your.entity.id # required
        entity_descriptor_provider:
            id: app_entity_descriptor

As here
https://www.lightsaml.com/Symfony-Bridge/Configuration/

@ChMat
Copy link

ChMat commented Mar 25, 2019

Thanks for pointing that @jhonnynho ! Like @tmilos wrote right above, you have to configure it in your config.yml.

I have updated my comment above so the reply is complete and correct.

@jhonnynho
Copy link

jhonnynho commented Mar 25, 2019
edited
Loading

Ey @ChMat and @tmilos I did this steps but now I'm having this
Unknown InResponseTo '_77ce4c02e5bedb405c4ca19289f80a8a2967db504f'
My SSO system is on SimpleSAMLPHP.
I don't know what can I do. I have Symfony 4, and this is my configuration:

light_saml_symfony_bridge:
    own:
        entity_id: https://gateway.com/saml/
        entity_descriptor_provider:
            id: app_entity_descriptor
        credentials:
            -
                certificate: "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.crt"
                key:         "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.key"
                password:    ~
    party:
        idp:
            files:
                - "%kernel.root_dir%/../src/Idp/idp.xml"
#                - "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/openidp.feide.no.xml"
    store:
        id_state: id_store

security.yaml

        main:
            anonymous: ~
            light_saml_sp:
                provider: db_provider       # user provider name configured in step 9
                user_creator: user_creator  # name of the user creator service created in step 10
                login_path: /saml/login
                check_path: /saml/login_check
                default_target_path: /
                require_previous_session: true
            logout:
                path: /logout

services.yaml

    app_entity_descriptor:
        class: App\Services\AppEntityDescriptor
        arguments:
            - "%entity_id%"
            - ["%secure_login_check%", "%unsecure_login_check%"]
            - "%saml_sso_service%"
            - "%kernel.root_dir%/../vendor/lightsaml/lightsaml/web/sp/saml.crt"

@ChMat
Copy link

ChMat commented Mar 25, 2019

Hi @jhonnynho

Usually, you get this kind of response either:

  • when you try to replay a previous authentication process
  • or when the service provider is not the one that emitted the authentication request

Note that the entity_id must match exactly the one that is registered in your SimpleSAMLphp idp.

It may be the entity_id because the light_saml_symfony_bridge.own.entity_id is defined by a string locally while the entity_id in your services.yaml comes from a parameter that we do not see in your comment.

@jhonnynho
Copy link

jhonnynho commented Mar 25, 2019
edited
Loading

Hi @ChMat

Services.yaml

entity_id: '%env(ENTITY_ID)%'
saml_sso_service: '%env(SAML_SSO_SERVICE)%'
secure_login_check: '%env(SECURE_LOGIN_CHECK)%'
unsecure_login_check: '%env(UNSECURE_LOGIN_CHECK)

.env

ENTITY_ID=https://gateway.com/saml/
UNSECURE_LOGIN_CHECK=http://gateway/saml/login_check
SECURE_LOGIN_CHECK=https://gateway/saml/login_check
SAML_SSO_SERVICE=https://account.com/simplesaml/saml2/idp/SSOService.php

There are my params, and that error happens after doing the login on SimpleSamlPHP
On SimplesamlPHP I have the same entity_id

@ChMat
Copy link

ChMat commented Mar 25, 2019

Check your light_saml_symfony_bridge config. You have an entity_id that is different from that of your .env: https://sso-gateway/saml/

Both should be identical.

@jhonnynho
Copy link

I have exactly the same entity_id on my config and on SimpleSaml

@JavierBmrg
Copy link

Hi guys,
I've got the same problem, The Saml is behind an haproxy, and I recieve error Unknown InResponseTo ... , when I try to login, I don't know if the saml needs something else, because the ssl end-to-end isn't available with haproxy in front of my saml service.

@nguyenhung nguyenhung mentioned this issue Aug 29, 2019
Closed
@jonhleno
Copy link

jonhleno commented Oct 1, 2019

Thanks @tmilos for the information. It helped me solve the issue.

I implemented a custom service extending LightSaml\Builder\EntityDescriptor\SimpleEntityDescriptorBuilder.

I replaced the $acsUrl __construct() parameter to an array.

So when I declare the service, the corresponding argument will be an array containing the login_check url from behind the proxy (http and .local url in my case) and from the rest of the world, like this:

["http://mysite.local/saml/login_check", "https://mysite.com/saml/login_check"]

And I changed the getSpSsoDescriptor() function as follows:

    /**
     * @return SpSsoDescriptor|null
     */
    protected function getSpSsoDescriptor()
    {
        if (null === $this->acsUrl) {
            return null;
        }

        $spSso = new SpSsoDescriptor();

        foreach ($this->acsBindings as $index => $biding) {
            if (is_array($this->acsUrl)) {
                foreach ($this->acsUrl as $acsUrl) {
                    $acs = new AssertionConsumerService();
                    $acs->setIndex($index)->setLocation($acsUrl)->setBinding($biding);
                    $spSso->addAssertionConsumerService($acs);
                }
            }
            else
            {
                $acs = new AssertionConsumerService();
                $acs->setIndex($index)->setLocation($this->acsUrl)->setBinding($biding);
                $spSso->addAssertionConsumerService($acs);
            }
        }

        $this->addKeyDescriptors($spSso);

        return $spSso;
    }

This worked for me, I hope this will help.

Thanks @ChMat It works like a charm!

@mabumusa1 mabumusa1 mentioned this issue Jun 29, 2023
Closed
1 task
@bastianpsycho1
Copy link

hi guys, theres a way to do similar escenario but for de endpoint "default_target_path", actually is calling my unsecured endpoint but i need that be redirected to the secured endpoint. I already did the same for the login_check and is working succesfully but i need also for the default_target_path wheres my codebehind do some validations for login user.

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@guiyomh @ChMat @tmilos @jonhleno @JavierBmrg @jhonnynho @bastianpsycho1