SSOCircle keeps redirecting to Consent page SAML2.0
I am using SSOCircle to test out my SAML implementation with CodeIgniter. The current steps are:

  1. Access website.com
  2. Redirected to SSOCircle Consent Page
  3. Verify identity
  4. Pass user data back to website.com

However, after step 3, it goes to step 4 and back to step 3 immediately.

This is my code:

// Controller action. SimpleSAMLphp's autoloader (lib/_autoload.php) has to be
// required before SimpleSAML_Auth_Simple can be used.
public function index()
{
    $data['languages'] = get_all_languages();
    $sp_auth = 'default-sp';   // SP entry in simplesamlphp/config/authsources.php
    try {
        $auth = new SimpleSAML_Auth_Simple($sp_auth);
        // Redirects to the IdP when there is no SP session; the IdP sends the
        // browser back to ReturnTo afterwards.
        $auth->requireAuth(array(
            'ReturnTo' => $this->data['controller'],
            'KeepPost' => FALSE,
        ));
        $attributes = $auth->getAttributes();
        var_dump($attributes);
    } catch (Exception $e) {   // SimpleSAMLphp throws Exception subclasses, which catch (Error $e) would miss
        print_r($e);
    }
}

I have considered that my redirect may be the reason it keeps calling the consent page. However, when I added another URL for it to access with this function

public function auth()
{
    // $auth was undefined here in the original; it has to be created again.
    $auth = new SimpleSAML_Auth_Simple('default-sp');
    // getAttributes() returns an empty array if there is no authenticated SP session.
    $attributes = $auth->getAttributes();
    var_dump($attributes);
}

I get this error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SimpleSAML_Error_Exception: No authentication source with id 'Login/Auth' found.
Backtrace:
2 lib/SimpleSAML/Auth/Source.php:335 (SimpleSAML_Auth_Source::getById)
1 modules/saml/www/sp/saml2-acs.php:12 (require)
0 www/module.php:135 (N/A)

Update

I recently noticed that SSOCircle actually returns to my login page. However, it immediately redirects back to the SSOCircle page. Not sure if this helps:

NULL
Redirect
You were redirected to: https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/publicidp?SAMLRequest=vVPBjtowEP2VyPfghCQqWIDELqoWabeLCO1hLytjD4ulxHY9k6X8fZ2kVbc9cOzJ0vO8N%2B%2FN2AuUbePFuqOz3cP3DpCSH21jUQwXS9YFK5xEg8LKFlCQEvX66VFMJ5nwwZFTrmEfKLcZEhECGWdZst0s2WtWgNafINe5UlrqY1lJmE1BlvOimkN10mVWZZDn85wl3yBgZC5ZFIp0xA62FklailCWz9KsSPP8kM1EVYqqeGHJJqYxVtLAOhN5FJwb7SeITpmgGpgo14qyLHhEeF0%2F70GbAIp4CyTXjZHIfXdsjIoslqx%2Fu793FrsWQg3h3Sj4un%2F8o6%2FhfRJdBe0UpjgWYN%2BH7x%2FuniCoLly59D6KDs44nU3Qr14GunI0rW%2BgnyO%2FXC68dbqLJv3Z8wHD8ZymUuGAajjJrqEUo7vdr23cGauNfbu9iONYhOLhcNilu%2Bf6wFaLXlsMgw2r%2FxSnn7OWJP9Js%2BAfvSzGR%2Folpthudi62uiafXWgl3Q7ZI0anp6FUUJAWDViKi2wad7kPIAmWjEIHjK%2FGln9%2FhdVP&RelayState=https%3A%2F%2Fwww.website.com%2Fapp

Update 2

I just checked the logs and I have received this warning

Mar 12 23:26:26 simplesamlphp WARNING [da20d4a7a3] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.

I was told that this is because of lost state information. However, I have checked my cookie names and they match up. What else have I missed?

https://github.com/simplesamlphp/simplesamlphp/wiki/State-Information-Lost

Latoshalatouche answered 10/3, 2018 at 4:34
Update: The paragraphs below assume that, when you modified your code to avoid the cyclic redirection, you made sure to:

Configure the authentication module:

On unix, this can be done by running (from the SimpleSAMLphp installation directory):

touch modules/exampleauth/enable

The next step is to create an authentication source with this module. An authentication source is an authentication module with a specific configuration. Each authentication source has a name, which is used to refer to this specific configuration in the IdP configuration. Configuration for authentication sources can be found in config/authsources.php.

In this setup, this file should contain a single entry:

<?php
$config = array(
    'example-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('student'),
            'eduPersonAffiliation' => array('member', 'student'),
        ),
        'employee:employeepass' => array(
            'uid' => array('employee'),
            'eduPersonAffiliation' => array('member', 'employee'),
        ),
    ),
);

This configuration creates two users, student and employee, with the passwords studentpass and employeepass. The username and password are stored in the array index (student:studentpass for the student user). The attributes for each user are configured in the array referenced by the index. For the student user, these are:

array(
    'uid' => array('student'),
    'eduPersonAffiliation' => array('member', 'student'),
),

The attributes will be returned by the IdP when the user logs on.

Mismatch between PHP session settings for the application and SimpleSAMLphp

If both the application you are trying to add SAML 2.0 support to and SimpleSAMLphp use PHP sessions for session storage, and they don't agree on all the parameters, you can end up with this error. By default, SimpleSAMLphp uses the settings from php.ini, but these can be overridden in config/config.php.

If this is the cause of your error, you have two choices.

(The "No authentication source with id" error occurred because of a conflict in session handling between SimpleSAMLphp and CodeIgniter.)

Solution 1: change SimpleSAMLphp to use a different session storage method

The solution is to set SimpleSAMLphp to use something other than phpsession; as there is an issue with Memcached, the best way is to set it to 'sql'. You do that in simplesamlphp/config/config.php:

/*
 * Configure the datastore for simpleSAMLphp.
 *
 * - 'phpsession': Limited datastore, which uses the PHP session.
 * - 'memcache': Key-value datastore, based on memcache.
 * - 'sql': SQL datastore, using PDO.
 *
 * The default datastore is 'phpsession'.
 *
 * (This option replaces the old 'session.handler'-option.)
 */
'store.type'                    => 'sql',

Solution 2: change the session settings to match between the application and SimpleSAMLphp

If you decide to make the session settings match, you should change the settings in php.ini. This is to make sure that the settings apply to everything that uses the default settings. The following options in php.ini must match the settings used by the application:

  • session.save_handler: This is the method that is used to store the session. The default is "files".
  • session.save_path: This is the location the session files are saved. The default depends on your PHP installation.
  • session.name: This is the name of the session cookie. The default is "PHPSESSID".
  • session.cookie_path: The path that the session cookie is limited to. The default is "/", which means that it is available to all pages on your domain.
  • session.cookie_domain: This is the domain the session cookie is limited to. The default is unset, which makes the cookie available only to the current domain.

Please look at the docs for more information

If that still didn't work, as a last resort try disabling Varnish caching.

Sources:
https://github.com/zl4bv/CakePHP-simpleSAMLphp-Plugin/issues/7
https://www.drupal.org/project/simplesamlphp_auth

Perdue answered 18/3, 2018 at 14:11

Comments:

Latoshalatouche: Hi there, thank you so much for answering. At the moment, when I try to do var_dump($_COOKIE), it shows the cookie name set in my framework. Is PHPSESSID the same as the one that my framework set, or is it different?

Perdue: No problem. If you want to do it that way you must match all the variables, not just PHPSESSID.

Latoshalatouche: I see. So there is a high chance that my current session cookie name in the SimpleSAML config file is looking at my framework one instead of the pure PHP one?

Perdue: Yeah, provided that you have done the correct setup; hence the NOSTATE warning.
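The two solutions in the answer above, written out as the relevant entries of simplesamlphp/config/config.php. This is an added example, not code from the answer or from the SimpleSAMLphp project; the SQLite path and the 'ci_session' cookie name (CodeIgniter 3's default sess_cookie_name) are assumptions. The point it adds is that 'store.type' => 'sql' on its own is not a complete setting: the SQL store also needs a DSN, and with any store other than phpsession SimpleSAMLphp keeps its own session cookie, whose flags are worth setting deliberately.

```php
<?php
/*
 * Added example (not the answer's or SimpleSAMLphp's own config): the entries of
 * simplesamlphp/config/config.php that implement Solution 1 (SQL store) and,
 * commented out, Solution 2 (one shared PHP session). Only the entries relevant
 * to the question are shown; the rest of config.php stays as shipped.
 * Assumed: the SQLite path and the 'ci_session' cookie name.
 */
$config = array(

    /*
     * Solution 1: keep SimpleSAMLphp's request state out of the PHP session,
     * so the application's session_start() can no longer clobber it.
     * 'sql' needs a DSN. A local SQLite file is the simplest choice; it must be
     * writable by the web server user and must live outside the document root.
     */
    'store.type'         => 'sql',
    'store.sql.dsn'      => 'sqlite:/var/simplesamlphp/data/store.sq3', // assumed path
    'store.sql.username' => null,
    'store.sql.password' => null,
    'store.sql.prefix'   => 'SimpleSAMLphp',

    /*
     * With a non-phpsession store SimpleSAMLphp tracks its own session in this
     * cookie. The RelayState in the question is an https:// URL, so mark the
     * cookie Secure and keep it HttpOnly: the SAML session id then never travels
     * in clear text and is not readable from JavaScript.
     */
    'session.cookie.name'     => 'SimpleSAMLSessionID',
    'session.cookie.path'     => '/',
    'session.cookie.secure'   => true,

    /*
     * Solution 2 (use INSTEAD of the 'store.*' lines above): stay on the PHP
     * session, but give SimpleSAMLphp the same cookie name and save path as the
     * application so both sides see one session. CodeIgniter 3 names its cookie
     * 'ci_session' by default; change it if sess_cookie_name was customised.
     */
    // 'store.type'                    => 'phpsession',
    // 'session.phpsession.cookiename' => 'ci_session',
    // 'session.phpsession.savepath'   => null,  // null: php.ini session.save_path
    // 'session.phpsession.httponly'   => true,
);
```

After changing the store, the SimpleSAMLphp "Configuration" diagnostics page (Federation tab, or `module.php/core/frontpage_config.php` in 1.x) reports which store is active; a stale 'phpsession' there means config.php was not the one being read.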

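Beyond the store setting, the question's two code fragments show two separate mistakes that the answer does not spell out: the application never hands the PHP session back to CodeIgniter after SimpleSAMLphp has used it, and the backtrace shows SimpleSAMLphp's ACS endpoint (saml2-acs.php) being asked for an authentication source called 'Login/Auth', which is the controller route rather than the 'default-sp' source name, i.e. the IdP was posting the response to the wrong URL. The controller below is an added example, not the asker's or the answerer's code, and not part of SimpleSAMLphp or CodeIgniter. It assumes SimpleSAMLphp 1.x installed under /var/simplesamlphp with the default baseurlpath, an SP source named 'default-sp', a route /login for this controller, and that SSOCircle releases the attributes EmailAddress, FirstName and LastName.

```php
<?php
/*
 * Added example (not from the question, the answer, SimpleSAMLphp or CodeIgniter):
 * a CodeIgniter 3 controller that protects a page with SimpleSAMLphp 1.x as the
 * SP and SSOCircle as the IdP. Assumptions: install path /var/simplesamlphp,
 * SP source 'default-sp', route /login, and the SSOCircle attribute names below.
 */
defined('BASEPATH') OR exit('No direct script access allowed');

require_once '/var/simplesamlphp/lib/_autoload.php';   // assumed install path

class Login extends CI_Controller
{
    const SP_SOURCE = 'default-sp';   // name of the SP entry in authsources.php

    public function index()
    {
        $this->load->helper('url');    // site_url(), redirect()
        $auth = new SimpleSAML_Auth_Simple(self::SP_SOURCE);

        // ReturnTo is where the browser lands after the IdP round trip. It must be
        // an application page, never the ACS endpoint. The ACS URL the IdP posts
        // to comes from the SP metadata and, by default, is
        //   https://www.website.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
        // saml2-acs.php treats everything after its own name as the source id,
        // so an ACS registered at SSOCircle as .../Login/Auth fails with
        // "No authentication source with id 'Login/Auth' found".
        $auth->requireAuth(array(
            'ReturnTo' => site_url('login'),
            'KeepPost' => false,
        ));

        $attributes = $auth->getAttributes();

        // Hand the PHP session back to the application before anything else
        // touches $_SESSION. Needed while 'store.type' is 'phpsession', where the
        // application's session_start() otherwise overwrites SimpleSAMLphp's state
        // (the "Could not load state specified by InResponseTo" warning). With the
        // SQL store it is harmless. CodeIgniter's session library is loaded only
        // after this point for the same reason; if it is autoloaded, use the SQL store.
        SimpleSAML_Session::getSessionFromRequest()->cleanup();
        $this->load->library('session');

        $user = self::mapUser($attributes);
        if ($user === null) {
            // Never create an application session for an assertion without an identity.
            show_error('IdP did not release a usable identity', 403);
        }

        $this->session->set_userdata('user', $user);
        redirect('app');
    }

    /**
     * Reduce the SAML attribute array (name => array of values) to what the
     * application needs. Returns null when EmailAddress is missing so that the
     * caller cannot log in an anonymous assertion. Attribute names are the
     * assumed SSOCircle ones; check them against the IdP metadata.
     */
    public static function mapUser(array $attributes)
    {
        if (empty($attributes['EmailAddress'][0])) {
            return null;
        }
        $first = isset($attributes['FirstName'][0]) ? $attributes['FirstName'][0] : '';
        $last  = isset($attributes['LastName'][0])  ? $attributes['LastName'][0]  : '';
        return array(
            'email' => $attributes['EmailAddress'][0],
            'name'  => trim($first . ' ' . $last),
        );
    }

    public function logout()
    {
        $auth = new SimpleSAML_Auth_Simple(self::SP_SOURCE);
        $this->load->helper('url');
        $this->load->library('session');
        $this->session->sess_destroy();              // drop the application session first
        $auth->logout(site_url());                   // single logout via the IdP, then back home
    }
}
```

To confirm the ACS side, fetch the SP's own metadata from `module.php/saml/sp/metadata.php/default-sp` and check that the AssertionConsumerService Location in it ends in `/saml2-acs.php/default-sp`; that is the exact URL (and the exact entityID) that has to be registered with SSOCircle. The RelayState shown in the question's update (https://www.website.com/app) is only where the user is sent afterwards; it is not the ACS.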