SAML configuration error #1425
Have a current production mock-up of our production openDCIM server running on an EC2 instance in AWS to test setting up SAML authentication to PingFederate (cloud). Below are our versions running on the EC2 instance:

OS = Amazon Linux 2
openDCIM = v20.02
PHP = v5.4.16
MariaDB = v5.5.68

Worked with our IdP administrator to set up the SAML config, but for the life of me I am having trouble getting a proper response back and a successful login. The error that pops up on the browser is:

The status code of the Response was not Success, was Requester -> Signature required

Using the Chrome SAML developer extension on my browser and attempting the auth process, both the POST and GET responses come back with a 200 code, so I am assuming the handshake looks to be successful, but obviously on the browser that is not what I am seeing, with the aforementioned error. My IdP admin believes everything looks correct from his end, and for the life of me I cannot seem to figure out where my config error might be. Has anyone seen this error when attempting to get their SAML config working and know of a solution?

I saw another discussion (#1363) where an updated parameter in the saml/settings.php file might have fixed their particular issue, I believe it was 'requestedAuthnContext' => false, and was wondering if perhaps because we are on an older version of the openDCIM software I may need to upgrade to a newer version as well.
First of all, the answer is yes, you need to upgrade. 20.02 is not compatible with PHP 8 and higher, and anything less than PHP 8 is no longer supported.
Second, the error message indicates that either the AuthN request (coming from openDCIM) isn’t being signed by a certificate, or that the assertion isn’t being signed by the IdP. Did you create a private key and certificate in openDCIM and upload it to PingFed? I can assure you that it works fine with PingFed as we ran ours at $dayJob off of PingFed for the past several years.
Scott
Thank you for the reply. Will work on upgrading openDCIM and PHP components and try again. Will post results once I have the upgraded components in place.
Tell your IdP admin that this is how the settings should look at the bottom:

Protocol Settings
  Assertion Consumer Service URL
    Endpoint: URL: /saml/acs.php (POST)
  Allowable SAML Bindings
    Artifact: false
    POST: true
    Redirect: true
    SOAP: false
  Signature Policy
    Require digitally signed AuthN requests: false
    Always Sign Assertion: true
    Sign Response As Required: false
  Encryption Policy
    Status: Inactive

Credentials
  Digital Signature Settings
    Selected Certificate: redacted
    Include Certificate in KeyInfo: true
    Include Raw Key in KeyValue: false
    Selected Signing Algorithm: RSA SHA256
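Added example, not openDCIM code and not posted by anyone in this thread: it decodes a SAMLResponse captured with the browser extension the poster used and reports what the SP actually sees, since the HTTP 200 only means the POST arrived while the failure lives in samlp:Status. A top-level Requester code with the message "Signature required" is the IdP blaming the request side, which is the first of Scott's two causes and what "Require digitally signed AuthN requests" above controls; the sample response is constructed, and the SP wording in sp_verdict is modelled on the error text quoted in the thread.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

def inspect_response(saml_response_b64):
    """Decode the base64 SAMLResponse POST field and summarise what the SP will see."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # Walk the (possibly nested) StatusCode chain, dropping the urn prefix.
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", "").replace(STATUS_PREFIX, ""))
        node = node.find("samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    assertions = root.findall("saml:Assertion", NS)
    return {"status_codes": codes,
            "status_message": (msg.text or "").strip() if msg is not None else "",
            "response_signed": root.find("ds:Signature", NS) is not None,
            "assertions_signed": bool(assertions) and all(
                a.find("ds:Signature", NS) is not None for a in assertions)}

def sp_verdict(summary):
    """Rebuild the SP-side wording seen in the thread (assumed format) and hint at the fix."""
    if summary["status_codes"][:1] != ["Success"]:
        text = "The status code of the Response was not Success, was "
        text += (summary["status_codes"] or ["?"])[0]
        if summary["status_message"]:
            text += " -> " + summary["status_message"]
        return text
    if not summary["assertions_signed"]:
        return "Success but the assertion is unsigned: check 'Always Sign Assertion' on the IdP"
    return "Success with a signed assertion"

# Constructed sample (not a capture from the thread): an IdP refusal shaped like the
# poster's error, carrying no assertion and no signature at all.
SAMPLE_FAILURE = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" '
    b'Version="2.0" IssueInstant="2023-08-22T22:13:00Z"><samlp:Status>'
    b'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>'
    b'<samlp:StatusMessage>Signature required</samlp:StatusMessage>'
    b'</samlp:Status></samlp:Response>')

if __name__ == "__main__":
    print(sp_verdict(inspect_response(SAMPLE_FAILURE)))
```

Paste the SAMLResponse value from the extension's POST view in place of SAMPLE_FAILURE; a Success status with assertions_signed False points at the IdP's signing policy rather than the request.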