mahara-contributors team mailing list archive

Thread
Date

[Bug 1689685] Re: SAML SSO authentication doesn't work as SimpleSAMLphp generates non-existent AssertionConsumerServiceURL

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Yaju Mahida <1689685@xxxxxxxxxxxxxxxxxx>
Date: Wed, 17 May 2017 02:06:41 -0000
Reply-to: Bug 1689685 <1689685@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hi Shane,

We had to fix this on SimpleSAMLphp library (1.14.7)
mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php
line 189

From
$ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
To
$ar->setAssertionConsumerServiceURL(get_config('wwwroot') . 'auth/saml/sp/saml2-acs.php/' . $this->authId);

We also had log out issues e.g. once a user is logged out from another
application (part of SSO) Mahara should also log out but that wasn't the
case. SAML session was terminated but not the Mahara session!

And for this issue we had to put $USERlogout(); to
mahara/htdocs/auth/saml/sp/saml2-logout.php just before calling SAML
logout page
require('../extlib/simplesamlphp/modules/saml/www/sp/saml2-logout.php');

Are you experiencing similar issues?

Regards,
Yaju Mahida

--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1689685

Title:
SAML SSO authentication doesn't work as SimpleSAMLphp generates non-
existent AssertionConsumerServiceURL

Status in Mahara:
New

Bug description:
Wrong AssertionConsumerServiceURL is genereated in SAML2-AuthRequest.

Mahara 16.10.3 and CentOS Linux release 7.2

Since 16.10.x release, the SimpleSAMLphp library is included as a
managed dependency with the Mahara codebase.

We noticed that before sending an AuthRequest to an IDP, it generates
wrong AssertionConsumerServiceURL behaving like it is hosted
separately with Mahara which ends up in SSO failure.

In our case, it generates https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
instead of https://localhost/auth/saml/sp/saml2-acs.php/default-sp.

We tracked down that it is generated using 'baseurlpath' => 'simplesaml/' defined in htdocs/auth/saml/config/config.php
and
$ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId)); defined in htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php line 189.

As a workaround, we have hacked the SimpleSAMLphp library for
generating correct AssertionConsumerServiceURL which solves this
issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1689685/+subscriptions

References

[Bug 1689685] [NEW] SAML SSO authentication doesn't work as SimpleSAMLphp generates non-existent AssertionConsumerServiceURL
From: Yaju Mahida, 2017-05-10