SAML SSO authentication doesn't work as SimpleSAMLphp generates non-existent AssertionConsumerServiceURL

Bug #1689685 reported by Yaju Mahida
This bug affects 3 people
Affects: Mahara
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Wrong AssertionConsumerServiceURL is generated in the SAML2 AuthRequest.

Mahara 16.10.3 and CentOS Linux release 7.2

Since 16.10.x release, the SimpleSAMLphp library is included as a managed dependency with the Mahara codebase.

We noticed that before sending an AuthRequest to an IdP, it generates a wrong AssertionConsumerServiceURL, behaving as if it were hosted separately from Mahara, which ends up in SSO failure.

In our case, it generates https://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
instead of https://localhost/auth/saml/sp/saml2-acs.php/default-sp.

We tracked down that it is generated using 'baseurlpath' => 'simplesaml/' defined in htdocs/auth/saml/config/config.php
and
$ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId)); defined in htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php line 189.

As a workaround, we have hacked the SimpleSAMLphp library for generating correct AssertionConsumerServiceURL which solves this issue.

Yaju Mahida (yvm)
description: updated
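The mismatch the report describes, as an added example that is not Mahara or SimpleSAMLphp code: a Python script that rebuilds the two AssertionConsumerServiceURLs (the shape SimpleSAML_Module::getModuleURL() derives from 'baseurlpath' => 'simplesaml/', and the one built from Mahara's wwwroot), wraps a constructed AuthnRequest in the HTTP-Redirect binding an SP sends, and checks the URL the request carries against the AssertionConsumerService endpoints declared in constructed SP metadata. That comparison is the check an IdP applies before it will post an assertion anywhere, so the request built from baseurlpath is refused and the wwwroot one passes; a request with no AssertionConsumerServiceURL attribute at all (the startSSO1 path mentioned later in this thread) is also handled, because the IdP then falls back to the metadata default. The entityID, IssueInstant, request ID and the metadata document are constructed values, not taken from a real Mahara install.

```python
# Added example (not Mahara or SimpleSAMLphp code): decode an SP-initiated
# AuthnRequest as sent over the HTTP-Redirect binding and check that the
# AssertionConsumerServiceURL it carries is one the SP metadata registers.
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

def module_acs_url(host, baseurlpath, auth_id):
    """URL shape SimpleSAML_Module::getModuleURL() produces: <host><baseurlpath>module.php/<resource>."""
    return f"{host}{baseurlpath}module.php/saml/sp/saml2-acs.php/{auth_id}"

def wwwroot_acs_url(wwwroot, auth_id):
    """URL shape the workaround in this thread builds from Mahara's wwwroot."""
    return f"{wwwroot}auth/saml/sp/saml2-acs.php/{auth_id}"

def authn_request_xml(issuer, acs_url=None):
    """Constructed minimal AuthnRequest; the ACS attribute is optional (startSSO1 omits it)."""
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-request" '
        f'Version="2.0" IssueInstant="2017-04-10T00:00:00Z"{acs_attr}>'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )

def sp_metadata_xml(entity_id, acs_urls):
    """Constructed SP metadata registering the given ACS endpoints."""
    acs = "".join(
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="{url}" index="{i}"/>'
        for i, url in enumerate(acs_urls)
    )
    return (
        f'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{entity_id}">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{acs}</md:SPSSODescriptor></md:EntityDescriptor>"
    )

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode (the SAMLRequest value)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")

def decode_redirect(saml_request_param):
    """Reverse of encode_redirect, as the IdP (or an admin reading a captured redirect) does."""
    deflated = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(deflated, -15).decode()

def check_acs(saml_request_param, metadata_xml):
    """Return the requested ACS, the registered ACS list, and whether an IdP may honour it."""
    req = ET.fromstring(decode_redirect(saml_request_param))
    if req.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    requested = req.get("AssertionConsumerServiceURL")
    md = ET.fromstring(metadata_xml)
    registered = {
        e.get("Location")
        for e in md.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    }
    # No ACS attribute (startSSO1 path): the IdP falls back to the metadata default,
    # so the request is acceptable as long as metadata registers an endpoint.
    ok = requested in registered if requested else bool(registered)
    return {
        "issuer": req.findtext("saml:Issuer", namespaces=NS),
        "requested_acs": requested,
        "registered_acs": sorted(registered),
        "ok": ok,
    }

# Constructed values taken from the report: baseurlpath 'simplesaml/' versus wwwroot.
WWWROOT = "https://localhost/"
AUTH_ID = "default-sp"
ENTITY_ID = WWWROOT + "auth/saml/sp/metadata.php/" + AUTH_ID  # assumed entityID, not from the page
METADATA = sp_metadata_xml(ENTITY_ID, [wwwroot_acs_url(WWWROOT, AUTH_ID)])
BUGGY_ACS = module_acs_url(WWWROOT, "simplesaml/", AUTH_ID)  # what the report saw
FIXED_ACS = wwwroot_acs_url(WWWROOT, AUTH_ID)                # what metadata registers

def request_param(acs_url=None):
    """SAMLRequest query value for a constructed request carrying the given ACS (or none)."""
    return encode_redirect(authn_request_xml(ENTITY_ID, acs_url))

if __name__ == "__main__":
    for name, acs in (("buggy", BUGGY_ACS), ("fixed", FIXED_ACS), ("no-acs", None)):
        result = check_acs(request_param(acs), METADATA)
        print(name, "ok=" + str(result["ok"]), "requested=" + str(result["requested_acs"]))
```

Run stand-alone it prints the three cases. To diagnose a real failure, pass check_acs() the SAMLRequest value copied from the failing redirect together with the SP's own metadata XML: the "requested_acs" field shows which URL the IdP was actually asked to post to, and "registered_acs" shows what it is allowed to use.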
Kristina Hoeppner (kris-hoeppner) wrote:

Hi Yaju,

Thanks for that info. Our 16.10 sites do work with the new SAML setup. We'll need to investigate this further.

Cheers
Kristina

shane (54an3) wrote:

@Yaju Can you share what changes you made to get it working?

Yaju Mahida (yvm) wrote:

Hi Shane,

We had to fix this in the SimpleSAMLphp library (1.14.7), mahara/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php line 189.

From:
$ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
To:
$ar->setAssertionConsumerServiceURL(get_config('wwwroot') . 'auth/saml/sp/saml2-acs.php/' . $this->authId);

We also had logout issues, e.g. once a user is logged out from another application (part of the SSO) Mahara should also log out, but that wasn't the case. The SAML session was terminated but not the Mahara session!

And for this issue we had to put $USER->logout(); into mahara/htdocs/auth/saml/sp/saml2-logout.php just before calling the SAML logout page require('../extlib/simplesamlphp/modules/saml/www/sp/saml2-logout.php');

Are you experiencing similar issues?

Regards,
Yaju Mahida

Kristina Hoeppner (kris-hoeppner) wrote:

Tagged it to 17.10 so it stays on our radar to look at since we can't verify it immediately.

Changed in mahara:
milestone: none → 17.10.0
Robert Lyon (robertl-9) wrote:

Looking at the code, I suspect it's worked for some but not others due to

public function startSSO($idp, array $state)

in

extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php

where startSSO1 doesn't call the setAssertionConsumerServiceURL() but startSSO2 does

The problem with fixing this is we can't patch the files in the extlib/simplesamlphp/ subdir as they are fetched/installed via make ssphp in the core code.

I'll have to check with our saml guru to see if we can workaround this via the saml config file

shane (54an3) wrote:

@Yaju Yeah, we're having a similar issue on 17.04. Mahara sends the user to our IdP to log in, but then the IdP can't send the user back to Mahara because the assertion consumer service URL (simplesaml/module.php/saml/sp/saml2-acs.php/default-sp) is not registered in the metadata.

Thanks for the workaround. I'm trying it out now.

shane (54an3) wrote:

@Yaju It works! Thanks again!

Kevin Rickis (rdx565) wrote:

@Yaju Thank you for the workaround. I hit the problem a couple of weeks ago and I wasn't sure where the problem was. Cheers.

Robert Lyon (robertl-9)
Changed in mahara:
milestone: 17.10.0 → 18.04.0
Kristina Hoeppner (kris-hoeppner) wrote:

Hi Yaju,

We made some improvements for Mahara 17.10 in that area, which also allow for ADFS to work. Can you please check the 17.10 code and see if that resolves your problem?

Thank you
Kristina

Changed in mahara:
status: New → Incomplete
milestone: 18.04.0 → none
Launchpad Janitor (janitor) wrote:

[Expired for Mahara because there has been no activity for 60 days.]

Changed in mahara:
status: Incomplete → Expired
Yaju Mahida (yvm) wrote:

Hi Kristina,

Just found your message now! We will be working on this next year, so I'm not able to confirm this now.

Noticed that this job's status has changed to expired!

Regards,
Yaju Mahida

Kristina Hoeppner (kris-hoeppner) wrote:

Hi Yaju,

I put it back onto "Incomplete". If you could test the latest 17.10 code please when you get the chance that would be great.

Cheers
Kristina

Changed in mahara:
status: Expired → Incomplete
Launchpad Janitor (janitor) wrote:

[Expired for Mahara because there has been no activity for 60 days.]

Changed in mahara:
status: Incomplete → Expired
Yaju Mahida (yvm) wrote:

Hi Kristina,

We are working on the Mahara 18.10.0 upgrade and this is still an issue. We are still using the workaround.

Please, re-open this issue.

Sorry, forgot to comment after the 17.10 testing.

Kind regards,
Yaju Mahida

Kristina Hoeppner (kris-hoeppner) wrote:

Hi Yaju. Thanks for checking. We'll need to look into it again as I suspect that we still can't change the actual SAML library and need to find a different way of dealing with this issue.

Changed in mahara:
status: Expired → Confirmed