I have encountered this issue today and hotfixed it for myself. Maybe it will 
help someone.
Please read below for the hotfix solution and a proposed more appropriate solution:

Mahara 17.04.2
Problem lies in including origin simplesamlphp repository auth/saml plugin 
without any changes whatsoever.

However simplesamlphp as it stands is using its way to generate URLs for
ACS via:

<mahara>/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php
189: $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));

Which results in wrong AssertionConsumerServiceURL generated:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_a976498d2ebe858cc56d486b5af2085ed957f45c5a"
                    Version="2.0"
                    IssueInstant="2017-08-10T13:29:09Z"
                    Destination="https://login.dcu.ie/idp/profile/SAML2/Redirect/SSO"
                    AssertionConsumerServiceURL="https://<mahara_adress>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>https://<mahara_adress>/mahara</saml:Issuer>
</samlp:AuthnRequest>


Proper one should be the one you are getting when generating SP Metadata via 
Mahara/auth/saml plugin here:
https://<mahara_adress>/auth/saml/sp/metadata.php?output=xhtml

Which in this case equals to:
https://<mahara_adress>/auth/saml/sp/saml2-acs.php/default-sp

***
Hotfix was to hardcode proper AssertionConsumerServiceURL in:

<mahara>/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php

188: $myPath = 'https://<mahara_adress>/auth/saml/sp/saml2-acs.php/default-sp';
189: // $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
190: $ar->setAssertionConsumerServiceURL($myPath);

***
Proper solution would be patching appropriate classes/methods. Just a quick 
info where:

~/svn/Mahara_1/trunk/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php
189: $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));

~/svn/Mahara_1/trunk/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Module.php
180: $url = \SimpleSAML\Utils\HTTP::getBaseURL().'module.php/'.$resource;

~/svn/Mahara_1/trunk/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Utils/HTTP.php
509: $baseURL = $globalConfig->getString('baseurlpath', 'simplesaml/');

https://bugs.launchpad.net/bugs/1707535

Title:
  SAML problem with ACS endpoints

Status in Mahara:
  In Progress

Bug description:
  ACS expects SAML to be run in a modular way and so expects
  module.php/saml/sp/ path to exist.

  We need to capture the return to that path and redirect it to our
  correct path.
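
A check for the mismatch reported above, as an added example that is not part of the original comment or of the Mahara or SimpleSAMLphp code: it compares the AssertionConsumerServiceURL of an AuthnRequest with the AssertionConsumerService endpoints the SP metadata advertises. The sample XML and the host mahara.example.org are constructed, and exact string matching is an assumption about how the IdP compares the two.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed samples; mahara.example.org stands in for <mahara_adress>.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    ID="_constructed" Version="2.0" ProtocolBinding="{POST}"
    AssertionConsumerServiceURL="https://mahara.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>"""

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://mahara.example.org/mahara">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="0" Binding="{POST}"
        Location="https://mahara.example.org/auth/saml/sp/saml2-acs.php/default-sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_acs(metadata_xml):
    """Return the set of (binding, location) pairs the SP metadata advertises."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return {(e.get("Binding"), e.get("Location")) for e in root.iterfind(path, NS)}


def check_request(request_xml, metadata_xml):
    """Return (ok, requested_url, advertised) for one AuthnRequest."""
    req = ET.fromstring(request_xml)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    advertised = metadata_acs(metadata_xml)
    # No URL in the request: the IdP selects an endpoint from metadata itself,
    # so there is nothing to mismatch. Otherwise require an exact match on the
    # location, and on the binding when the request names one.
    ok = url is None or any(
        loc == url and binding in (None, b) for b, loc in advertised)
    return ok, url, advertised


if __name__ == "__main__":
    ok, url, advertised = check_request(AUTHN_REQUEST, SP_METADATA)
    print("match" if ok else "MISMATCH", url, sorted(advertised))
```
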
