Comment 6 for bug 1707535

Karol Flis (kflis) wrote :

Going to re-paste my original post, in hope someone might find it useful.

I have encountered this issue today and hotfixed it for myself. Maybe it will help someone.
Please read below for the hotfix solution and the proposed, more appropriate solution:

Mahara 17.04.2
The problem lies in including the original simplesamlphp repository in the auth/saml plugin without any changes whatsoever.

However, simplesamlphp as it stands uses its own way of generating URLs for the ACS, via:

<mahara>/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php
189: $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));

which results in a wrong AssertionConsumerServiceURL being generated:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_a976498d2ebe858cc56d486b5af2085ed957f45c5a"
                    Version="2.0"
                    IssueInstant="2017-08-10T13:29:09Z"
                    Destination="https://<idp_url>/idp/profile/SAML2/Redirect/SSO"
                    AssertionConsumerServiceURL="https://<mahara_adress>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>https://<mahara_adress>/mahara</saml:Issuer>
</samlp:AuthnRequest>

The proper one should be the one you get when generating SP metadata via the Mahara auth/saml plugin here:
https://<mahara_adress>/auth/saml/sp/metadata.php?output=xhtml

which in this case equals:
https://<mahara_adress>/auth/saml/sp/saml2-acs.php/default-sp

***
The hotfix was to hardcode the proper AssertionConsumerServiceURL in:

<mahara>/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php

188: $myPath = 'https://<mahara_adress>/auth/saml/sp/saml2-acs.php/default-sp';
189: // $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
190: $ar->setAssertionConsumerServiceURL($myPath);

***
The proper solution would be patching the appropriate classes/methods.
Just a quick note on where these URLs get built:

~/svn/Mahara_1/trunk/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php
189: $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));

~/svn/Mahara_1/trunk/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Module.php
180: $url = \SimpleSAML\Utils\HTTP::getBaseURL().'module.php/'.$resource

~/svn/Mahara_1/trunk/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Utils/HTTP.php
509: $baseURL = $globalConfig->getString('baseurlpath', 'simplesaml/');
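The mismatch described in this comment is exactly what an IdP catches when it validates the AssertionConsumerServiceURL of an incoming AuthnRequest against the ACS endpoints registered in the SP's metadata (an IdP that skipped this check would deliver assertions to whatever URL the request named). The script below is an added example, not code from the bug report, from Mahara or from simplesamlphp: it mirrors how the three quoted simplesamlphp lines assemble the URL (baseurlpath + 'module.php/' + resource), then runs the metadata consistency check over a constructed AuthnRequest and a constructed SP metadata document. The hostnames (mahara.example.org, idp.example.org) and the metadata content are assumptions modelled on the values quoted above.

```python
"""Check a SAML AuthnRequest's ACS URL against the SP's published metadata.

Added example (not from the bug report, Mahara or simplesamlphp). All XML
below is constructed sample data; hostnames are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def simplesamlphp_acs_url(base_url: str, auth_id: str) -> str:
    """Mirror of the URL assembly in the quoted SP.php / Module.php / HTTP.php lines:
    getBaseURL() (baseurlpath, default 'simplesaml/') + 'module.php/' + resource."""
    resource = "saml/sp/saml2-acs.php/" + auth_id
    return base_url + "module.php/" + resource


# Constructed: the ACS URL an unmodified simplesamlphp generates for Mahara.
BROKEN_ACS = simplesamlphp_acs_url("https://mahara.example.org/simplesaml/", "default-sp")
# Constructed: the ACS URL Mahara's own auth/saml/sp/metadata.php publishes.
PROPER_ACS = "https://mahara.example.org/auth/saml/sp/saml2-acs.php/default-sp"

# Constructed AuthnRequest in the shape quoted in the report.
AUTHN_REQUEST_BROKEN = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}"
    ID="_example-request-id" Version="2.0" IssueInstant="2017-08-10T13:29:09Z"
    Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
    AssertionConsumerServiceURL="{BROKEN_ACS}"
    ProtocolBinding="{HTTP_POST}">
  <saml:Issuer>https://mahara.example.org/mahara</saml:Issuer>
</samlp:AuthnRequest>"""
# The same request after the hotfix (ACS URL replaced by the proper one).
AUTHN_REQUEST_FIXED = AUTHN_REQUEST_BROKEN.replace(BROKEN_ACS, PROPER_ACS)

# Constructed SP metadata: one HTTP-POST AssertionConsumerService endpoint.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://mahara.example.org/mahara">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="0" Binding="{HTTP_POST}"
        Location="{PROPER_ACS}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(metadata_xml: str) -> set:
    """Return the set of (Binding, Location) pairs the SP metadata declares."""
    root = ET.fromstring(metadata_xml)
    return {
        (e.get("Binding"), e.get("Location"))
        for e in root.iterfind(".//md:AssertionConsumerService", NS)
    }


def request_acs(authn_request_xml: str) -> tuple:
    """Return (ProtocolBinding, AssertionConsumerServiceURL) from an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("root element is not a samlp:AuthnRequest")
    return root.get("ProtocolBinding"), root.get("AssertionConsumerServiceURL")


def check_acs(authn_request_xml: str, metadata_xml: str) -> tuple:
    """The IdP-side check: the request's (binding, ACS URL) pair must be one the
    SP registered. Returns (ok, human-readable reason)."""
    binding, url = request_acs(authn_request_xml)
    declared = acs_endpoints(metadata_xml)
    if (binding, url) in declared:
        return True, "AssertionConsumerServiceURL matches SP metadata"
    locations = sorted(loc for _, loc in declared)
    return False, "ACS %s (%s) is not declared in SP metadata; declared: %s" % (
        binding, url, locations)


if __name__ == "__main__":
    for label, req in (("unmodified", AUTHN_REQUEST_BROKEN), ("hotfixed", AUTHN_REQUEST_FIXED)):
        ok, reason = check_acs(req, SP_METADATA)
        print("%-10s %s  %s" % (label, "OK " if ok else "REJECT", reason))
```

Running it prints a REJECT line for the unmodified request (the /simplesaml/module.php/... URL is not in the metadata) and an OK line for the hotfixed one. The same check is a useful first step when debugging any "IdP rejects login" report: fetch the SP metadata Mahara actually serves and compare it with the ACS URL decoded from the AuthnRequest in the browser's redirect.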