SAML problem with ACS endpoints

Hmm, seems I cannot edit commetns?
Could you please remove IdP URL in <samlp:AuthnRequest>, it is publicly available, however I didn't intend to paste it here.

Hi Karol,

I'm not able to edit your comment but I can hide it

There is a fix for this problem
https://reviews.mahara.org/#/c/7873/

That allows the SAML auth to function as a module and so the AssertionConsumerServiceURL return path gets redirected internally to the correct place

Cheers

Robert

Lovely! Thanks for letting me know.

Hi Robert.

Thanks for the link to the fix, but while it's looking cool and dandy - it doesnt work. I have posted a note here:
https://reviews.mahara.org/#/c/7873/2

Going to re-paste my original post, in hope someone might find it useful.

I have encountered this issue today and hotfixed it for myself. Maybe it will help someone.
Please read below for hotfix solution and proposed more approppriate solution:

Mahara 17.04.2
Problem lies in including origin simplesalmphp repository auth/saml plugin without any changes whatsoever.

However simplesamlphp as it stands is using its way to generate URLs for ACS via:

<mahara>/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php
189: $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));

Which results in wrong AssertionConsumerServiceURL generated:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_a976498d2ebe858cc56d486b5af2085ed957f45c5a"
                    Version="2.0"
                    IssueInstant="2017-08-10T13:29:09Z"
                    Destination="https://<idp_url>/idp/profile/SAML2/Redirect/SSO"
                    AssertionConsumerServiceURL="https://<mahara_adress>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>https://<mahara_adress>/mahara</saml:Issuer>
</samlp:AuthnRequest>

Proper one should be the one you are getting when generating SP Metadata via Mahara/auth/saml plugin here:
https://<mahara_adress>/auth/saml/sp/metadata.php?output=xhtml

Which in this case equals to:
https://<mahara_adress>/auth/saml/sp/saml2-acs.php/default-sp

***
Hotfix was to hardcode proper AssertionConsumerServiceURL in:

<mahara>/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php

188: $myPath = 'https://<mahara_adress>/auth/saml/sp/saml2-acs.php/default-sp';
189: // $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
190: $ar->setAssertionConsumerServiceURL($myPath);

***
Proper solution would be patching appropriate classes/methods.
Just a quick info where these urls gets built:

~/svn/Mahara_1/trunk/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php
189: $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));

~/svn/Mahara_1/trunk/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Module.php
180: $url = \SimpleSAML\Utils\HTTP::getBaseURL().'module.php/'.$resource

~/svn/Mahara_1/trunk/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Utils/HTTP.php
509: $baseURL = $globalConfig->getString('baseurlpath', 'simplesaml/');

Reviewed: https://reviews.mahara.org/7873
Committed: https://git.mahara.org/mahara/mahara/commit/4d0e9f693745b3c3b1bb47765705e8d64da21d73
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 4d0e9f693745b3c3b1bb47765705e8d64da21d73
Author: Piers Harding <email address hidden>
Date: Thu Jun 29 14:54:47 2017 +1200

Bug 1707535: Auth/SAML - fix ACS endpoints

behatnotneeded

Change-Id: I09c20bd1b030b7976f2128f4476b2a9f4b7c623b