aacotroneo / laravel-saml2

A Laravel 5 package for Saml2 integration as a SP (service provider) based on the simple OneLogin toolkit


Reference validation failed Redirecting to https://...

msslgomez opened this issue · comments

Today we started getting this error out of the blue and can no longer log into our systems. I have no idea what could be happening and need help.

This is what we see after attempting to login, it just reloads that over and over.
Reference validation failed Redirecting to https://...

In the logs I also get these errors:

local.ERROR: Saml2 error_detail {"error":"Reference validation failed"} 
local.ERROR: Saml2 error {"error":["invalid_response"],"last_error_reason":"Reference validation failed"} 

This is the package info
"aacotroneo/laravel-saml2": "^2.1",

I'm using Laravel 9. The super weird thing is this has been working with no problems for over 6 months, but today, randomly and without any changes in our code, it stopped working.

I didn't set this up, so I'm very unfamiliar with how this works and what to do. Any help in figuring out what is happening and how to fix it would be greatly appreciated. I'm desperate at this point.
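As an added example (not part of this thread or of the laravel-saml2 package), a small Python log-triage script that pulls the `Saml2 error` lines quoted above out of a Laravel log and counts failed SAML logins by `last_error_reason`, so a sudden run of "Reference validation failed" after a PHP or OpenSSL upgrade stands out in monitoring before users report being locked out. The line format (optional `[timestamp]` prefix, then `env.LEVEL: message {json}`) and the sample lines are constructed from the lines quoted in this issue.

```python
import json
import re
from collections import Counter

# Laravel log line: optional "[timestamp] " prefix, then "env.LEVEL: message {json context}".
# Only "Saml2 error" / "Saml2 error_detail" messages are of interest here.
LINE_RE = re.compile(
    r'^(?:\[(?P<ts>[^\]]+)\]\s+)?(?P<env>\w+)\.(?P<level>[A-Z]+):\s+'
    r'(?P<msg>Saml2 \w+)\s+(?P<ctx>\{.*\})\s*$'
)

# Constructed sample log, modelled on the error lines quoted in the issue.
SAMPLE_LOG = """\
[2023-07-11 09:12:01] local.ERROR: Saml2 error_detail {"error":"Reference validation failed"}
[2023-07-11 09:12:01] local.ERROR: Saml2 error {"error":["invalid_response"],"last_error_reason":"Reference validation failed"}
[2023-07-11 09:12:05] local.INFO: User logged in {"id":42}
local.ERROR: Saml2 error {"error":["invalid_response"],"last_error_reason":"Reference validation failed"}
local.ERROR: Saml2 error {"error":["invalid_response"],"last_error_reason":"Signature validation failed"}
"""


def parse_saml2_errors(text):
    """Return one dict per Saml2 ERROR line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "ERROR":
            continue
        try:
            ctx = json.loads(m.group("ctx"))
        except json.JSONDecodeError:
            continue  # malformed context: do not guess at its contents
        errs = ctx.get("error", [])
        if isinstance(errs, str):  # error_detail lines carry a bare string
            errs = [errs]
        events.append({
            "ts": m.group("ts"),
            "env": m.group("env"),
            "kind": m.group("msg").split(" ", 1)[1],  # "error" or "error_detail"
            "errors": errs,
            "reason": ctx.get("last_error_reason"),
        })
    return events


def summarize(events):
    """Count failed SAML logins (the 'Saml2 error' lines) by last_error_reason."""
    return Counter(e["reason"] for e in events if e["kind"] == "error")
```

Pointing `summarize(parse_saml2_errors(...))` at a production `laravel.log` gives the per-reason counts; a spike in one reason that coincides with a deploy or package upgrade is the signal to correlate with the PHP and OpenSSL versions, as the replies in this thread did.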

We are also getting this issue since about the same time.
It still worked on my machine when running OpenSSL 1.1 and PHP 8.2.3, but stopped working when I upgraded my packages (OpenSSL 3, PHP 8.2.5).

I haven't found a fix yet

@SanderMuller We managed to get around it by disabling the encryption in one of the config files; I think it was 'encrypt_assertion' that we set to false. We didn't even update any of our packages, so I'm not really sure why ours started failing.

@msslgomez it's indeed the encrypt_assertion option. That's currently our workaround, so that the tests are passing again.
But we're still looking for an actual fix.

// Encrypt requests and responses
'encrypt_assertion' => env('APP_ENV') !== 'testing',

@Treggats ours only works as

'encrypt_assertion' => false

@msslgomez we are only experiencing problems with our test suite. So the above snippet sets it to false while the tests are running, and it does not affect the production environment.

@Treggats Our case was backwards: it only affected production. We couldn't even reproduce the error, not that we wanted to.

I didn't have it locally until I updated my PHP and OpenSSL

Could be related to issue:
robrichards/xmlseclibs#257

Happened after upgrading to PHP 8.2.8 from 8.2.7.

For me it also works in 8.2.8 when setting 'encrypt_assertion' => false in the idp.

Both my PHP 8.2.7 and 8.2.8 are using OpenSSL 3.0.8 7 Feb 2023, so I don't think it's in OpenSSL.
Also happens on another server running PHP >= 8.2.8 and OpenSSL 1.1.1k FIPS 25 Mar 2021. (Fine on 8.2.7)