OneLogin Samly How-to / Guide
sheharyarn opened this issue
Hi, I've successfully set up Samly with Okta and am now trying to do the same with OneLogin, but the sign-in URL generated by Samly is causing 500 Internal Server Errors on OneLogin. I was wondering if I was doing something wrong, because there aren't third-party, platform-specific guides available for Samly.
Visiting http://myapp.com/sso/auth/signin/onelogin
redirects to this massive URL:
https://slab-dev.onelogin.com/trust/saml2/http-redirect/sso/729a675b-80b0-4bc5-bf60-79ad18fcd839?SAMLEncoding=urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE&SAMLRequest=lVfZkqNIsv2VtOxHLItdoLSuGgt2EEhiR7yxL2ITO%252Fr6q1RW1a3qmemZeZChcOK4nzjhuEf8%252BY%252B1rl7mpB%252BKtvn6in5BXv%252Fx7c8hqKvuHUxj3hjJbUqG8UXmvr4WMUrSJI4RFIYR5B4lMQRBiMcPe315uGmG9yfw6%252BvUN%252B9tMBTDexPUyfA%252BRu8m0NR37Avy3vXt2EZt9Svk7xHBMCT9%252BOD3%252BiIPw5TIzTAGzfj1FUMw5A3B3zDKQsl3kn4nMP%252F1xfmxmAf29YV7kC%252BaYHxa8nHshncYHqogfIuT%252BUvbJFWbFc2XqK3hsZ%252BGEf7gg8EfM9%252F6JC76JHrYhhamsH2wo8jwjUZC5I0II%252FItTHfIG7UPYpROo5jG968v4AdXtm2GqU56M%252BnnIkpsQ%252F3%252F8EFXfPmg8MHgI%252FCH%252B6GDo08I%252FIPU68v5u1ZM0cRFk%252F29TOHnpOFdsqzz2%252FlkWq%252BfO%252Fn%252BVK3%252F9gH%252BJeyf8K8v%252F4yHd7PIHkpNffJ9a%252BLhk%252FOD8rIsXxb8S9tn8Memw8gefsyJhyL74%252FUnNonlJm2fQzZo2qaIgqq4P7XXkjFv4xdQZW1fjHn9bxyjMIp8OH5L1ugtQonmj1f4d2r%252FtSOE%252BMHwrW775I9%252BCN6GPMDI3XeXRpImfdJEyYttyF9f%252F%252Fib7H7Ot%252FqgGdK2r4ffh%252F%252BRy29qJc382N0uid%252BGH0v6zue%252Fd%252FivVYL%252FmSNXZI%252F0%252Fx8le0jyx29CfXpxgmpKvsnbyl69LhM1Ed2K9dKfRqrRDegSwQ%252FFbJrKlxln96fklH19MvoV%252FDT8lP1z%252BJe8%252BbnPnwgXZe%252B17wl7ZGpv2FVw26O7OhFzis3s4ut3dYj2SnBgQ2ocpbq4dBkyR%252FkppQvvDF0qQkfys6ESCk0M0d04p4eGtcRa3SCdPZccCjyRadSLexvitVlMxBzrueLv990KMEO%252F7VuxWgYOcWFWPkbC0uTLoYyO1XE4OIcUC9SGyfIQ9ghusqAdHvEtGACBO1tRrz2yZOvqjIiwq9TZRK2NX4pYF3lRWVfTQE9OzYoBfz5SByUgoBE%252FxfOcrkg9x8bsbMzWzrjdDNhttB3nTENlzvm42asm5GvQlqNKHPWHDRFRESo3znWgA7W3BApo7ByIpiNeNm7gbhtU5zIXYmh5OcheeeZx7DQz14kt6zAoA%252FaEYvEZLZLLUh2UdgajH5GO25AsCNQWTPnpsMPHcb%252Fyoo3YupnaUmA4EJbR8HgkB2nHnXyX0%252Beuo8pMLE062sQImbzFLPFBBwRXBVCUOOK2Dvd4PHIULhri1QK%252B49zHc%252BsamJgWUnrAfW%252Bt04s8Uz59PlsMHgnkMLP2Auv1LtW5OjOlB4UxIwYPt01xEq5XatoQvE6FTBp2V4o6uG1NleWZDiJSteBV2HkZYifSKPX%252BokZKLWkckt9X%252Fjb4ZkZxQTkK9AGffdvorKZLu3gyAj%252Bf%252BL6Qc9rZjd7QBpoMobvqSnBcFFwmWSi6ewjdFMTdMfM843W9QsZwUkwYi5CvP9P5l%252Fz9SOlDsv1Mb49E9lwwBj8H7Ee3SB%252BFcky%252BabIs
eBzLAkRnWZ07OT7KtzJ9Ce7gyGTXW34txP2CMEAfBMAxi6YPC6tfOEd%252FpNWiOPadNzRAiwC1eRYssuVW11AUJl%252FSVr4EOpMdHQZEGuscc792sMBdB9%252FibY2RPzHZotqYMIbSNTPq53PlSqB94gaNsfM5xo1ZM%252FSFz55xOQ6M94uLDolJtiEeI%252BEdJMKCrCcOkJqlL9pdX45cHDxt1u82TQIrewfKp%252F%252BLBSrH0gx%252B4Zanb5kD%252BTFwjeHiktfozpsaA548mWVRHjwfdcHvQnGtfuFzePCxPvkw4vNp8ScNLJ%252FrWxbBFPd4LNKrwAHzM66msfgxD92VVOvv65NlVi7%252FqjkvAHBiQUaDj%252Fdsdnj85wFx83ehK9EJRwBX11s1yGzSlqm7bZHlVUXUm4rTCXRuUv9mJOMl74pSY%252FcCgu0qvRNRf6tYa6%252BzUoVZyj6eD%252FS6B0N7Mbs1F%252FjZpVJ2hVEIwgoqNByQLoGy8km%252Fs%252Fcpu3liR6GmH2IEjXSHdNpkvYcSJA27JS16lhXIc1rtHnXLycptZOKly%252FHD8WgNpbJTcKNcyvFEcoiH4nSb7oXbJp1ZvVYeX5aiUlDBHB2JVonscsARMtBVvRlk0EumykTgUhtq5KiocPFwYo6rtVgJMbVieeymVc6kmG1tKYwvCFafW6m3uSMe%252BdO9A8xonpOTXPCq%252F6jOXlLonRsXbZlW%252BgXpWs7yGuYKx5Kzt9riuHgRxEyPyldKxB7n774e5Q5R09a%252BgbTYEYPqkuNDrQXRVQKw2DEEysqTcDAg%252Fwiz1Qp0cZh1Bk4TtDzcBicCUkSd14XIr7PkOR5nRdTpsG%252BpIU8RlJRKwkWptCSak6L4coGQ5Frot2Mrn46gD83mKCAJ7zTcSWWRGCDYNcd9AORYauQI1Wc%252FysQtMKQdbk%252FAg81hmcKw05Gx27mhbqKiaemKcnBCLJdYy3JKAyG9Mm%252Bu2JUFWCdHUuHFqrBSWtDG1tQ7cL8KW0T1ZkrvY7JUt7sq8GmVwE598aawLpPmtoYDHfiItN9X%252BLjeDjN3XpKJs8tF0tDjzb2NamDqsv0oCTwA1r%252BoJc%252B85oFDMJOqz8BR9LNCOBM%252FPhohcZpiNFbKPAzho2yquWl0Tn0Pbh0tYDc%252FsQNrGgLBQ%252BxSJDwLpwot8RIONa7%252BSdxpbPxQjLFIpaoSEcAQilzKTuqkO6S7V%252Bcou3kY3fSJnJkTawY7K3Zikzm3s%252BNQdcl3iyzeiwu9nuBi6s4w37mJiLeWsnQwE83%252BTh24xMkF6WhYlUO4oIHFUN7fpeays%252FiOfyQJJfHyiqZVoCpzqh0UpjYqy429XMWd5VZnujJSK3fDWf%252FxecgB3BqpvNoeRiGm3Kd2tOak0xkQM%252B%252FQXU8UhbFgSnm9Q7eu6cPc5QRrpSF6mevAvHpA9LUlP3YCpWvsjeyqSwiXpAq7HiwfJKhd0I9y1kG8e%252FUClwy97ZBHodWZ2mQZLboBLhONUiLr2ZLN1b42aYEnlmKkJ%252FSaiopP3I8SbngSMLY6N%252BviTNxI%252Fhy0FoJlkJ%252BLVrSOKadkczQDFB7mLGIvSNHsGaIevey2ZyIKLIupYGV3hI4HrNo3DS7QRcXOB9zpaOi8tF24jRQR5vrOlk2rijt5RoRhvGLeZE1XaHmAh4wmI8z6OMT4pOVI23bNEis%252BtiHWjjlSBQ1M0OS0LfGZdaD8FBMF0CjEirLSRboC2ofhthPoJNq5DNWdhLD3UkS%252FCRsZlagW2QexrcvYkM7d1Zrv0Z1YRioGHpqUqmXfUD6iP5vtXxvoT%252BNni4V%252Fbb6%252FNecf
N9zj4xIlc%252Be2KqLtRXgcm4Px39%252Bx0C%252Fo01LEb%252Blz6ntSB0UF4rhPhuF5Av%252Fne%252FO3%252FwM%253D&RelayState=XwFpVksFWW8CQfFiC-cOvKsiVBsYFsDc
which returns this 500 error on OneLogin:
Here's my config:
config :samly, Samly.Provider,
  service_providers: [
    %{
      id: "myapp",
      entity_id: "urn:myapp.com",
      certfile: "config/dev/saml.crt",
      keyfile: "config/dev/saml.pem"
    }
  ],
  identity_providers: [
    %{
      id: "onelogin",
      sp_id: "myapp",
      base_url: "https://myapp.com/sso",
      metadata_file: "path/to/onelogin_idp.xml",
      use_redirect_for_req: true,
      allow_idp_initiated_flow: true,
      allowed_target_urls: nil
    }
  ]
OneLogin configs:
Turns out the issue was with use_redirect_for_req: true. Removing this config fixed it, but now I'm getting access_denied :invalid_relay_state from Samly.
I checked the request and response with SAML-tracer and it shows the correct relay state being returned. Any thoughts @handnot2?
Had to fork samly and put logs throughout the code to figure out what I was doing wrong (Hint: I was calling the login URL on one subdomain and consuming the response on a different subdomain, because of which the relay state was null in the other subdomain's session).
#13 is definitely a good idea, hope that's added some day. In the meantime, I'll try to contribute a detailed step-by-step guide for adding OneLogin integration with Samly. For now closing the issue.
Thanks for the library!
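An added illustration of the failure mode described in the comment above (this is not Samly's code and not from the issue author): a host-scoped cookie jar plus a server-side session store show why a RelayState issued while the browser was on one subdomain cannot be validated when the IdP posts the response back to a different subdomain, since the session cookie is never sent to that host and the stored RelayState is therefore missing. Hostnames, paths, the cookie name and the session store are all constructed for the example; the comparison and one-time-use handling are generic defensive practice, not a description of Samly's internals.

```python
import hmac
import secrets
from urllib.parse import urlsplit


class CookieJar:
    """Minimal host-scoped cookie jar: a cookie set while on one host is only
    sent back to that exact host (constructed stand-in for a browser)."""

    def __init__(self):
        self._cookies = {}  # (host, cookie name) -> value

    def set(self, host, name, value):
        self._cookies[(host, name)] = value

    def get(self, host, name):
        return self._cookies.get((host, name))


# Constructed server-side session store: session id -> session data.
SESSIONS = {}
SESSION_COOKIE = "_myapp_session"  # constructed cookie name


def start_login(jar, host):
    """SP side: create a session bound to the current host's cookie and store
    a fresh RelayState in it. Returns the RelayState sent to the IdP."""
    sid = secrets.token_urlsafe(16)
    relay_state = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"relay_state": relay_state}
    jar.set(host, SESSION_COOKIE, sid)
    return relay_state


def consume_response(jar, acs_host, relay_state_from_idp):
    """SP side (assertion consumer endpoint): look up the session through the
    cookie the browser sends to acs_host and validate the returned RelayState."""
    sid = jar.get(acs_host, SESSION_COOKIE)
    session = SESSIONS.get(sid) if sid else None
    expected = session.get("relay_state") if session else None
    if expected is None:
        # No session on this host, so nothing to compare against: this is the
        # situation that produces the error reported in the thread.
        return "access_denied :invalid_relay_state"
    if not hmac.compare_digest(expected, relay_state_from_idp):
        return "access_denied :invalid_relay_state"
    session.pop("relay_state")  # RelayState is single-use
    return "ok"


def run_flow(signin_url, acs_url, tamper=False):
    """Drive one login: sign-in on signin_url's host, response delivered to
    acs_url's host. The IdP is assumed to echo RelayState unchanged (no real
    SAML is exchanged here); tamper=True simulates a forged RelayState."""
    jar = CookieJar()
    relay_state = start_login(jar, urlsplit(signin_url).hostname)
    if tamper:
        relay_state = secrets.token_urlsafe(24)
    return consume_response(jar, urlsplit(acs_url).hostname, relay_state)


if __name__ == "__main__":
    # Same host for both legs: the session cookie comes back and the check passes.
    print(run_flow("https://myapp.com/sso/auth/signin/onelogin",
                   "https://myapp.com/sso/consume"))
    # Sign-in on a subdomain, response consumed on the apex host: no cookie, so denied.
    print(run_flow("https://app.myapp.com/sso/auth/signin/onelogin",
                   "https://myapp.com/sso/consume"))
```

Running it prints "ok" for the same-host flow and "access_denied :invalid_relay_state" for the cross-subdomain flow, which is exactly the distinction the comment above arrived at by adding logs: the RelayState returned by the IdP was correct, but the host receiving it had no session to compare it against.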
Adding the working configuration in OneLogin for the Samly HowTo project configured for subdomains. I hope this helps the next user who struggles to get it right :)
Hello @sheharyarn. I'm having the same issue as the one you addressed here. Can you take a look at a post I've created on Elixir Forum?
Any help would be appreciated.
Cheers.