handnot2 / samly

Elixir Plug library to enable SAML 2.0 SP SSO in Phoenix/Plug applications.


OneLogin Samly How-to / Guide

sheharyarn opened this issue

Hi, I've successfully set up Samly with Okta and am now trying to do the same with OneLogin, but the sign-in URL generated by Samly is causing 500 Internal Server Errors on OneLogin. I was wondering if I was doing something wrong, because there aren't any third-party, platform-specific guides available for Samly.

Visiting http://myapp.com/sso/auth/signin/onelogin redirects to this massive URL:

https://slab-dev.onelogin.com/trust/saml2/http-redirect/sso/729a675b-80b0-4bc5-bf60-79ad18fcd839?SAMLEncoding=urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE&SAMLRequest=lVfZkqNIsv2VtOxHLItdoLSuGgt2EEhiR7yxL2ITO%252Fr6q1RW1a3qmemZeZChcOK4nzjhuEf8%252BY%252B1rl7mpB%252BKtvn6in5BXv%252Fx7c8hqKvuHUxj3hjJbUqG8UXmvr4WMUrSJI4RFIYR5B4lMQRBiMcPe315uGmG9yfw6%252BvUN%252B9tMBTDexPUyfA%252BRu8m0NR37Avy3vXt2EZt9Svk7xHBMCT9%252BOD3%252BiIPw5TIzTAGzfj1FUMw5A3B3zDKQsl3kn4nMP%252F1xfmxmAf29YV7kC%252BaYHxa8nHshncYHqogfIuT%252BUvbJFWbFc2XqK3hsZ%252BGEf7gg8EfM9%252F6JC76JHrYhhamsH2wo8jwjUZC5I0II%252FItTHfIG7UPYpROo5jG968v4AdXtm2GqU56M%252BnnIkpsQ%252F3%252F8EFXfPmg8MHgI%252FCH%252B6GDo08I%252FIPU68v5u1ZM0cRFk%252F29TOHnpOFdsqzz2%252FlkWq%252BfO%252Fn%252BVK3%252F9gH%252BJeyf8K8v%252F4yHd7PIHkpNffJ9a%252BLhk%252FOD8rIsXxb8S9tn8Memw8gefsyJhyL74%252FUnNonlJm2fQzZo2qaIgqq4P7XXkjFv4xdQZW1fjHn9bxyjMIp8OH5L1ugtQonmj1f4d2r%252FtSOE%252BMHwrW775I9%252BCN6GPMDI3XeXRpImfdJEyYttyF9f%252F%252Fib7H7Ot%252FqgGdK2r4ffh%252F%252BRy29qJc382N0uid%252BGH0v6zue%252Fd%252FivVYL%252FmSNXZI%252F0%252Fx8le0jyx29CfXpxgmpKvsnbyl69LhM1Ed2K9dKfRqrRDegSwQ%252FFbJrKlxln96fklH19MvoV%252FDT8lP1z%252BJe8%252BbnPnwgXZe%252B17wl7ZGpv2FVw26O7OhFzis3s4ut3dYj2SnBgQ2ocpbq4dBkyR%252FkppQvvDF0qQkfys6ESCk0M0d04p4eGtcRa3SCdPZccCjyRadSLexvitVlMxBzrueLv990KMEO%252F7VuxWgYOcWFWPkbC0uTLoYyO1XE4OIcUC9SGyfIQ9ghusqAdHvEtGACBO1tRrz2yZOvqjIiwq9TZRK2NX4pYF3lRWVfTQE9OzYoBfz5SByUgoBE%252FxfOcrkg9x8bsbMzWzrjdDNhttB3nTENlzvm42asm5GvQlqNKHPWHDRFRESo3znWgA7W3BApo7ByIpiNeNm7gbhtU5zIXYmh5OcheeeZx7DQz14kt6zAoA%252FaEYvEZLZLLUh2UdgajH5GO25AsCNQWTPnpsMPHcb%252Fyoo3YupnaUmA4EJbR8HgkB2nHnXyX0%252Beuo8pMLE062sQImbzFLPFBBwRXBVCUOOK2Dvd4PHIULhri1QK%252B49zHc%252BsamJgWUnrAfW%252Bt04s8Uz59PlsMHgnkMLP2Auv1LtW5OjOlB4UxIwYPt01xEq5XatoQvE6FTBp2V4o6uG1NleWZDiJSteBV2HkZYifSKPX%252BokZKLWkckt9X%252Fjb4ZkZxQTkK9AGffdvorKZLu3gyAj%252Bf%252BL6Qc9rZjd7QBpoMobvqSnBcFFwmWSi6ewjdFMTdMfM843W9QsZwUkwYi5CvP9P5l%252Fz9SOlDsv1Mb49E9lwwBj8H7Ee3SB%252BFcky%252BabIs
eBzLAkRnWZ07OT7KtzJ9Ce7gyGTXW34txP2CMEAfBMAxi6YPC6tfOEd%252FpNWiOPadNzRAiwC1eRYssuVW11AUJl%252FSVr4EOpMdHQZEGuscc792sMBdB9%252FibY2RPzHZotqYMIbSNTPq53PlSqB94gaNsfM5xo1ZM%252FSFz55xOQ6M94uLDolJtiEeI%252BEdJMKCrCcOkJqlL9pdX45cHDxt1u82TQIrewfKp%252F%252BLBSrH0gx%252B4Zanb5kD%252BTFwjeHiktfozpsaA548mWVRHjwfdcHvQnGtfuFzePCxPvkw4vNp8ScNLJ%252FrWxbBFPd4LNKrwAHzM66msfgxD92VVOvv65NlVi7%252FqjkvAHBiQUaDj%252Fdsdnj85wFx83ehK9EJRwBX11s1yGzSlqm7bZHlVUXUm4rTCXRuUv9mJOMl74pSY%252FcCgu0qvRNRf6tYa6%252BzUoVZyj6eD%252FS6B0N7Mbs1F%252FjZpVJ2hVEIwgoqNByQLoGy8km%252Fs%252Fcpu3liR6GmH2IEjXSHdNpkvYcSJA27JS16lhXIc1rtHnXLycptZOKly%252FHD8WgNpbJTcKNcyvFEcoiH4nSb7oXbJp1ZvVYeX5aiUlDBHB2JVonscsARMtBVvRlk0EumykTgUhtq5KiocPFwYo6rtVgJMbVieeymVc6kmG1tKYwvCFafW6m3uSMe%252BdO9A8xonpOTXPCq%252F6jOXlLonRsXbZlW%252BgXpWs7yGuYKx5Kzt9riuHgRxEyPyldKxB7n774e5Q5R09a%252BgbTYEYPqkuNDrQXRVQKw2DEEysqTcDAg%252Fwiz1Qp0cZh1Bk4TtDzcBicCUkSd14XIr7PkOR5nRdTpsG%252BpIU8RlJRKwkWptCSak6L4coGQ5Frot2Mrn46gD83mKCAJ7zTcSWWRGCDYNcd9AORYauQI1Wc%252FysQtMKQdbk%252FAg81hmcKw05Gx27mhbqKiaemKcnBCLJdYy3JKAyG9Mm%252Bu2JUFWCdHUuHFqrBSWtDG1tQ7cL8KW0T1ZkrvY7JUt7sq8GmVwE598aawLpPmtoYDHfiItN9X%252BLjeDjN3XpKJs8tF0tDjzb2NamDqsv0oCTwA1r%252BoJc%252B85oFDMJOqz8BR9LNCOBM%252FPhohcZpiNFbKPAzho2yquWl0Tn0Pbh0tYDc%252FsQNrGgLBQ%252BxSJDwLpwot8RIONa7%252BSdxpbPxQjLFIpaoSEcAQilzKTuqkO6S7V%252Bcou3kY3fSJnJkTawY7K3Zikzm3s%252BNQdcl3iyzeiwu9nuBi6s4w37mJiLeWsnQwE83%252BTh24xMkF6WhYlUO4oIHFUN7fpeays%252FiOfyQJJfHyiqZVoCpzqh0UpjYqy429XMWd5VZnujJSK3fDWf%252FxecgB3BqpvNoeRiGm3Kd2tOak0xkQM%252B%252FQXU8UhbFgSnm9Q7eu6cPc5QRrpSF6mevAvHpA9LUlP3YCpWvsjeyqSwiXpAq7HiwfJKhd0I9y1kG8e%252FUClwy97ZBHodWZ2mQZLboBLhONUiLr2ZLN1b42aYEnlmKkJ%252FSaiopP3I8SbngSMLY6N%252BviTNxI%252Fhy0FoJlkJ%252BLVrSOKadkczQDFB7mLGIvSNHsGaIevey2ZyIKLIupYGV3hI4HrNo3DS7QRcXOB9zpaOi8tF24jRQR5vrOlk2rijt5RoRhvGLeZE1XaHmAh4wmI8z6OMT4pOVI23bNEis%252BtiHWjjlSBQ1M0OS0LfGZdaD8FBMF0CjEirLSRboC2ofhthPoJNq5DNWdhLD3UkS%252FCRsZlagW2QexrcvYkM7d1Zrv0Z1YRioGHpqUqmXfUD6iP5vtXxvoT%252BNni4V%252Fbb6%252FNecf
N9zj4xIlc%252Be2KqLtRXgcm4Px39%252Bx0C%252Fo01LEb%252Blz6ntSB0UF4rhPhuF5Av%252Fne%252FO3%252FwM%253D&RelayState=XwFpVksFWW8CQfFiC-cOvKsiVBsYFsDc

which returns this 500 error on OneLogin:

[screenshot: OneLogin 500 Internal Server Error page]


Here's my config:

config :samly, Samly.Provider,
  service_providers: [
    %{
      id: "myapp",
      entity_id: "urn:myapp.com",
      # SP signing certificate and private key
      certfile: "config/dev/saml.crt",
      keyfile: "config/dev/saml.pem",
    }
  ],
  identity_providers: [
    %{
      id: "onelogin",
      sp_id: "myapp",
      # URL under which Samly's routes are mounted
      base_url: "https://myapp.com/sso",
      # metadata XML downloaded from the OneLogin app
      metadata_file: "path/to/onelogin_idp.xml",
      # send the AuthnRequest with the HTTP-Redirect binding instead of POST
      use_redirect_for_req: true,
      allow_idp_initiated_flow: true,
      allowed_target_urls: nil
    }
  ]

OneLogin configs:

[screenshots: OneLogin application configuration, 2020-03-27]

Turns out the issue was with use_redirect_for_req: true. Removing this config fixed it, but now I'm getting access_denied :invalid_relay_state from Samly.

I checked the request and response with SAML-tracer and it shows the correct relay state being returned. Any thoughts @handnot2?

[screenshot: Samly access_denied :invalid_relay_state error]

I had to fork samly and put logs throughout the code to figure out what I was doing wrong. (Hint: I was calling the login URL on one subdomain and consuming the response on a different subdomain, because of which the relay state was null in the other subdomain's session.)

#13 is definitely a good idea, hope that's added some day. In the meantime, I'll try to contribute a detailed step-by-step guide for adding OneLogin integration with Samly. For now, closing the issue.

Thanks for the library!
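An added example, not from this issue and not Samly's own code, showing the session-cookie side of the :invalid_relay_state failure described above. Samly keeps the relay state in the Plug session when the sign-in starts and compares it with the RelayState the IdP echoes back at the assertion consumer URL; when the sign-in is started on one subdomain and the response is consumed on another, the second host never receives the first host's session cookie, so the stored value is nil and the check fails. The endpoint excerpt below (the file path, module name, cookie key and the myapp.com domain are assumptions) scopes the session cookie to the parent domain so that both hosts share one session. The simpler alternative is to start and finish the flow on the same host.

```elixir
# Assumed file: lib/myapp_web/endpoint.ex (example only; not part of the issue or of Samly)
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :myapp

  # ... static files, request parsers and other plugs omitted ...

  # The SAML relay state Samly stores at sign-in lives in this session.
  # Scoping the cookie to the parent domain makes the same session visible on
  # app.myapp.com and sso.myapp.com (assumed hostnames), so a login started on
  # one host can be completed on the other instead of seeing an empty session.
  plug Plug.Session,
    store: :cookie,
    key: "_myapp_key",                        # assumed cookie name
    signing_salt: "REPLACE_WITH_REAL_SALT",   # placeholder: generate a real salt
    domain: ".myapp.com",                     # assumption: both hosts are under myapp.com
    secure: true,                             # never send the session over plain HTTP
    http_only: true                           # keep the cookie out of reach of page scripts

  plug MyAppWeb.Router
end
```

Only widen the cookie domain to a domain you control entirely: every host under it can then read and overwrite the session. Note also that browsers do not send a SameSite=Strict (or Lax) cookie with a cross-site POST, so if the IdP delivers the response with the HTTP-POST binding the session, and with it the relay state, would again be missing at the consumer URL.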

Adding the working configuration in OneLogin for the Samly HowTo project, configured for subdomains. I hope this helps the next user who struggles to get it right :)

[screenshots: working OneLogin configuration for the subdomain setup]

Hello @sheharyarn. I'm having the same issue as the one you addressed here. Can you take a look at a post I've created on Elixir Forum?

Any help would be appreciated.

Cheers.