
SAML Metadata XML not usable #3998

Closed
2 tasks done
ChatGPTLover opened this issue Jan 27, 2023 · 6 comments

Comments

@ChatGPTLover

ChatGPTLover commented Jan 27, 2023

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

We are not able to import the bookstack metadata xml (/saml2/metadata) into our IdP.
The IdP reports that the xml file is invalid.

With APP_DEBUG enabled the bookstack error message:

openssl_sign(): Supplied key param cannot be coerced into a private key

It's an installation via the installation script on a clean Ubuntu 22.04 LTS.

Exact BookStack Version

v22.11.1

Log Content

#0 [internal function]: Illuminate\Foundation\Bootstrap\HandleExceptions->handleError()
#1 /var/www/bookstack/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php(563): openssl_sign()
#2 /var/www/bookstack/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php(644): RobRichards\XMLSecLibs\XMLSecurityKey->signOpenSSL()
#3 /var/www/bookstack/vendor/onelogin/php-saml/src/Saml2/Auth.php(756): RobRichards\XMLSecLibs\XMLSecurityKey->signData()
#4 /var/www/bookstack/vendor/onelogin/php-saml/src/Saml2/Auth.php(693): OneLogin\Saml2\Auth->buildMessageSignature()
#5 /var/www/bookstack/vendor/onelogin/php-saml/src/Saml2/Auth.php(559): OneLogin\Saml2\Auth->buildRequestSignature()
#6 /var/www/bookstack/app/Auth/Access/Saml2Service.php(50): OneLogin\Saml2\Auth->login()
#7 /var/www/bookstack/app/Http/Controllers/Auth/Saml2Controller.php(28): BookStack\Auth\Access\Saml2Service->login()
#8 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(54): BookStack\Http\Controllers\Auth\Saml2Controller->login()
#9 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(45): Illuminate\Routing\Controller->callAction()
#10 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(262): Illuminate\Routing\ControllerDispatcher->dispatch()
#11 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(205): Illuminate\Routing\Route->runController()
#12 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(721): Illuminate\Routing\Route->run()
#13 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Routing\Router->Illuminate\Routing\{closure}()
#14 /var/www/bookstack/app/Http/Middleware/CheckGuard.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#15 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\CheckGuard->handle()
#16 /var/www/bookstack/app/Http/Middleware/Localization.php(45): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#17 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\Localization->handle()
#18 /var/www/bookstack/app/Http/Middleware/RunThemeActions.php(26): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#19 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\RunThemeActions->handle()
#20 /var/www/bookstack/app/Http/Middleware/CheckEmailConfirmed.php(47): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#21 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\CheckEmailConfirmed->handle()
#22 /var/www/bookstack/app/Http/Middleware/PreventAuthenticatedResponseCaching.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#23 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\PreventAuthenticatedResponseCaching->handle()
#24 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php(78): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#25 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle()
#26 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php(49): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#27 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\View\Middleware\ShareErrorsFromSession->handle()
#28 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(121): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#29 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(64): Illuminate\Session\Middleware\StartSession->handleStatefulRequest()
#30 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Session\Middleware\StartSession->handle()
#31 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php(37): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#32 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle()
#33 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php(67): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#34 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Cookie\Middleware\EncryptCookies->handle()
#35 /var/www/bookstack/app/Http/Middleware/ApplyCspRules.php(33): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#36 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\ApplyCspRules->handle()
#37 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#38 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(723): Illuminate\Pipeline\Pipeline->then()
#39 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(698): Illuminate\Routing\Router->runRouteWithinStack()
#40 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(662): Illuminate\Routing\Router->runRoute()
#41 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(651): Illuminate\Routing\Router->dispatchToRoute()
#42 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(167): Illuminate\Routing\Router->dispatch()
#43 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}()
#44 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(39): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#45 /var/www/bookstack/app/Http/Middleware/TrustProxies.php(41): Illuminate\Http\Middleware\TrustProxies->handle()
#46 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\TrustProxies->handle()
#47 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#48 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php(40): Illuminate\Foundation\Http\Middleware\TransformsRequest->handle()
#49 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\TrimStrings->handle()
#50 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#51 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\ValidatePostSize->handle()
#52 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(86): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#53 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance->handle()
#54 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#55 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(142): Illuminate\Pipeline\Pipeline->then()
#56 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(111): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter()
#57 /var/www/bookstack/public/index.php(53): Illuminate\Foundation\Http\Kernel->handle()
#58 {main}

PHP Version

8.1.2

Hosting Environment

Ubuntu 22.04 LTS, via Installation Script

@ssddanbrown
Member

Hi @ChatGPTLover,

The error log provided looks to be specific to a login request, rather than a metadata request, in which case a login error may be expected if things are not set up yet.

In regards to the metadata:

  • Do you see valid XML when visiting the /saml2/metadata endpoint of your BookStack instance?
  • Does your IdP provide any detail apart from it just being "invalid"?
  • Are you able to confirm the IdP system being used?

@ChatGPTLover
Author

Hi @ssddanbrown

Yes, I see valid XML when visiting /saml2/metadata.

The IdP (Microsoft ADFS) provides:
There was an error deserializing the security key identifier clause XML

The IdP works for all other SP except BookStack.

@ssddanbrown
Member

@ChatGPTLover Alrighty, it should work for ADFS; many other users are using SAML with ADFS.
Out of the bookstack config values below, can you confirm what you have set and the values used (where possible to share):

  • SAML2_AUTOLOAD_METADATA
  • SAML2_IDP_SSO
  • SAML2_IDP_SLO
  • SAML2_IDP_x509
  • SAML2_IDP_AUTHNCONTEXT
  • SAML2_SP_x509
  • SAML2_SP_x509_KEY

@ChatGPTLover
Author

ChatGPTLover commented Jan 27, 2023

@ssddanbrown

  • SAML2_IDP_ENTITYID=https://adfs url/federationmetadata/2007-06/federationmetadata.xml

  • SAML2_AUTOLOAD_METADATA -> true | false (tested both)

  • SAML2_IDP_SSO -> https://adfs url/adfs/ls

  • SAML2_IDP_SLO -> commented out

  • SAML2_IDP_x509 -> ADFS Token cert data

  • SAML2_IDP_AUTHNCONTEXT -> true

  • SAML2_SP_x509 -> empty

  • SAML2_SP_x509_KEY -> empty

@ssddanbrown
Member

Okay, let's focus on using autoloading since the errors you've reported seem certificate related; let's work around that for now.

Are you able to access the SAML2_IDP_ENTITYID value in your browser and see valid XML?

If so, can you comment out or remove the SAML2_IDP_SSO, SAML2_IDP_SLO, SAML2_IDP_x509, SAML2_SP_x509 and SAML2_SP_x509_KEY options in your config.

Then, attempt to import the metadata again and confirm if you still get the openssl_sign(): Supplied key param cannot be coerced into a private key error or if you get a different error.
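
A pre-flight check for the config values discussed in this thread, written as an added example (not BookStack's own code). It assumes the .env layout and the SAML2_* key names from the thread and checks only PEM structure and option consistency, not that the key cryptographically matches the certificate:

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.S)

def parse_env(text):
    # Parse KEY=value lines of a .env file (comments skipped, surrounding quotes stripped).
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def pem_problems(name, value, labels):
    """Structural checks only: matching PEM labels, base64 body, DER SEQUENCE tag."""
    m = PEM_RE.search(value.replace("\\n", "\n"))  # .env values often carry literal \n
    if not m:
        return [f"{name}: no PEM BEGIN/END block found"]
    begin, body, end = m.groups()
    if begin != end or begin not in labels:
        return [f"{name}: unexpected or mismatched PEM labels ({begin} / {end})"]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return [f"{name}: PEM body is not valid base64"]
    if not der or der[0] != 0x30:
        return [f"{name}: decoded body does not start with a DER SEQUENCE"]
    return []

def check_saml_config(env):
    problems = []
    cert, key = env.get("SAML2_SP_x509", ""), env.get("SAML2_SP_x509_KEY", "")
    if bool(cert) != bool(key):
        problems.append("SAML2_SP_x509 and SAML2_SP_x509_KEY must both be set or both be empty")
    if cert:
        problems += pem_problems("SAML2_SP_x509", cert, {"CERTIFICATE"})
    if key:
        problems += pem_problems("SAML2_SP_x509_KEY", key, {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"})
    if env.get("SAML2_AUTOLOAD_METADATA", "false").lower() == "true":
        if not env.get("SAML2_IDP_ENTITYID", "").startswith("https://"):
            problems.append("SAML2_AUTOLOAD_METADATA=true needs SAML2_IDP_ENTITYID set to the IdP metadata URL")
    elif not (env.get("SAML2_IDP_SSO") and env.get("SAML2_IDP_x509")):
        problems.append("with autoload disabled, SAML2_IDP_SSO and SAML2_IDP_x509 must be set")
    return problems

# Constructed sample .env mirroring the thread: autoload on, SP cert set but SP key left empty.
SAMPLE_ENV = """SAML2_AUTOLOAD_METADATA=true
SAML2_IDP_ENTITYID=https://adfs.example.invalid/federationmetadata/2007-06/federationmetadata.xml
SAML2_SP_x509="-----BEGIN CERTIFICATE-----\\nMAMCAQA=\\n-----END CERTIFICATE-----"
SAML2_SP_x509_KEY=
"""
```

Running `check_saml_config(parse_env(SAMPLE_ENV))` reports the cert/key mismatch that leaves the SP unable to sign; an empty list means the basic checks passed.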

@ssddanbrown
Member

Since there's been no follow-up I'm going to close this. If the issue remains and is something you still require to be fixed respond to my previous comment and this can then be re-opened.
