ValidationError, No fingerprint or certificate on settings #1

Open
l0rn opened this issue Jun 6, 2018 · 6 comments

@l0rn

commented Jun 6, 2018

The current dev (the version shipped with the official docker distribution of openproject) does not work.

When trying to authenticate with a SAML provider, the following message occurs in the log:

omniauth: (saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, No fingerprint or certificate on settings

I already ran the pry debugger, and indeed the settings object does not contain most of the relevant configuration:

=> #<OneLogin::RubySaml::Settings:0x0000561e3ed63910
 @assertion_consumer_service_binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 @assertion_consumer_service_url="https://project.example.com/auth/saml/callback",
 @attribute_consuming_service=#<OneLogin::RubySaml::AttributeService:0x0000561e3ed62f38 @attributes=[], @index="1">,
 @compress_request=true,
 @compress_response=true,
 @double_quote_xml_attribute_values=false,
 @idp_cert_fingerprint_algorithm="http://www.w3.org/2000/09/xmldsig#sha1",
 @name_identifier_format=nil,
 @security=
  {:authn_requests_signed=>false,
   :logout_requests_signed=>false,
   :logout_responses_signed=>false,
   :want_assertions_signed=>false,
   :want_assertions_encrypted=>false,
   :want_name_id=>false,
   :metadata_signed=>false,
   :embed_sign=>false,
   :digest_method=>"http://www.w3.org/2000/09/xmldsig#sha1",
   :signature_method=>"http://www.w3.org/2000/09/xmldsig#rsa-sha1"},
 @single_logout_service_binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 @soft=true>
[2] pry(#<OmniAuth::Strategies::SAML>)> 

Probably the API of the weakly defined dependency ruby-saml or omniauth-saml changed.

@wexstorm

commented Aug 23, 2018

I've got exactly the same problem. Did you find a solution?

@l0rn

Author

commented Sep 2, 2018

My "solution" was to use openconnect instead, which worked fine. This seems to be just broken.

@wexstorm

commented Sep 2, 2018

I ended up updating the file
ruby-saml-1.6.1/lib/onelogin/ruby-saml/settings.rb (I really know that this is worst practice)
and changing the defaults to my settings. This works flawlessly.

Cheers

@wexstorm

commented Sep 4, 2018

So, as it seems this line
config = DEFAULTS.merge(overrides)
in
ruby-saml/lib/onelogin/ruby-saml/settings.rb
merges the configs but does not add settings from the settings yaml file.

@surtin

commented Nov 30, 2018

Any update on this? Still seems to be an issue with the latest docker containers. End up having to update the ruby-saml/settings.rb default as @wexstorm suggested, or have constant SAML errors.

@oliverguenther

Contributor

commented Jan 25, 2019

Sorry for the late reply, was not getting notifications for issues on this repository. This issue should only arise if your auth provider callback (/auth/:name) (which is the name) attribute in your settings.yml does not match.

Our OmniAuth strategy will try to look up the given provider based on the name in the callback URL, which is why the name must be set in order to find the key.

With that in mind, I can successfully create a response flow with SAML.

Please note that this repository is being integrated into https://github.com/opf/openproject for the next release 8.3., which will include an updated RubySAML opf/openproject#7014

Please create a ticket at https://community.openproject.com and assign it to us if you are continuing to have issues with SAML!

Best,
Oliver
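
The failure mode discussed in this thread, as an added example that is not code from the plugin, ruby-saml or any commenter: when the name in the callback path does not match a configured provider, the lookup yields no overrides, `DEFAULTS.merge(overrides)` returns only defaults, and no certificate or fingerprint is present. The settings layout (providers keyed by name under `saml`), the helper names and the sample values are assumptions made for illustration.

```ruby
require "yaml"

# Constructed sample configuration. The layout (providers keyed by name) is an
# assumption for this example, not the plugin's documented settings.yml schema.
SAMPLE_SETTINGS = YAML.safe_load(<<~YML)
  saml:
    my_idp:
      name: "my_idp"
      assertion_consumer_service_url: "https://project.example.com/auth/my_idp/callback"
      idp_sso_target_url: "https://idp.example.com/sso"
      idp_cert_fingerprint: "AA:BB:CC:DD"
YML

# Stand-in for library defaults: nothing here identifies the IdP signing key.
DEFAULTS = {
  "assertion_consumer_service_binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
  "idp_cert_fingerprint_algorithm" => "http://www.w3.org/2000/09/xmldsig#sha1"
}.freeze

# Hypothetical lookup: take the provider name from /auth/:name/callback and
# merge that provider's overrides over the defaults.
def settings_for_callback(path, settings = SAMPLE_SETTINGS)
  name = path[%r{\A/auth/([^/]+)}, 1]
  overrides = settings.fetch("saml", {}).fetch(name, {}) # {} when the name does not match
  DEFAULTS.merge(overrides)
end

# True when neither a certificate nor a fingerprint is configured, which is the
# condition behind "No fingerprint or certificate on settings".
def missing_idp_key?(config)
  %w[idp_cert idp_cert_fingerprint].none? { |k| !config[k].to_s.strip.empty? }
end

# Startup check: list providers whose `name` differs from their key or that
# carry no key material, so the problem surfaces before the first login.
def misconfigured_providers(settings = SAMPLE_SETTINGS)
  settings.fetch("saml", {}).each_with_object([]) do |(key, cfg), bad|
    bad << key if cfg["name"] != key || missing_idp_key?(DEFAULTS.merge(cfg))
  end
end
```

Calling `settings_for_callback("/auth/saml/callback")` against the sample returns only the defaults, matching the near-empty settings object in the pry dump above, while `/auth/my_idp/callback` picks up the fingerprint.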
