OneLogin Samly How-to / Guide #52

Closed
sheharyarn opened this issue Mar 27, 2020 · 4 comments

Comments

@sheharyarn

Hi, I've successfully set up Samly with Okta and am now trying to do the same with OneLogin, but the sign-in URL generated by Samly is causing 500 Internal Server Errors on OneLogin. I was wondering if I was doing something wrong, because there aren't any third-party, platform-specific guides available for Samly.

Visiting http://myapp.com/sso/auth/signin/onelogin redirects to this massive URL:


which returns this 500 error on OneLogin:

Here's my config:

config :samly, Samly.Provider,
  service_providers: [
    %{
      id: "myapp",
      entity_id: "urn:myapp.com",
      certfile: "config/dev/saml.crt",
      keyfile: "config/dev/saml.pem",
    }
  ],
  identity_providers: [
    %{
      id: "onelogin",
      sp_id: "myapp",
      base_url: "https://myapp.com/sso",
      metadata_file: "path/to/onelogin_idp.xml",
      use_redirect_for_req: true,
      allow_idp_initiated_flow: true,
      allowed_target_urls: nil
    }
  ]

OneLogin configs:


@sheharyarn (Author)

Turns out the issue was with use_redirect_for_req: true. Removing this config fixed it, but now I'm getting access_denied :invalid_relay_state from Samly.

I checked the request and response with SAML-tracer and it shows the correct relay state being returned. Any thoughts @handnot2?


@sheharyarn (Author)

Had to fork samly and put logs throughout the code to figure out what I was doing wrong (Hint: I was calling the login URL on one subdomain and consuming the response on a different subdomain, because of which the relay state was null in the other subdomain's session).

#13 is definitely a good idea, hope that's added some day. In the meantime, I'll try to contribute a detailed step-by-step guide for adding OneLogin integration with Samly. Closing the issue for now.

Thanks for the library!
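To make the failure mode in the comment above concrete, here is an added example (not Samly's or Phoenix's code) that models how an SP binds the SAML RelayState to the browser session and then checks it at the ACS endpoint. The Browser, signin, consume_response and flow names, the cookie-domain matching rule and the session store are all constructed for illustration; the point it shows is that a host-only session cookie set on login.myapp.com is never sent to app.myapp.com, so the ACS sees no stored RelayState and rejects the response, while a cookie scoped to the parent domain (or doing both legs on the same host) passes.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Browser:
    """Toy cookie jar: cookie Domain -> session id (constructed, not a real browser)."""
    jar: dict = field(default_factory=dict)

    def cookie_for(self, host):
        # A cookie is sent to `host` when its Domain is the host itself or a parent domain.
        for domain, sid in self.jar.items():
            if host == domain or host.endswith("." + domain):
                return sid
        return None


# Server-side session store, constructed: session id -> session data.
SESSIONS = {}


def signin(browser, cookie_domain):
    """SP /signin leg: create a session, store a fresh RelayState in it, set the cookie."""
    sid = secrets.token_urlsafe(16)
    relay_state = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"relay_state": relay_state}
    browser.jar[cookie_domain] = sid
    return relay_state  # this value rides along to the IdP and is echoed back unchanged


def consume_response(browser, acs_host, relay_state_from_idp):
    """SP ACS leg: accept only if the echoed RelayState matches the one in *this host's* session."""
    sid = browser.cookie_for(acs_host)
    session = SESSIONS.get(sid) if sid else None
    if session is None:
        return "access_denied: invalid_relay_state"  # no session reached the ACS host
    if not secrets.compare_digest(session["relay_state"], relay_state_from_idp):
        return "access_denied: invalid_relay_state"  # echoed value does not match
    return "ok"


def flow(acs_host, cookie_domain):
    """Run both legs with one browser; the IdP is modelled as echoing RelayState verbatim."""
    browser = Browser()
    relay_state = signin(browser, cookie_domain)
    return consume_response(browser, acs_host, relay_state)
```

In a Phoenix app the passing cross-subdomain case corresponds to scoping the session cookie to the parent domain via Plug.Session's `domain:` cookie option, rather than leaving it host-only.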

@manzanit0

manzanit0 commented Jun 1, 2021

Adding the working configuration in OneLogin for the Samly HowTo project configured for subdomains. I hope this helps the next user who struggles to get it right :)


@silvagustin

Hello @sheharyarn. I'm having the same issue as the one you addressed here. Can you take a look at a post I've created on Elixir Forum?

Any help would be appreciated.

Cheers.
