response.validate! call fails #70

Closed
eccegordo opened this issue Feb 25, 2013 · 9 comments
Comments

@eccegordo

Hi,

I am trying to use ruby-saml with a custom OmniAuth Strategy. I am using version 0.7.2
In my heroku logs I see

NoMethodError (undefined method `text' for nil:NilClass):

Below is what my OmniAuth callback phase looks like. The failure seems to be around the response.validate! call. Any thoughts on why this is happening? Problem in my code or in ruby-saml? I know I can receive the SAML response if I comment out that

response.validate! 

call. But I am trying to understand the validate method. And specifically what steps I need to take to ensure the SAML assertion my application is receiving is properly signed and trustworthy.

      def callback_phase
        unless request.params['SAMLResponse']
          raise OmniAuth::Strategies::Company::ValidationError.new("SAML response missing")
        end

        response = Onelogin::Saml::Response.new(request.params['SAMLResponse'])
        response.settings = Onelogin::Saml::Settings.new(options)

        # Validate (signature, issuer, conditions) before reading anything out of
        # the response: NameID and attributes are attacker-controlled until the
        # signature check has passed.
        response.validate!

        @name_id = response.name_id
        @attributes = response.attributes

        if @name_id.nil? || @name_id.empty?
          raise OmniAuth::Strategies::Company::ValidationError.new("SAML response missing 'name_id'")
        end
        super
      rescue OmniAuth::Strategies::Company::ValidationError, Onelogin::Saml::ValidationError
        # Both error types mean "do not log this user in"; report them the same way.
        fail!(:invalid_ticket, $!)
      end

      uid { @name_id }
      info do
        {
          :company_id   => @attributes[:"CORP ID"],
          :name         => @attributes[:"Given Name"],
          :email        => @attributes[:"Email Address"],
          :account_type => @attributes[:"Account Type"],
        }
      end
@eccegordo (Author)

I should add I am getting

<UNDEFINED> ... </>

from

response.document.inspect

@naemono

naemono commented Aug 28, 2014

Yeah I'm getting the same thing too...

@document=<UNDEFINED>

from response.rb:

@document = XMLSecurity::SignedDocument.new(@response)

The above line is returning nothing...

I get this hex data for @response:

x9DT\xDBn\x9B@\x10\xFD\x15\xC4;,w\eDP\xDDX\x95,\xD5I\x14Gy\xC8K\xB5,\x83M\x03,\xDD]\x1A\xE7\xEF;\v\xF1-M\xDD$\xD2J0\xC3\xCC\xEC\xE1\xCC\x99I%m\xEA.\xB9\x05\xD9\xF1V\x82\xB1\x98_\x98?\xBC \xF2\xC3`\x12X\xD4

Unsure exactly what to do with this.

If it matters, it's ADFS on Windows 2012 R2.

Anyone have any clues about this?

@pitbulk (Collaborator)

pitbulk commented Sep 9, 2014

@naemono Can you install the SAML Tracer Firefox plugin (https://addons.mozilla.org/es/firefox/addon/saml-tracer/) and send us the base64-encoded SAML Response?

@naemono

naemono commented Sep 19, 2014

Thanks for looking into this.

I assume you're wanting this:

nVVtb5swEP4riO9gQggkFkXLGk2KtLRVU%2fVDv0zGPhJWwJlt1vTf7wzNW9dm7aRIwcfd%2bbnnnjtSzepqQ29Bb2SjwZnPLtwfo2Qk4jBkHozykRfleeLlIhp6ybAoojicQBGOXecelC5lc%2bGGfuA6c61bmDfasMagKRhEXjDxBpO7QUzDMQ1iPxqPH1xnBtqUDTNd5NqYjaaExFE84TwXfrNS8tHnsiasNWtiwRHOqipn%2fNF1Li1Em75VDZVMl5o2rAZNDafL6eI7RSSU9060bfQGeFmUIFxnW1eNpl2t56M3ShrJZeVmaVeR6kPPBzGtQdmK3MxWhAVpLf2tXKlNX4soNEGX3yUHTYxqtUlJnz5L%2bwYsDTOtPj1dSgHOPataOH%2b97rzpsuWYXrsOyVJymnW6A9j3dxzkUT5mhZdEg4kXBdhflrChFxYCgmQ8ZHGYfKyj8cNrHXyOrheS%2f4O2ZZv%2fBG6y9Arzz2fON6lqdkYaA3%2fQWUrhFZ0rhZqV1VQIZUnLFgvZmJWsQT1%2f2UNISZ99fx0qsChttOVyAWYtxT%2fUWNMcmALlvpljxgxzrqS5bq7VtDCgXhM9HB5G5xblvCm7Afjk4FhFvHH7wZqlaBelNWqL5ysgSfBX13swie36%2b6CTYz%2fUXisQMwdcMUaVvL93Z8x%2bMe%2bJKQGNf0T6%2fu3h8SSaHMBiKoMv8taAFTvUSM%2bRzbH96%2bmy8uJrbLr2UaNaso0v1Yo8aRIGwYjgr0QYpjTPhFesrDXpBMJ2Ajkk7UbyPcG88joyHD8fY8V%2bNfuz0x3PTl04CZH%2fJYJCAuaNgO1HR%2frlMmTPwNacni4rHMtbKLKzk8spt35ovsG%2fJ6nEDS5MFBCIO8Vw40plbNPeyHtq3h2PiCD7LbXfX7vPUvYH

This is from the 302 back to my application:

https://tempapplication.com:443/auth/saml/callback?SAMLResponse=base64_string_above&Signature=another_base64_string

@naemono

naemono commented Sep 22, 2014

I finally figured out what was going on. I was not hitting https://myapp/auth/saml to generate the SAML 2.0 request (302 to ADFS), but hitting https://myadfs/adfs/ls/idpinitiatedsignon to generate the SAML callback, which turned out to be generating SAML 1 responses, which was causing this error. The documentation is seriously lacking here for ADFS (I'll generate a pull request for the omniauth-saml README). There doesn't seem to be a way to force ADFS to use SAML 2.0 when hitting the idpinitiatedsignon page without this gem creating the proper parameters sent to ADFS:

<samlp:AuthnRequest AssertionConsumerServiceURL='https://myapp/auth/saml/callback'
                    Destination='https://myadfs/adfs/ls/idpinitiatedsignon.aspx?logintoRP=myapplication-name'
                    ID='_0d369f40-2268-0132-029b-28cfe9164b7b'
                    IssueInstant='2014-09-19T20:18:32Z'
                    Version='2.0'
                    xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://myappname</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate='true'
                      Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
                      xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/>
</samlp:AuthnRequest>

Anyways, thanks for the work on this gem...

@Lordnibbler (Contributor)

Thanks for the follow-up @naemono! Going to close this for now.

@alperkokmen (Contributor)

We were running into this issue as well when validating documents without a signature (//ds:X509Certificate). Even though our code handled OneLogin::RubySaml::ValidationError, this wouldn't be rescued since it's a NoMethodError.

#66 fixes this. Try upgrading to 0.7.3 or higher if you are running into a similar issue.
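
The three symptoms in this thread (eccegordo's <UNDEFINED> document, naemono's binary-looking @response from an idpinitiatedsignon flow that turned out to carry SAML 1 responses, and alperkokmen's observation that the failure surfaces as a NoMethodError rather than a ValidationError) all come from handing ruby-saml a SAMLResponse value it cannot parse. The following is an added example, not code from ruby-saml or from any commenter on this issue: a standard-library-only pre-flight decoder to run before Onelogin::Saml::Response.new. It base64-decodes the parameter, tries raw DEFLATE if the result is not XML (the compressed form used by the HTTP-Redirect binding, whose URL-encoded %2f/%2b escapes appear in naemono's capture), and classifies the root element by namespace so the strategy can fail with a clear message on a SAML 1.x response. The function names, the SamlPreflightError class and the unsigned sample responses are constructed for this example; the namespace URIs are the standard SAML 1.0 and 2.0 protocol namespaces.

```ruby
# Added example, not code from ruby-saml or from any commenter on this issue.
# Pre-flight decoder for the SAMLResponse parameter: explains why a response
# cannot be parsed instead of letting the library hit NoMethodError on a nil
# document. Uses only the Ruby standard library (base64, zlib, rexml).
require 'base64'
require 'zlib'
require 'rexml/document'

SAML2_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:2.0:protocol'
SAML1_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'

# Hypothetical error class so callers can rescue one well-defined exception.
class SamlPreflightError < StandardError; end

# Undo percent-encoding only. Unlike CGI.unescape, a literal '+' is kept,
# because '+' is a base64 digit and must not be turned into a space.
def percent_decode(value)
  value.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Returns the SAMLResponse as an XML string. Accepts the plain base64 of the
# HTTP-POST binding and the URL-encoded, DEFLATE-compressed base64 of the
# HTTP-Redirect binding.
def decode_saml_response(param)
  value = param.include?('%') ? percent_decode(param) : param
  begin
    bytes = Base64.strict_decode64(value.delete(" \t\r\n"))
  rescue ArgumentError
    raise SamlPreflightError, 'SAMLResponse is not valid base64'
  end
  return bytes.force_encoding(Encoding::UTF_8) if bytes.lstrip.start_with?('<')

  # Not XML after decoding: try raw DEFLATE (negative window bits = no zlib header).
  begin
    inflated = Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(bytes)
  rescue Zlib::Error
    raise SamlPreflightError, 'SAMLResponse is neither XML nor DEFLATE-compressed XML'
  end
  return inflated.force_encoding(Encoding::UTF_8) if inflated.lstrip.start_with?('<')

  raise SamlPreflightError, 'SAMLResponse decoded to something that is not XML'
end

# Classifies the root element by namespace. Only :saml2_response should be
# handed to a SAML 2.0 library; a SAML 1.x <Response> (what naemono's
# idpinitiatedsignon flow produced) is rejected up front.
def saml_response_kind(xml)
  root = REXML::Document.new(xml).root
  raise SamlPreflightError, 'SAMLResponse has no root element' if root.nil?

  case root.namespace
  when SAML2_PROTOCOL_NS then root.name == 'Response' ? :saml2_response : :saml2_other
  when SAML1_PROTOCOL_NS then :saml1_response
  else :unknown
  end
rescue REXML::ParseException
  raise SamlPreflightError, 'SAMLResponse is not well-formed XML'
end

# Constructed helper: how an IdP encodes a response for the Redirect binding
# (raw DEFLATE, base64, then URL-encoding of '+', '/' and '=').
def encode_redirect_binding(xml)
  deflated = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS).deflate(xml, Zlib::FINISH)
  Base64.strict_encode64(deflated).gsub('+', '%2b').gsub('/', '%2f').gsub('=', '%3d')
end

# Constructed, unsigned samples (not captured from any real IdP).
SAMPLE_SAML2 = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0" IssueInstant="2014-09-19T20:18:32Z">
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  </samlp:Response>
XML
SAMPLE_SAML1 = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="_example" MajorVersion="1" MinorVersion="1" IssueInstant="2014-09-19T20:18:32Z"/>
XML

if __FILE__ == $PROGRAM_NAME
  puts saml_response_kind(decode_saml_response(Base64.strict_encode64(SAMPLE_SAML2)))  # saml2_response
  puts saml_response_kind(decode_saml_response(encode_redirect_binding(SAMPLE_SAML2))) # saml2_response
  puts saml_response_kind(decode_saml_response(Base64.strict_encode64(SAMPLE_SAML1)))  # saml1_response
end
```

This check only decides whether the payload is something a SAML 2.0 library can parse; it does not replace response.validate!, which is still what verifies the XML signature, issuer and conditions before any NameID or attribute is trusted.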

@tboyko

tboyko commented Mar 5, 2018

Try upgrading to 0.7.3 or higher if you are running into a similar issue.

@alperkokmen Typo? 0.7.2 is the most recent version available.

@alperkokmen (Contributor)

@tboyko nope, 0.7.3 was a release. It's fairly out-of-date at this point though. I would recommend using the latest version if you can.
