Authsource must be of type saml:SP #100

Open

obdeijn opened this issue Oct 23, 2024 · 6 comments

Comments

obdeijn commented Oct 23, 2024

The README and the provided documentation in https://github.com/cirrusidentity/simplesamlphp-module-authoauth2/blob/master/docs/GOOGLE.md seem to suggest that you can configure an OAuth2 or OpenIDConnect provider directly in authsources.php. This is what we did when we were using SimpleSaml < 2.0 and it worked fine. When I try this now, after upgrading to SimpleSaml 2.3.0 and authoauth2 4.1.0, I get the following error:

SimpleSAML\Error\Exception: Authsource must be of type saml:SP

It seems that this is not an accepted way of configuring an IdP anymore. See also the discussion in simplesamlphp/simplesamlphp#2143 and the documentation in https://simplesamlphp.org/docs/stable/simplesamlphp-sp.html

So it seems to me that the latest version of authoauth2 and the provided documentation are not compatible with SimpleSaml >= 2.0.

pradtke (Contributor) commented Oct 23, 2024

Hi @obdeijn ,

We are using the module with SSP 2.3.0.
Perhaps you can provide more details on how you are using it?

obdeijn (Author) commented Oct 24, 2024

Thanks for your reply @pradtke. I am using the Filesender project (https://github.com/filesender/filesender), which relies on SSP for authentication. I am running it in a Docker container. I have this in the Dockerfile to install the authoauth2 module:

    composer config --no-plugins allow-plugins.simplesamlphp/composer-module-installer true && \
    composer require cirrusidentity/simplesamlphp-module-authoauth2:v4.1.0 && \

In config/config.php of SSP I have this:

    'module.enable' => [
        'exampleauth' => false,
        'core' => true,
        'admin' => true,
        'authoauth2' => true
    ],

In config/authsources.php of SSP I have this:

    $auth = array(
        'authoauth2:OpenIDConnect',
        'issuer' => $oidcIssuer,
        'clientId' => $oidcClientId,
        'clientSecret' => $oidcClientSecret,
        'urlAuthorizeOptions' => array(
            'scope' => 'openid profile email',
        ),
    );

    $config = array(
        'admin' => array(
            'core:AdminPassword',
        ),
        'myAuthProvider' => $auth,
    );

Is this also how you do it, or am I missing something?

obdeijn (Author) commented Nov 4, 2024

@pradtke have you had a chance to look into this?

syphernl commented Dec 4, 2024

Experiencing the same problem with SimpleSamlPHP v2.3.5 / v5.0.0-beta.1 of this module.

pradtke (Contributor) commented Dec 5, 2024

Based on those links @obdeijn , this is an issue with FileSender and SSP 2, not with this module itself. It seems like FileSender is generating a login url (using an SSP api) that SSP2 no longer supports for non-saml SP. We do not use FileSender so have not run into this issue.

I believe @monkeyiq is working on an example project for how to work around this at https://github.com/monkeyiq/sspsmall

The basic workaround is to make an IdP in saml20-hosted-idp that uses (from your example) myAuthProvider as the authsource. Then you would add an SP authsource to authsources.php that uses that IdP, and lastly you would use that SP authsource with FileSender. The difficulty level of the above is highly dependent on whether you are already familiar with those parts of SSP. This approach also allows you to run any authproc filters from SSP.

I'm not familiar with the FileSender login process, but for our own apps we just call the login method directly on the SSP Simple auth class implementation.
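The workaround described in this comment (hosted IdP fronting the OIDC authsource, a saml:SP authsource pointing at that IdP, and the application calling the Simple API on the SP) laid out as one added configuration example. This is not code from the module, from FileSender or from the SimpleSAMLphp documentation; the hostnames, entity IDs, key file names and the `filesender-sp` source name are placeholders, and `$oidcIssuer`, `$oidcClientId` and `$oidcClientSecret` are the variables from the issue, assumed to be defined earlier in the file. Each section is marked with the SSP file it belongs in.

```php
<?php
// Added example (not from the module or FileSender). Three SSP files are shown
// in one listing; put each section in the file named in its comment.

// ---- metadata/saml20-idp-hosted.php ----
// A hosted IdP whose 'auth' is the authoauth2 source from the issue. The OIDC
// login happens behind this IdP, so the non-SP authsource is never hit directly.
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.key',   // placeholder: file under cert/
    'certificate' => 'idp.crt',   // placeholder: file under cert/
    'auth'        => 'myAuthProvider',
    'authproc'    => [
        // authproc filters that should run on the attributes the OIDC login returns
    ],
];

// ---- metadata/saml20-idp-remote.php ----
// The SP below must trust the hosted IdP, so its metadata is registered here.
// Copy the real entityID, endpoints and certificate from the hosted IdP's
// metadata page; the values here are placeholders.
$metadata['https://sso.example.org/simplesaml/module.php/saml/idp/metadata'] = [
    'SingleSignOnService' => 'https://sso.example.org/simplesaml/module.php/saml/idp/singleSignOnService',
    'SingleLogoutService' => 'https://sso.example.org/simplesaml/module.php/saml/idp/singleLogout',
    'certificate'         => 'idp.crt',   // placeholder: the IdP's public certificate
];

// ---- config/authsources.php ----
$config = [
    'admin' => ['core:AdminPassword'],

    // The OIDC source exactly as in the issue. It is referenced only by the
    // hosted IdP above; applications never use it as their authsource.
    'myAuthProvider' => [
        'authoauth2:OpenIDConnect',
        'issuer'       => $oidcIssuer,
        'clientId'     => $oidcClientId,
        'clientSecret' => $oidcClientSecret,
        'urlAuthorizeOptions' => ['scope' => 'openid profile email'],
    ],

    // The saml:SP source that applications (FileSender here) are pointed at.
    // 'idp' pins it to the hosted IdP so no IdP discovery page is shown.
    'filesender-sp' => [
        'saml:SP',
        'entityID'    => 'https://filesender.example.org/sp',   // placeholder
        'idp'         => 'https://sso.example.org/simplesaml/module.php/saml/idp/metadata',
        'privatekey'  => 'sp.key',   // placeholder: file under cert/
        'certificate' => 'sp.crt',   // placeholder: file under cert/
    ],
];

// ---- in the application (the "call login directly" approach) ----
// With the SP source, the Simple API works as it did in SSP 1.x: the
// application only ever names a saml:SP authsource.
$as = new \SimpleSAML\Auth\Simple('filesender-sp');
$as->requireAuth();
$attributes = $as->getAttributes();
```

The point of the three-file split is that the only authsource an application can name is `filesender-sp`, which satisfies the saml:SP check in SSP 2.x, while the OIDC login still runs unchanged inside the hosted IdP. Whatever authproc filters are listed on the IdP apply to every application that authenticates through it.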

@monkeyiq commented

I am coming in on the other side, knowledge of FileSender and SSP but not of this module. I have seen the

SimpleSAML\Error\Exception: Authsource must be of type saml:SP

message, specifically when an attempt was made to pass an access method to the Simple API of SSP. In the 1.x days SSP would accept that and authenticate with the access method and return. In 2.x of SSP I have found that there are some checks in place to make sure you come in as an SP in the Simple API. If you try to put something like sqlauth:PasswordVerify in the authsources.php and pass that entity to the Simple API you will likely get this error.

I made sspsmall to try to help folks get around that "must be SP" error when they are not so familiar with SAML/SSP. The sspsmall is still a work in progress, and I added a second SP for testing SLO which needs to be separated out from a default sspsmall setup.

The README, scripts and config/metadata files in sspsmall should still be informative at this stage about how things want to be set up in order to allow an app, SP, IdP, access method flow to complete.

In testing I have also found disabling this exception and creating a small method that is assumed in the SP instance in the auth method class allowed a direct hit on the AM instead of the SP. But that is really untested other than it seems to work on a desktop machine and may cause problems, be insecure, or break in a real world case.

I think the requirement to use the SP was added to avoid people being able to directly access an auth method which is then network exposed. For example folks exposing an LDAP server to the net through a direct auth method setup in SSP.
