kgup
April 9, 2018, 6:49am
1
Hello dear Community,
We are trying to implement SAML in our instance, and after initial problems we got to the error message "No attributes could be mapped".
How can we debug this? The SAML server's log tells us that the attributes are provided.
Greetings
Karl
alex
April 9, 2018, 10:42am
2
There are various browser extensions for Chrome that will log the SAML messages exchanged. For example, https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=en
If it’s telling you that no attributes could be mapped, it suggests that the SAML config you have in Xibo mapping the IdP attributes to Xibo attributes doesn’t match up with what is actually being returned by the IdP.
kgup
April 10, 2018, 8:00am
3
Thanks for the reply.
Sadly the logging turned out to be a dead end, since the data is encrypted and, as far as I can tell, there is a one-time key used in this process.
Is there no way to log the response before Xibo tries to map it?
alex
April 10, 2018, 8:02am
4
You would likely need to make a code change to log what you need. The routine that maps attributes is here:
```php
        throw new \OneLogin_Saml2_Error(
            'SAML SSO failed: ' . implode(', ', $errors) . '. Last Reason: ' . $auth->getLastErrorReason()
        );
    } else {
        // php-saml returns the attributes keyed by the Name the IdP sent.
        $samlAttrs = $auth->getAttributes();
        if (empty($samlAttrs)) {
            throw new AccessDeniedException(__('No attributes retrieved from the IdP'));
        }
        // Convert the SAML Attributes into userData mapped against the workflow mappings.
        // A mapping entry only matches when its value is exactly one of the keys of $samlAttrs.
        $userData = array();
        if (isset($samlSettings['workflow']) && isset($samlSettings['workflow']['mapping'])) {
            foreach ($samlSettings['workflow']['mapping'] as $key => $value) {
                if (!empty($value) && isset($samlAttrs[$value])) {
                    $userData[$key] = $samlAttrs[$value];
                }
            }
        }
        if (empty($userData)) {
            // ... (remainder of the routine not shown in this post)
```
kgup
April 10, 2018, 11:08am
5
Thanks,
I was able to find the issue with a log output of $samlAttrs:
```text
Array
(
    [urn:oid:2.5.4.3] => Array
        (
            [0] => uname
        )

    [urn:oid:0.9.2342.19200300.100.1.3] => Array
        (
            [0] => uname@doma.in
        )

)
```
Instead of CN and EMAIL I got those strings, which are apparently identifiers for the content type.
After switching that out SSO with our Shibboleth instance is working.
Thanks for the support.
1 Like
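The debugging path the thread arrives at, as an added example that is not part of the thread or of Xibo's code: decode the SAMLResponse form parameter the way the browser extension does, detect the encrypted-assertion case from post 3 (where a browser-side decoder cannot help, because only the SP holds the decryption key), and otherwise list the attribute Names the IdP actually sent and run them through a port of the mapping loop from post 4. The two SAML responses are constructed samples shaped like a Shibboleth IdP's output, reusing the values from post 5; the mapping keys "UserName" and "email" are hypothetical and stand in for whatever Xibo's workflow mapping uses.

```python
"""Decode a SAMLResponse, report the attribute Names the IdP sent, and apply
a Xibo-style workflow mapping to explain "No attributes could be mapped"."""
import base64
import xml.etree.ElementTree as ET  # use defusedxml for input you do not trust

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not captured traffic): an unsigned, unencrypted response
# shaped like what a Shibboleth IdP releases. Attributes are named by OID; the
# familiar short name appears only in FriendlyName.
PLAIN_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2018-04-10T08:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-04-10T08:00:00Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="cn">
        <saml:AttributeValue>uname</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue>uname@doma.in</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of the situation in post 3: the assertion is encrypted, so
# anything decoded in the browser shows only xmlenc ciphertext.
ENCRYPTED_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_r2" Version="2.0" IssueInstant="2018-04-10T08:00:00Z">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>AAAA...</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# What the browser actually posts to the SP: the XML, base64-encoded.
PLAIN_POST_PARAM = base64.b64encode(PLAIN_RESPONSE_XML.encode()).decode()
ENCRYPTED_POST_PARAM = base64.b64encode(ENCRYPTED_RESPONSE_XML.encode()).decode()


def decode_saml_response(b64_param):
    """Parse the base64 SAMLResponse form field (HTTP-POST binding) into XML."""
    return ET.fromstring(base64.b64decode(b64_param))


def is_encrypted(root):
    """True when the Response carries an EncryptedAssertion instead of an Assertion."""
    return root.find("saml:EncryptedAssertion", NS) is not None


def extract_attributes(root):
    """Return (attrs, friendly): attrs keyed by Name, the way php-saml's
    getAttributes() keys them, plus a lower-cased FriendlyName -> Name index."""
    attrs, friendly = {}, {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        attrs[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("FriendlyName"):
            friendly[attr.get("FriendlyName").lower()] = name
    return attrs, friendly


def map_attributes(saml_attrs, mapping):
    """Port of the Xibo loop in post 4: a mapping entry contributes to user_data
    only when its value is non-empty and is an exact key of saml_attrs."""
    user_data, unmatched = {}, {}
    for key, value in mapping.items():
        if value and value in saml_attrs:
            user_data[key] = saml_attrs[value]
        else:
            unmatched[key] = value
    return user_data, unmatched


def diagnose(b64_param, mapping):
    """Explain a mapping failure: encrypted assertion, or mapping values that match
    no Name. For unmatched entries, suggest the Name whose FriendlyName matches."""
    root = decode_saml_response(b64_param)
    if is_encrypted(root):
        return {"encrypted": True, "user_data": {}, "unmatched": dict(mapping), "hints": {}}
    attrs, friendly = extract_attributes(root)
    user_data, unmatched = map_attributes(attrs, mapping)
    hints = {k: friendly.get(str(v).lower()) for k, v in unmatched.items()}
    return {"encrypted": False, "user_data": user_data, "unmatched": unmatched, "hints": hints}


if __name__ == "__main__":
    # Mapping keys are hypothetical; the values mirror the thread's before and after.
    before = {"UserName": "CN", "email": "EMAIL"}
    after = {"UserName": "urn:oid:2.5.4.3", "email": "urn:oid:0.9.2342.19200300.100.1.3"}
    for mapping in (before, after):
        print(diagnose(PLAIN_POST_PARAM, mapping))
    print(diagnose(ENCRYPTED_POST_PARAM, after))
```

With the "before" mapping nothing matches, and the hint for "CN" points at urn:oid:2.5.4.3 because the IdP's FriendlyName for that attribute is cn; "EMAIL" gets no hint because the IdP calls that attribute mail. With the OID mapping both entries resolve, which is the fix post 5 arrived at. Against the encrypted sample the script stops early, which is why the browser extension was a dead end and a log line inside the SP, after decryption, was needed.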