Issue with SAML Single Signon with Active Directory ADFS

To be completed by the original poster:

CMS Version

2.3.0 (docker based)

Player Type

Windows

Player Version

2.0.200

Issue

We are trying to configure SSO with ADFS and have followed the official guide: SAML Single Signon with Active Directory ADFS. I have also configured Xibo to use HTTPS.

I am able to sign in to Xibo with ADFS, but when logged in we get the following generic error:
(screenshot not reproduced here)

The user is not created in Xibo as it should be. No errors are logged on the ADFS server. In Xibo I have turned on the debug logging level and put the server in test mode; in the logs I can see the following entries:

“SAML SSO failed: invalid_response. Last Reason: Signature validation failed. SAML Response rejected#0 [internal function]: Xibo\Middleware\SAMLAuthentication->Xibo\Middleware{closure}()
#1 /var/www/cms/vendor/slim/slim/Slim/Route.php(468): call_user_func_array(Object(Closure), Array)
#2 /var/www/cms/vendor/slim/slim/Slim/Slim.php(1355): Slim\Route->dispatch()
#3 /var/www/cms/vendor/slim/slim/Slim/Middleware/Flash.php(85): Slim\Slim->call()
#4 /var/www/cms/vendor/slim/slim/Slim/Middleware/MethodOverride.php(92): Slim\Middleware\Flash->call()
#5 /var/www/cms/lib/Middleware/Actions.php(150): Slim\Middleware\MethodOverride->call()
#6 /var/www/cms/lib/Middleware/Theme.php(36): Xibo\Middleware\Actions->call()
#7 /var/www/cms/lib/Middleware/SAMLAuthentication.php(414): Xibo\Middleware\Theme->call()
#8 /var/www/cms/lib/Middleware/CsrfGuard.php(63): Xibo\Middleware\SAMLAuthentication->call()
#9 /var/www/cms/lib/Middleware/State.php(121): Xibo\Middleware\CsrfGuard->call()
#10 /var/www/cms…”

Followed by these entries

SAML SSO failed: invalid_response. Last Reason: Signature validation failed. SAML Response rejected Exception Type: OneLogin\Saml2\Error

Loading error template error-onelogin-saml2-error

UserOption navigationMenuPosition not found

Has anyone successfully configured Xibo with ADFS or encountered similar errors? Members of our Active Directory team did not have any helpful suggestions as they are unfamiliar with Xibo.

I really appreciate any tips on how to further troubleshoot or possible solutions, I am fairly new to this. Let me know if more information is needed. Since I am a new user I am unable to upload the settings-custom.php, but I have shared it on my Google drive: settings-custom.php

It means that the certificate you’ve got in your settings-common.php file doesn’t match the one that your IdP is using.

You need to export the token signing certificate again in X509 format, and ensure you put it in your settings-custom.php file under idp -> x509cert. It should all be on one line, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, with no spaces or carriage returns.
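Added example, not part of the Xibo project or of this thread: a small Python script that does the check described above, so you can confirm before the next login attempt that what sits under idp -> x509cert in settings-custom.php really is a certificate the IdP currently signs with. It normalizes an exported certificate to the one-line form (no BEGIN/END lines, no spaces or line breaks, valid base64), pulls every signing certificate out of the ADFS federation metadata (published at https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml, which you fetch separately and pass in as a string) and compares SHA-1 thumbprints, the same values the AD FS console shows. The metadata document and the certificate bodies in the script are constructed placeholders, not real X.509 certificates, so it runs offline; the function and variable names are the example's own.

```python
"""Does the certificate configured for Xibo's SAML middleware match one of
the token-signing certificates the IdP publishes? (Added example, not Xibo code.)
Assumes the ADFS federation metadata XML has already been fetched and is passed
in as a string; sample data below is constructed, not real certificates."""
import base64
import binascii
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PEM_MARKER_RE = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def normalize_x509(value):
    """Reduce a certificate as exported from Windows (Base-64 X.509 with
    BEGIN/END lines and CRLF breaks) to the single-line base64 string that
    idp -> x509cert expects; reject anything that is not valid base64."""
    body = PEM_MARKER_RE.sub("", value)
    body = "".join(body.split())  # strip spaces, tabs, CR and LF
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("x509cert is not valid base64: %s" % exc) from exc
    return body


def fingerprint(b64_cert, algo="sha1"):
    """Colon-separated digest of the DER bytes. SHA-1 is what the AD FS
    management console shows as the certificate 'Thumbprint'."""
    digest = hashlib.new(algo, base64.b64decode(b64_cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs_from_metadata(metadata_xml):
    """All signing certificates in the IdP metadata, normalized. ADFS lists
    both primary and secondary token-signing certificates during a rollover,
    which is how two candidates end up in play."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' = signing + encryption
            continue
        node = kd.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            certs.append(normalize_x509(node.text))
    return certs


def check_configured_cert(configured, metadata_xml):
    """Compare thumbprints. match == False is the configuration state behind
    'Signature validation failed. SAML Response rejected' in the Xibo log."""
    configured_fp = fingerprint(normalize_x509(configured))
    idp_fps = [fingerprint(c) for c in signing_certs_from_metadata(metadata_xml)]
    return {"configured": configured_fp, "idp_signing": idp_fps,
            "match": configured_fp in idp_fps}


# --- constructed sample data: placeholders, not real certificates ---
PRIMARY_B64 = base64.b64encode(b"constructed placeholder: ADFS primary token-signing cert").decode()
SECONDARY_B64 = base64.b64encode(b"constructed placeholder: ADFS secondary token-signing cert").decode()
ENCRYPTION_B64 = base64.b64encode(b"constructed placeholder: ADFS token-encryption cert").decode()
STALE_B64 = base64.b64encode(b"constructed placeholder: cert ADFS no longer publishes").decode()

# What an admin pastes after exporting the cert as Base-64 encoded X.509 (.CER) on Windows
EXPORTED_PRIMARY_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
                        + "\r\n".join(textwrap.wrap(PRIMARY_B64, 64))
                        + "\r\n-----END CERTIFICATE-----\r\n")

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>""" % (PRIMARY_B64, SECONDARY_B64, ENCRYPTION_B64)

if __name__ == "__main__":
    for label, configured in (("exported primary", EXPORTED_PRIMARY_PEM), ("stale", STALE_B64)):
        result = check_configured_cert(configured, SAMPLE_METADATA)
        print(label, "->", "OK" if result["match"] else "MISMATCH", result["configured"])
```

If the script reports MISMATCH, re-export the token-signing certificate from ADFS and paste the normalized string into idp -> x509cert; if it lists more than one signing thumbprint, the IdP is mid-rollover and you need the one ADFS is actually signing with.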

It turns out that our ADFS-server had two certificates for token signing, and I had been using the wrong one. As soon as I updated to the correct certificate the log in worked like a charm.

Thank you for your quick help! :smiley:

