SAML to CMS behind NGINX unknown route error

Hi,
Am trying to do a new Xibo 2.0.1 setup with Docker and NGINX to reverse proxy HTTPS.
As a test, I’ve setup Xibo on Docker locally on my workstation before I actually deploy this on a proper docker server.

When using a normal logon, this works quite fine. However when I enable SAML, it redirects me to my SAML provider, authenticates just fine, after which it returns back to CMS with the error “unknown route”

In the documentation (https://github.com/onelogin/php-saml#working-behind-load-balancer) it states “You should be able to workaround this by configuring your server so that it is aware of the proxy and returns the original url when requested.”

Could this be the cause of the problem ? If so how can I make CMS aware of its Proxy URL ?

Regards,
Rene

I have the same issue with CMS 2.0.2
created new file named settings-custom.php inside custom folder.

Blockquote <?php
$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = array (
‘workflow’ => array(
‘jit’ => true,
‘field_to_identify’ => ‘UserName’, // Alternatives: UserID, UserName, email
‘libraryQuota’ => 1000,
‘group’ => ‘Users’,
‘homePage’ => ‘dashboard’,
‘slo’ => true,
‘mapping’ => array (
‘UserID’ => ‘’,
‘usertypeid’ => ‘’,
‘UserName’ => ‘username’,
‘email’ => ‘email’,
‘ref1’ => ‘’,
‘ref2’ => ‘’,
‘ref3’ => ‘’,
‘ref4’ => ‘’,
‘ref5’ => ‘’
)
),
// Configure the IdP and SP
‘strict’ => false,
‘debug’ => true,
‘idp’ => array (
‘entityId’ => ‘IDP METADATA’,
‘singleSignOnService’ => array (
‘url’ => ‘IDP LOGIN’,
),
‘singleLogoutService’ => array (
‘url’ => ‘IDP LOGOUT’,
),
‘x509cert’ => ‘CERT’,
),
‘sp’ => array (
‘entityId’ => ‘SP METADATA’,
‘assertionConsumerService’ => array (
‘url’ => ‘SP LOGIN’,
),
‘singleLogoutService’ => array (
‘url’ => ‘SP LOGOUT’,
),
‘NameIDFormat’ => ‘urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress’,
‘x509cert’ => ‘’,
‘privateKey’ > ‘’,
),
‘security’ => array (
‘nameIdEncrypted’ => false,
‘authnRequestsSigned’ => false,
‘logoutRequestSigned’ => false,
‘logoutResponseSigned’ => false,
‘signMetadata’ => false,
‘wantMessagesSigned’ => false,
‘wantAssertionsSigned’ => false,
‘wantAssertionsEncrypted’ => false,
‘wantNameIdEncrypted’ => false,
)
);

I’ve got the same setup, also used the settings-custom.php file. But no luck, and cannot find any way to troubleshoot this either.

@alex is there anything I can look at to troubleshoot the issue ? Since login fails once SAML is enabled I can’t even get to the logs. Am happy to do some digging in the docker containers, but would require a few hints where to look.

Regards,
Rene

You can disable SAML to regain access to the CMS and inspect the logs.

SAML only works over https connections. I’m unsure it works on custom ports as in the post above. I’ve only ever tested it over port 443.

There is no visible error or warning on cms and server side. Everything works normal, user authenticates but can’t redirect to dashboard page.Stops on Unknown Route screen.

I solved it by changing the homePage attribute from “dashboard” to “statusdashboard” but it’s not a real solution.

I think this issue happens because of page id or page name which defined on pagefactory.php and maybe dashboard name or id changed on V2.

Allow the page for the user from user page security settings and then change the saml settings homepage attribute to any page which you redirect user to. Must be different than “dashboard”

I think its a bug and can be good if solved in next release

1 Like

What I can see using SAML tracer is that after doing a successful POST to /saml/acs, it goes to /library/fontcss where it get’s a 302 redirect back to the SAML server.
My feeling is that the problem is in the relaystate parameter that as you can see is giving out the HTTP link to the CMS docker container URL and not to the Nginx HTTPS URL that is fronting that.
After trying a redirect on /library/fontcss 2 times, it will start loading the clock URL after which it finally fails on /saml/acs with a “404 not found” error.

Managed to get to the logs by logging in normally in one browser and then moving settings-custom.php back into the cms/custom folder after which I tried to login in another browser using SAML
The exact error message in the log is:

@alex is this giving anymore info on the source of the problem ? Also see the reference getByName('dashboard") in the error that @bturcan referred to

/saml/acs Unknown Route#0 /var/www/cms/lib/Middleware/SAMLAuthentication.php(229): Xibo\Factory\PageFactory->getByName(‘dashboard’) #1 [internal function]: Xibo\Middleware\SAMLAuthentication->Xibo\Middleware{closure}() #2 /var/www/cms/vendor/slim/slim/Slim/Route.php(468): call_user_func_array(Object(Closure), Array) #3 /var/www/cms/vendor/slim/slim/Slim/Slim.php(1355): Slim\Route->dispatch() #4 /var/www/cms/vendor/slim/slim/Slim/Middleware/Flash.php(85): Slim\Slim->call() #5 /var/www/cms/vendor/slim/slim/Slim/Middleware/MethodOverride.php(92): Slim\Middleware\Flash->call() #6 /var/www/cms/lib/Middleware/Actions.php(150): Slim\Middleware\MethodOverride->call() #7 /var/www/cms/lib/Middleware/Theme.php(36): Xibo\Middleware\Actions->call() #8 /var/www/cms/lib/Middleware/SAMLAuthentication.php(414): Xibo\Middleware\Theme->call() #9 /var/www/cms/lib/Middleware/CsrfGuard.php(63): Xibo\Middleware\SAMLAuthentication->call() #10 /var/www/cms/lib/Middleware/State.php(119): Xibo\Middleware\CsrfGuard->call() #11 /var/www/cms/lib/Middleware/Storage.php(47): Xibo\Middleware\State->call() #12 /var/www/cms/lib/Middleware/Xmr.php(37): Xibo\Middleware\Storage->call() #13 /var/www/cms/vendor/slim/slim/Slim/Slim.php(1300): Xibo\Middleware\Xmr->call() #14 /var/www/cms/web/index.php(127): Slim\Slim->run() #15 {main}

In your SAML config, ‘dashboard’ isn’t valid anymore. You’ll need that to be either

statusdashboard
icondashboard
mediamanager
1 Like

Cool, that worked like a charm !

Changed it to icondashboard and bang ! @alex thanks you for your support ! and @bturcan for pointing this topic in the right direction !

Thanks,
Rene

image