
I am implementing single sign-on using SAML for a web app, with simplesamlphp and Drupal as the service provider/client and WSO2 Identity Server as the identity provider.

When I test using the simplesaml portal, I am able to retrieve the user data properly as seen in the screenshots below.

On integrating it with the Drupal site...

  • The user gets sent to the identity provider login page for authentication.
  • On successful authentication, they are redirected back to the app; however, instead of accessing the app, the user is stuck in an endless loop on a single page.
  • Checking the SAML requests and responses / cookies, I see that the SAML responses are being sent back to the client, as in the screenshots below. I also see multiple requests back and forth between the IdP and the SP.

Sample request and response

https://gist.github.com/KalemaEdgar/adad5304ae98bf98d420b2c108b13307

In the screenshots below, green is the HTTP status code and red shows the item.

Authentication request to the identity provider.

Authentication request and response to/from the identity provider

Authentication response with the data from the identity provider.


Screenshot showing multiple redirects. The page just stays there and the SAMLRequest variable keeps changing.


Screenshot showing the process working fine when I use the simplesaml portal.

The attributes are fetched from the WSO2 identity server


  • What's the version of the Identity Server you are using? – sumedhe Apr 24 '20 at 09:37
  • The identity server is WSO2 Identity Server version 5.10.0 – Kalema Edgar Apr 24 '20 at 09:57
  • It seems WSO2 has responded to your application's ACS URL with the SAML response. But instead of reading the SAML response and authenticating the user, your application seems to send out another SAML request to the Identity Server. Since the follow-up SAML requests are coming with the `commonauthid` cookie (which got created at the first attempt), WSO2 considers this a request from an already authenticated browser and sends a SAML response without asking for credentials. To my eyes, you should check the application for the `303` redirection reason. – Nipun Thathsara Apr 24 '20 at 19:31
  • @NipunThathsara, I have the 303 HTTP status code as seen in the screenshots. I am just wondering how I can stop the redirection from happening. I think it's something around cookie visibility, but I'm not so certain – Kalema Edgar Apr 24 '20 at 21:20
  • I believe this is something related to misconfiguration in simplesamlphp (or Drupal). You can check the configs and logs in simplesamlphp (and Drupal) to get more info. – Maduranga Siriwardena May 09 '20 at 12:36
