Improve error reporting in dev mode #13

Open
handnot2 opened this issue Feb 24, 2018 · 13 comments

Comments

@handnot2
Owner

No description provided.

@daxhuiberts

I'm trying to get OneLogin SAML authentication to work with the samly howto app. I got the flow from SP -> idP -> SP working and see a SAML AuthN Request and a SAML Response data in SAML tracer, but the consume endpoint responds with a 403 error without any more details.

What is the best way to debug this further in its current state?

@dereksweet

I am having the same issue. 403 from consume endpoint, no information as to why.

@handnot2
Owner Author

handnot2 commented Mar 1, 2019

What is the error/reason you see in the browser window? You will find something like: "access_denied ".

{:error, reason} -> conn |> send_resp(403, "access_denied #{inspect(reason)}")

Check to make sure that the base_url and entity_id are set up correctly in the identity_providers config setting. If base_url is not set up correctly you might see bad_recipient. Check entity_id if you get bad_audience.

@dereksweet

dereksweet commented Mar 1, 2019

I did get it working eventually. I did go through bad_assertion and bad_recipient errors but eventually got it all figured out. The only way I was able to get there, though, was by editing my local copy of the samly code and recompiling it and spitting out error messages to the logs. It would be great if there was a debug mode that could be turned on that would output some extra lines to the log when things fail. But it's working great now! Thanks for the awesome tool. Appreciate it

@handnot2
Owner Author

Adding the following as a reference:

Common Errors

access_denied {:error, :bad_recipient} - Check the base_url in your Samly
config setting under identity_providers.

access_denied {:error, :bad_audience} - Make sure that the entity_id in
the Samly config setting is correct.

access_denied {:envelope, {:error, :cert_no_accepted}} - Make sure the
Identity Provider metadata XML file you are using in the Samly config setting
is correct and corresponds to the IdP you are attempting to talk to. You get
this error if the certificate used by the IdP to sign the SAML responses
has changed and you don't have the updated IdP metadata XML file on the Samly end.
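
The recipient and audience mismatches listed above can be checked offline against a SAMLResponse captured with a tool such as SAML tracer. The following is an added example, not part of the thread and not Samly code; the function name `diagnose`, the sample XML, the consume URL and the entity ID are all constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a SAMLResponse as an IdP might POST it (signature omitted).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://example.com/sso/sp/consume/idp1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:example:sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def diagnose(saml_response_b64, expected_acs_url, expected_entity_id):
    """Compare a captured SAMLResponse with the values the SP expects.

    Returns (error_name, detail) tuples. This only diffs configuration
    values; it does not verify signatures or replace the library's checks.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    audiences = [(e.text or "").strip()
                 for e in root.iterfind(".//saml:Audience", NS)]
    findings = []
    if expected_acs_url not in recipients:
        findings.append(("bad_recipient",
                         f"IdP sent {recipients}, SP expects {expected_acs_url}"))
    if expected_entity_id not in audiences:
        findings.append(("bad_audience",
                         f"IdP sent {audiences}, SP expects {expected_entity_id}"))
    return findings


if __name__ == "__main__":
    # Hypothetical mismatch: the SP expects http:// while the IdP sends https://.
    for name, detail in diagnose(
            SAMPLE_B64, "http://example.com/sso/sp/consume/idp1", "urn:example:sp"):
        print(name, "-", detail)
```

An empty result means the recipient and audience values line up, which leaves the signing certificate in the IdP metadata as the next thing to check.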

@cmatheson

i'm getting the :bad_recipient error, but i don't have a base_url configured for samly (i'm letting it derive the base_url). Is there any way to get more details about what is going wrong?

@cmatheson

it seems that the functionality that derives base_url is broken (or the documentation is wrong). Explicitly setting base_url to https://example.com/sso fixed it for me.

@daya

daya commented Jan 9, 2020

Any solution to this problem of access_denied :bad_assertion from consume endpoint? It's very frustrating to not have any debug info.

BTW, RelayState is being passed and matches on both sides, so what gives?

@daya

daya commented Jan 9, 2020

@dereksweet what did u do to get it working ?

@dereksweet

dereksweet commented Jan 9, 2020

> @dereksweet what did u do to get it working ?

@daya It's been a while and we have long since abandoned our SAML integration and used a third party solution instead. However, if I remember correctly it was just a configuration issue that once I forked the code and put in my own debugging messages through the Samly code I was able to quickly decipher which config setting was not correct.

@daya

daya commented Jan 9, 2020

> Any solution to this problem of access_denied :bad_assertion from consume endpoint? It's very frustrating to not have any debug info.
>
> BTW, RelayState is being passed and matches on both sides, so what gives?

@handnot2 any insights into this? for an elixir n00b what kind of debugging tools should I use to figure out why access_denied :bad_assertion is returned.

@sheharyarn

sheharyarn commented Mar 28, 2020

Bump, anyone else find how to debug this? Also getting the same access_denied :bad_recipient error.

@manzanit0

Referencing an example of working configuration for OneLogin as an identity provider, in case somebody finds it useful: #52 (comment)
