cHash error on redirect

[Jashi]

Hi,
this is possibly more of a question than a bug: I used the default configuration like documented in the readme. This did not work with an IPD that signs requests and I had to go dig around in the code to figure out that I need to enable authnRequestsSigned and generate the certificate with the same algorithm as is set in the IDP.
Now I get redirected back to the login page in TYPO3 but receive the error

The page did not exist or was inaccessible. Reason: Request parameters could not be validated (&cHash empty)

and I am not logged in at TYPO3 (probably because of the error).

Seeing as the called URL is

/login?loginProvider=1648123062&login-provider=md_saml&login_status=login&acs&logintype=login

that seems to make sense to me, so what am I missing to make this work?

Best regards,
Christiane

[cdaecke]

Hm, the return URL looks Ok. This shouldn’t throw the cHash error.

[Jashi]

If it helps, this is my current config and I connected with Windows ADFS and keycloak and got the error with both:

md_saml:
  mdsamlSpBaseUrl: https://xxxx.de:8046
  fe_users:
    active: true
    createIfNotExist: true
    updateIfExist: true
    databaseDefaults:
      pid: 236
      usergroup: 1
    saml:
      sp:
        entityId: '/login?loginProvider=1648123062&mdsamlmetadata'
        assertionConsumerService:
          url: '/login?loginProvider=1648123062&login-provider=md_saml&login_status=login&acs&logintype=login'

  saml:
    debug: true
    idp:
      entityId: 'URL'
      singleSignOnService:
        url: 'URL'

      singleLogoutService:
        url: 'URL'
      x509cert: '%env(SAML_IDP_CERTIFICATE)%'  
    sp:
      x509cert: '%env(SAML_SP_CERTIFICATE)%'
      privateKey: '%env(SAML_SP_PRIVATE_KEY)%'  
    security:
      authnRequestsSigned: true 

And I get one error in my log:

Core: Exception handler (WEB: BE): OneLogin\Saml2\Error, code #8, file /var/www/app/vendor/onelogin/php-saml/src/Saml2/Auth.php, line 256: SAML Response not found, Only supported HTTP_POST Binding- Error: SAML Response not found, Only supported HTTP_POST Binding, in file /var/www/app/vendor/onelogin/php-saml/src/Saml2/Auth.php:256
but I'm not sure when exactly in the whole process this is thrown because an echo/var_export/die in that line is never called.

[cdaecke]

Are you using a custom site set or is the above config added directly in your site config? I am asking, because env vars are currently only working, if the configuration is added in the site config directly.

Your error indicates, that the ADFS server is not correctly posting the response data to the website. Maybe check the log of the ADFS server as well?

[Jashi]

The env vars are working - I see the result in the BE. Is it possible, that the login on ADFS side does not work because it removes the query params? Can I just remove those from my entityId and set it to /login ?

[cdaecke]

No, without the query params in the return url, the login will not work.

Are you still struggling with the cHash? If so, you could try this: #45 (comment)

[Jashi]

No, I'm struggling with the fact, that I was told ADFS cannot read the queryParams I'm sending in the id, so I need to set an ID without query params. If you say that doesn't work, I have no idea how people are using this extension with ADFS then.

[cdaecke]

I am not sure, what you mean with "ADFS cannot read the queryParams". I am using an ADFS without problems. Did you follow the instructions for configuring the ADFS server here?

Here is a screenshot of my ADFS configuration:

[Jashi]

I can't configure the ADFS - our customer does that. I can send them the instructions again, but they told me the queryParams don't work and have to go.
I guess we can close this then as it seems to be a problem with ADFS configuration?

[cdaecke]

As said, I am using ADFS without any problems.

Did you send them the meta data, which you get when calling /typo3/index.php?loginProvider=1648123062&mdsamlmetadata&loginType=frontend?

[Jashi]

Yes, I did and the authentification did not work. Then they told me that the ADFS is trying to use /login, so the conlusion seems to be that parameters don't work.

You saif I have to use the URL from your example but is there really no way to rewrite it to one without parameters? Where in the extension do you send the request to ADFS?

[Jashi]

OK, status update. I changed the entityId to something random without params and the login works. The login only works for TYPO3 though - not ADFS. And I haven't found the place where the redirect to logout from ADFS is triggered. Could you possibly help me out there? Did I miss something in the documentation or is that not part of the extension?

[cdaecke]

You saif I have to use the URL from your example but is there really no way to rewrite it to one without parameters? Where in the extension do you send the request to ADFS?

The request is sent by the underlaying onelogin/php-saml library.

Sending parameters to ADFS:

md_saml/Classes/Authentication/SamlAuthService.php

Lines 359 to 360 in 5738d20

	$auth = new Auth($this->extSettings['saml']);
	$auth->login();

Reciving parameter from ADFS:

md_saml/Classes/Authentication/SamlAuthService.php

Lines 261 to 263 in 5738d20

	if (isset($_REQUEST['acs'])) {
	$auth = new Auth($this->extSettings['saml']);
	$auth->processResponse();

OK, status update. I changed the entityId to something random without params and the login works. The login only works for TYPO3 though - not ADFS.

That's, correct, if you do not send the correct parameters, the ADFS login will not be triggered.

And I haven't found the place where the redirect to logout from ADFS is triggered.

The logout will be triggered here:

md_saml/Classes/Middleware/SlsSamlMiddleware.php

Lines 52 to 61 in 5738d20

	public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
	{
	if (
	isset($_REQUEST['loginProvider'])
	&& (int)$_REQUEST['loginProvider'] === 1648123062
	&& isset($_REQUEST['sls'])
	) {
	$extSettings = $this->settingsService->getSettings($this->context);
	$auth = new Auth($extSettings['saml'], true);
	$auth->processSLO(cbDeleteSession: fn() => $this->performLogoff($request));