We are testing eduVPN and would like to add SAML Auth.
After installing php-saml-sp and adding all metadata (to IdP and SP), everything is working. But if we enable encryption, php-saml-sp shows the following error:
"Error 500 - Internal Server Error Error Message Q: "/samlp:Response/saml:EncryptedAssertion/xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod/ds:DigestMethod/@Algorithm": expected exactly 1 DOMElement, got 0 "
We use PHP 7.4; the openssl module is enabled.
How can we fix this issue?
Which IdP (software) is used? Would it be possible to either provide a "SAML Trace" (https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/) or provide access to a test account? You can either wait until the assertion is no longer valid, or provide it by e.g. mail.
We did not test all IdPs, only a subset of them, so it may be that we missed some...
Hi, thanks for your answer,
we use simpleSAMLphp.
I generated a SAML Trace; is the email address here https://www.tuxed.net/fkooman/about.html the right one?
Thanks for the trace. Whatever the exact error is, for sure it won't work, as the encryption is done using "http://www.w3.org/2001/04/xmlenc#aes128-cbc", which is not supported by php-saml-sp for security reasons (it is very broken). We only support aes-256-gcm, so that would have to be fixed. I am not sure whether simpleSAMLphp now supports aes-256-gcm for EncryptedAssertion, but I saw some work on xmlseclibs regarding aes-256-gcm.
If you want to have the legacy encryption working, I'd recommend using Shibboleth-SP instead of php-saml-sp... See https://github.com/eduvpn/documentation/blob/v2/SAML.md for Shib instructions on Debian and CentOS.
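The algorithm mismatch described in the reply above can be checked directly against a SAML trace before touching the IdP configuration. The following Python is an added example, not code from php-saml-sp or simpleSAMLphp: it parses a samlp:Response, reports the data- and key-encryption algorithms, and flags the two conditions this thread turns on (a data algorithm other than AES-256-GCM, and a missing ds:DigestMethod at the exact path named in the error). The sample Responses are constructed, with placeholder cipher values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Data-encryption algorithms the SP will accept: only AES-256-GCM (an AEAD mode),
# as stated in the thread; the legacy aes128-cbc mode is rejected.
ALLOWED_DATA_ALGS = {"http://www.w3.org/2009/xmlenc11#aes256-gcm"}

def check_encrypted_assertion(response_xml):
    """Return the algorithms found in an EncryptedAssertion and a list of problems."""
    root = ET.fromstring(response_xml)
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc is None:
        return {"encrypted": False, "problems": []}
    problems = []
    method = enc.find("xenc:EncryptionMethod", NS)
    data_alg = method.get("Algorithm") if method is not None else None
    if data_alg not in ALLOWED_DATA_ALGS:
        problems.append("unsupported data encryption algorithm: %s" % data_alg)
    # The path from the error message: exactly one ds:DigestMethod is expected
    # under the key-wrapping EncryptionMethod (the RSA-OAEP digest parameter).
    key_method = enc.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    digests = key_method.findall("ds:DigestMethod", NS) if key_method is not None else []
    if len(digests) != 1:
        problems.append("expected exactly 1 ds:DigestMethod under EncryptedKey, got %d" % len(digests))
    return {"encrypted": True, "data_alg": data_alg,
            "key_alg": key_method.get("Algorithm") if key_method is not None else None,
            "key_digest": digests[0].get("Algorithm") if digests else None,
            "problems": problems}

def sample_response(data_alg, key_digest=""):
    """Constructed minimal Response; the CipherValue is a placeholder, not real ciphertext."""
    digest = '<ds:DigestMethod Algorithm="%s"/>' % key_digest if key_digest else ""
    return """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="%s" xmlns:xenc="%s" xmlns:ds="%s">
  <saml:EncryptedAssertion><xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="%s"/>
    <ds:KeyInfo><xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">%s</xenc:EncryptionMethod>
      <xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>""" % (NS["saml"], NS["xenc"], NS["ds"], data_alg, digest)

LEGACY = sample_response("http://www.w3.org/2001/04/xmlenc#aes128-cbc")
MODERN = sample_response("http://www.w3.org/2009/xmlenc11#aes256-gcm",
                         "http://www.w3.org/2001/04/xmlenc#sha256")
```

Running `check_encrypted_assertion` over a Response copied out of a SAML trace shows at a glance whether the IdP still emits CBC and whether the OAEP digest parameter is present.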
Thanks for the information. We will try to update simpleSAMLphp to the latest release and test again. Thank you for your help.
Just so you know, there still could be a bug in php-saml-sp (or simpleSAMLphp).
At least php-saml-sp does work with Shibboleth IdPs with EncryptedAssertion, but we'll look at that then...