Encryption error 500


we are testing eduVPN and would like to add SAML auth.

After installing php-saml-sp and adding all metadata (to IdP and SP), everything is working. But if we enable encryption, php-saml-sp shows the following error:

"Error 500 - Internal Server Error Error Message Q: "/samlp:Response/saml:EncryptedAssertion/xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod/ds:DigestMethod/@Algorithm": expected exactly 1 DOMElement, got 0 "

We use PHP 7.4; the openssl module is enabled.

How can we fix this issue?

Many Thanks

6 months ago
~fkooman 6 months ago

Which IdP (software) is used? Would it be possible to either provide a "SAML Trace" (https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/) or provide access to a test account? You can either wait until the assertion is no longer valid, or provide it by e.g. mail.

We did not test all IdPs, only a subset of them, so it may be we missed some...

~mittring 6 months ago

Hi thanks for your answer,

we use simplesaml

I generated a SAML Trace, is the mail-address here https://www.tuxed.net/fkooman/about.html the right one?

~fkooman 6 months ago


~mittring 6 months ago

I sent a mail with the SAML Trace

~fkooman 6 months ago

Thanks for the trace. Whatever the exact error is, for sure it won't work as the encryption is done using "http://www.w3.org/2001/04/xmlenc#aes128-cbc", which is not supported by php-saml-sp for security reasons (it is very broken). We only support aes-256-gcm, so that would have to be fixed. I am not sure whether simpleSAMLphp now supports aes-256-gcm for EncryptedAssertion, but I saw some work on xmlseclib regarding aes-256-gcm.

If you want to have the legacy encryption working I'd recommend using Shibboleth-SP instead of php-saml-sp... See https://github.com/eduvpn/documentation/blob/v2/SAML.md for Shib instructions on Debian and CentOS.
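
A way to see at a glance which algorithms an IdP put into an EncryptedAssertion, as an added example that is not part of this thread, of php-saml-sp or of simpleSAMLphp: it walks the same element path quoted in the Error 500 above and reports the data-encryption algorithm, the key-transport algorithm and whether the DigestMethod the error complains about is present, flagging AES-128-CBC (the algorithm identified in the trace) as unsupported. The accepted-algorithm set (only AES-256-GCM, as stated in this thread) and the two sample responses are constructed assumptions; the algorithm URIs are the standard XML Encryption / XML Signature identifiers.

```python
"""Inspect the encryption algorithms announced in a SAML EncryptedAssertion.

Added example, not code from php-saml-sp or simpleSAMLphp. It follows the
element path from the reported error so an operator can see why an SP that
only accepts AES-256-GCM rejects the response before digging into decryption.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Standard algorithm identifiers (XML Encryption 1.0/1.1, XML Signature).
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
RSA_OAEP_MGF1P = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Assumption taken from the thread: the SP accepts only AES-256-GCM for the data.
ACCEPTED_DATA_ALGORITHMS = {AES256_GCM}


def _algorithm(parent, tag):
    """Return the Algorithm attribute of a child element, or None if absent."""
    el = parent.find(tag, NS) if parent is not None else None
    return None if el is None else el.get("Algorithm")


def inspect_encrypted_assertion(response_xml):
    """Report how the EncryptedAssertion in a samlp:Response was encrypted.

    Only the inline path Response/EncryptedAssertion/EncryptedData/KeyInfo/
    EncryptedKey named in the error is followed; an EncryptedKey placed as a
    sibling of EncryptedData (RetrievalMethod style) is not handled here.
    """
    root = ET.fromstring(response_xml)
    report = {"data_algorithm": None, "key_algorithm": None,
              "key_digest": None, "problems": [], "supported": False}

    enc_data = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc_data is None:
        report["problems"].append("no EncryptedAssertion/EncryptedData in Response")
        return report

    report["data_algorithm"] = _algorithm(enc_data, "xenc:EncryptionMethod")
    enc_key = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    key_method = None if enc_key is None else enc_key.find("xenc:EncryptionMethod", NS)
    report["key_algorithm"] = None if key_method is None else key_method.get("Algorithm")
    report["key_digest"] = _algorithm(key_method, "ds:DigestMethod")

    if report["data_algorithm"] not in ACCEPTED_DATA_ALGORITHMS:
        report["problems"].append(
            f"data encrypted with {report['data_algorithm']}; only AES-256-GCM is accepted")
    if key_method is None:
        report["problems"].append("EncryptedKey/EncryptionMethod missing")
    elif report["key_digest"] is None:
        report["problems"].append(
            "EncryptedKey/EncryptionMethod/DigestMethod: expected exactly 1, got 0")
    report["supported"] = not report["problems"]
    return report


_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
         '<saml:EncryptedAssertion><xenc:EncryptedData>')
_TAIL = ('<xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue>'
         '</xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>')

# Constructed sample 1: mirrors the report (AES-128-CBC, no DigestMethod).
LEGACY_RESPONSE = _HEAD + (
    f'<xenc:EncryptionMethod Algorithm="{AES128_CBC}"/>'
    f'<ds:KeyInfo><xenc:EncryptedKey>'
    f'<xenc:EncryptionMethod Algorithm="{RSA_OAEP_MGF1P}"/>'
    f'</xenc:EncryptedKey></ds:KeyInfo>') + _TAIL

# Constructed sample 2: what the SP expects (AES-256-GCM, OAEP with SHA-256 digest).
MODERN_RESPONSE = _HEAD + (
    f'<xenc:EncryptionMethod Algorithm="{AES256_GCM}"/>'
    f'<ds:KeyInfo><xenc:EncryptedKey>'
    f'<xenc:EncryptionMethod Algorithm="{RSA_OAEP_MGF1P}">'
    f'<ds:DigestMethod Algorithm="{SHA256}"/></xenc:EncryptionMethod>'
    f'</xenc:EncryptedKey></ds:KeyInfo>') + _TAIL

if __name__ == "__main__":
    for name, xml in (("legacy", LEGACY_RESPONSE), ("modern", MODERN_RESPONSE)):
        print(name, inspect_encrypted_assertion(xml))
```

Run it against a response pasted from a SAML tracer (the XML inside the base64-decoded `SAMLResponse` parameter) to confirm which side needs changing before touching either configuration.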

~mittring 6 months ago

Thanks for the information, we will try to update simpleSAMLphp to the latest release and test again. Thank you for your help.

~fkooman 6 months ago

Just so you know, there still could be a bug in php-saml-sp (or simpleSAMLphp).

At least php-saml-sp does work with Shibboleth IdPs with EncryptedAssertion, but we'll look at that then...

