I'm afraid patch in issue #2819 seems to lead to an unparseable saml xml. See the following error I get from SAMLtracer in Firefox:
```
\AssertionConsumerServiceURL=\"https://test.xxx.nl/index.php?action=Login&module=Users">
------------------------------------------------------------^
```
When properly aligned, the arrow points at the question mark after 'index.php'.
I suspect replacing the first " with '\"' is the culprit, as without proper starting and closing quotes the content is seen as part of the xml and is then parsed (which probably doesn't work with characters like & and ?). Now only the closing quote is available.
I can see these quotes are in place with the old version of php-saml in SuiteCRM <= 7.8.1, like:
AssertionConsumerServiceURL="https://prod.xxx.nl/index.php?module=Users&action=Authenticate"
SAML-login should work and produce valid xml.
I get an "Error: Unhandled exception"-error from my SAML software (SimpleSAMLPHP).
The httpd-log shows the following:
Access-log: GET /index.php?action=Login&module=Users HTTP/1.1" 302 4376 "-" "-"
Error-log: PHP Warning: session_destroy(): Trying to destroy uninitialized session in /var/www/suite/test.xxx.nl/include/MVC/SugarApplication.php on line 164
Logging in with SAML2Authenticate is impossible, so this means using 7.8.1 or no SSO (LDAPAuthenticate).
I can see another similar report in #3266
Also see the issue I've opened with php-saml: #201
Hi @ebogaard We need to try and replicate this as our testing did pass hence why the patch was pulled in.
You are using SimpleSAMLPHP in your environment?
Any additional details you could provide?
@samus-aran If you could configure SuiteCRM 7.8.2 SAML2Authenticate with a proper SAML_X509Cert and SAML_loginurl, and try to login through GSuite (Google Apps / Google At Work)? This is the failing case for the user in issue #3266, possibly also GSuite for @ebogaard.
I'm using SimpleSAMLPHP v1.14.11 on Centos 7 + httpd 2.4 + php 5.6
SuiteCRM is on Centos 7 + httpd 2.4 + php 5.6.
But I don't think it's about the SAML IDP/SP-software, as the xml that has the improperly quoted URL (which results in an unparseable xml) comes from SuiteCRM.
I am also getting the same problem with version 7.8.3. (using Keycloak as IDP)
The problem is with both of the "&" characters. If I intercept the SAMLRequest, and change them to `&amp;` then it works as expected
According to SAML V2.0 specification, the AssertionConsumerServiceURL attribute has XSD type anyURI.
The type anyURI refers to URI definition in IETF RFC 2732 (now superseded by RFC 3986) and the URL must be encoded accordingly.
The easy solution to this bug is to remove the parameters from the return URL if possible. If not possible, intercept the return URL, decode the parameters, and continue on to that URL.
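As an added illustration of the two comments above (this is not SuiteCRM's or php-saml's code), the snippet below builds the AuthnRequest opening tag three ways: with the raw `&` left in the attribute, with the backslash-quoted form seen in the SAMLtracer output, and with proper XML attribute escaping, and lets libxml decide which one is well-formed. The URL and the ID/IssueInstant values are constructed sample values taken from this report.

```php
<?php
// Added example, not project code. Builds a minimal AuthnRequest element with
// the AssertionConsumerServiceURL attribute written in three different ways.

function buildAuthnRequest(string $acsUrl, string $mode): string
{
    switch ($mode) {
        case 'backslash': // what the SAMLtracer output in the report shows: =\"...\"
            $attr = 'AssertionConsumerServiceURL=\"' . $acsUrl . '\"';
            break;
        case 'xml':       // XML attribute escaping: "&" becomes "&amp;", quotes are escaped
            $attr = 'AssertionConsumerServiceURL="'
                . htmlspecialchars($acsUrl, ENT_QUOTES | ENT_XML1, 'UTF-8') . '"';
            break;
        default:          // raw: the "&" of the query string is left as-is
            $attr = 'AssertionConsumerServiceURL="' . $acsUrl . '"';
    }
    // ID and IssueInstant are constructed placeholders, not real request values.
    return '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        . ' ID="_constructed" Version="2.0" IssueInstant="2017-01-01T00:00:00Z" '
        . $attr . '/>';
}

// Returns true when libxml accepts the document as well-formed XML.
function isWellFormedXml(string $xml): bool
{
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $ok !== false;
}

// Constructed sample: the return URL quoted in the report above.
$acs = 'https://test.xxx.nl/index.php?action=Login&module=Users';

foreach (['raw', 'backslash', 'xml'] as $mode) {
    $xml = buildAuthnRequest($acs, $mode);
    printf("%-10s %s\n", $mode . ':', isWellFormedXml($xml) ? 'parses' : 'NOT well-formed');
}

// Round trip: the escaped form parses and yields the original URL back unchanged,
// so the IdP sees exactly the URL SuiteCRM intended.
$doc = new DOMDocument();
$doc->loadXML(buildAuthnRequest($acs, 'xml'));
$parsed = $doc->documentElement->getAttribute('AssertionConsumerServiceURL');
echo ($parsed === $acs) ? "round trip OK\n" : "round trip FAILED\n";
```

Only the `xml` variant parses; the raw `&module=` fails because libxml reads `&module` as an unterminated entity reference, and the backslash variant fails because the attribute value is no longer delimited by plain quotes.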
This seems to be fixed by: https://github.com/onelogin/php-saml/pull/218
Tested it and works for me.
It seems the newest version of php-saml has this fix incorporated: https://github.com/onelogin/php-saml/tree/v2.10.7
@salesagility integrating the new version should be a quick fix for this issue.
This issue has been solved a long time ago. Closing it.