
keycloak metadata not recognised by Lightsaml #5

@quenenni

Description


Going on with my configuration (#4), I wanted to find a way to use your test.sh script.

I discovered that the Idp_metadata.xml file from my keycloak was considered malformed by LightSaml.
From Keycloak, the first 3 lines (lines 2 & 3 are the problem) are:

<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <EntityDescriptor entityID="https://my.keycloak/auth/realms/test_saml">

The error was in the file "vendor/lightsaml/lightsaml/src/LightSaml/Model/Metadata/EntityDescriptor.php" at line 66:

$ed->deserialize($context->getDocument(), $context);

with the msg:

Expected 'EntityDescriptor' xml node and 'urn:oasis:names:tc:SAML:2.0:metadata' namespace but got node 'EntitiesDescriptor' and namespace 'urn:oasis:names:tc:SAML:2.0:metadata'

I manually modified my idp_metadata.xml file to merge the first 3 lines into 2 lines like this:

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor Name="urn:keycloak" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" entityID="https://my.keycloak/auth/realms/test_saml">

And now it's working.

It seems Keycloak accepts several EntityDescriptor elements under the parent node EntitiesDescriptor, but LightSaml only accepts 1 entity.
Is the problem in the metadata from Keycloak or from the LightSaml library?

Thanks
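Added example (not code from this issue, from pam-script-saml or from LightSaml): a helper that unwraps Keycloak's EntitiesDescriptor into the single EntityDescriptor that LightSaml's deserializer expects, instead of editing the metadata file by hand. The function name unwrapEntityDescriptor and the variable $idpMetadataPath are assumptions.

```php
<?php
// Added example, not part of pam-script-saml or LightSaml. Normalizes Keycloak
// realm metadata (root EntitiesDescriptor) into the single EntityDescriptor
// document that LightSaml's EntityDescriptor::deserialize() accepts.

const SAML_MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

/**
 * Return metadata XML whose root element is one <EntityDescriptor>.
 * Input already rooted at EntityDescriptor is returned unchanged. Input rooted
 * at EntitiesDescriptor is reduced to the child matching $entityId, or to its
 * only child when $entityId is null; anything else is rejected.
 */
function unwrapEntityDescriptor(string $xml, ?string $entityId = null): string
{
    $doc = new DOMDocument();
    // LIBXML_NONET: no network fetches while parsing metadata we did not author.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('IdP metadata is not well-formed XML');
    }
    $root = $doc->documentElement;
    if ($root->namespaceURI !== SAML_MD_NS) {
        throw new RuntimeException("unexpected namespace '{$root->namespaceURI}'");
    }
    if ($root->localName === 'EntityDescriptor') {
        return $xml;
    }
    if ($root->localName !== 'EntitiesDescriptor') {
        throw new RuntimeException("unexpected root node '{$root->localName}'");
    }
    // Caveat: a signature placed on EntitiesDescriptor covers the wrapper, not the
    // extracted child. Verify it on the original document before trusting the result.
    $matches = [];
    foreach ($root->childNodes as $child) {
        if ($child instanceof DOMElement && $child->namespaceURI === SAML_MD_NS
            && $child->localName === 'EntityDescriptor'
            && ($entityId === null || $child->getAttribute('entityID') === $entityId)) {
            $matches[] = $child;
        }
    }
    if (count($matches) !== 1) {
        throw new RuntimeException(count($matches) . ' EntityDescriptor nodes matched; pass an entityID');
    }
    // The wrapper's Name attribute is deliberately not copied: the SAML metadata
    // schema defines it on EntitiesDescriptor only, not on EntityDescriptor.
    $out = new DOMDocument('1.0', 'UTF-8');
    $out->appendChild($out->importNode($matches[0], true));
    return $out->saveXML();
}

// In pam-script-saml.php, before LightSaml reads the metadata ($idpMetadataPath assumed):
// $idpXml = unwrapEntityDescriptor(file_get_contents($idpMetadataPath));
```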


Maybe that will interest other people, so this is what I did to make it work.
I had to modify the test.sh script and the pam-script-saml.php file.

  • in test.env:
ITERATIONS=3
IDP_METADATA=/etc/sogo/idp-metadata.xml
TRUSTED_SP=https://my.sogo.host/SOGo/saml2-metadata
  • In test.sh, I had to comment out the exit command that tests the existence of params (line 15):
#  exit 2

And also I had to change the way it puts the idp metadata into the temporary file (line 19):

IDP_METADATA_FILE=$(mktemp)
IDP_METADATA_CONTENT=`cat $IDP_METADATA`
echo "$IDP_METADATA_CONTENT" | tr -d '\r' > "${IDP_METADATA_FILE}"
  • in pam-script-saml.php, I added this after "include 'vendor/autoload.php';"
$_SERVER['PAM_TYPE']='auth';
$_SERVER['PAM_USER']='[email protected]';
$_SERVER['PAM_RHOST']='127.0.0.1';
$_SERVER['PAM_AUTHTOK']="<the saml_response token sent by keycloak / very long (> 9000 chars for me)>";

Concerning the PAM_AUTHTOK param, after having base64_decoded it, the code tries to gzuncompress it, but the response_token I'm using is not compressed after being decoded. So I changed the line

$xml = @gzuncompress($xmlSrc);

to

$xml = $xmlSrc;

I'm not sure I understand the uncompress part as what I put in var PAM_AUTHTOK is the exact value of the saml_response param that is used in the request to Sogo.

And that was it.
