
Guidance on certificate


I’ve been successful at running the samples and I’m trying to set up my own identity provider in node.js/express/express-saml2, and I’m testing it against a locally run instance of GitLab Community. Trying naively, it almost works: from GitLab I can go to my identity provider, log in and post the response. But then GitLab replies with:

Could not authenticate you from SAML because "Found an unexpected number of signature element. saml response rejected".

So most likely I’m doing something wrong but not sure what.

One thing that I could not find is a clear explanation of all the certificates and keys. It does not say what they are, how to generate them properly, or whether they are required. It would be nice to have a little bit of guidance here.

For example, is the X509Certificate in the metadata_idp1.xml file related to the key we can find in key/idp?

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 15 (9 by maintainers)

Top GitHub Comments

1 reaction
tngan commented, May 9, 2017

@manu-silicon Thank you so much for your valuable feedback.

The signing/encryption key can be generated using the following commands.

# -aes256 added: without a cipher flag, genrsa ignores -passout and writes the key unencrypted
$ openssl genrsa -aes256 -passout pass:foobar -out encryptKey.pem 4096
# -passin added so req can unlock the encrypted key; the certificate subject is prompted for interactively
$ openssl req -new -x509 -key encryptKey.pem -passin pass:foobar -out encryptionCert.cer -days 3650

If you are using a 3rd party identity provider like OneLogin or Okta, you are allowed to download the IdP metadata instead of creating it manually. In this module, a helper function allows you to export the metadata after you have constructed the entity (see here).

For the above error, Could not authenticate you from SAML because "Found an unexpected number of signature element. saml response rejected"., it really depends on how GitLab (SP) handles the response sent from express-saml2’s IdP. It would be good if you could provide the SAML response as well.

I thought GitLab is using omniauth-saml (https://about.gitlab.com/2016/03/30/feature-highlight-saml/), and this one relies on ruby-saml maintained by OneLogin, so the error could be thrown from the following lines of code.

https://github.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/response.rb#L548-L550

I think the signature element might not be constructed to fit GitLab’s context. Are you using the default SAML response or a customized template in express-saml2?
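To make the key/certificate relationship concrete (the question about metadata_idp1.xml versus key/idp, and what the two openssl commands above produce), here is an added Ruby example; it is not code from express-saml2 or from the comment above. It generates the same kind of self-signed signing certificate in-process with Ruby's OpenSSL bindings, checks whether a certificate belongs to a given private key, and extracts the exact base64 DER string that goes inside the metadata's X509Certificate element. The CN idp.example.test, the passphrase and all function names are my own choices.

```ruby
require 'openssl'

# Build an IdP signing key and a self-signed certificate in one process (the
# in-Ruby equivalent of the two openssl commands in the comment above). 2048
# bits keeps the example fast; the command above uses 4096.
def generate_idp_credentials(cn: 'idp.example.test', days: 3650, bits: 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                   # X.509 v3
  cert.serial     = OpenSSL::BN.rand(64)                # random serial, like openssl req -x509
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject                        # self-signed
  cert.public_key = key.public_key                      # the cert carries the PUBLIC half only
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Is this certificate the public half of this private key? This is the
# metadata_idp1.xml vs key/idp question: the X509Certificate published in the
# IdP metadata must match the key the IdP actually signs responses with, or
# every SP will reject the signature.
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

# Exactly what belongs inside <ds:X509Certificate> in the metadata: the DER
# certificate, base64-encoded, with no PEM header/footer and no line breaks.
# Pasting the whole .cer file including the BEGIN/END lines is a common mistake.
def metadata_x509_value(cert)
  [cert.to_der].pack('m0')
end

# Write the private key encrypted under a passphrase, which is what
# "-passout pass:foobar" in the genrsa command is meant to do.
def export_encrypted_key(key, passphrase)
  key.export(OpenSSL::Cipher.new('aes-256-cbc'), passphrase)
end

if __FILE__ == $PROGRAM_NAME
  key, cert = generate_idp_credentials
  other_key, _unused = generate_idp_credentials
  puts "cert matches its own key:     #{cert_matches_key?(cert, key)}"
  puts "cert matches a different key: #{cert_matches_key?(cert, other_key)}"
  puts "<ds:X509Certificate>#{metadata_x509_value(cert)[0, 48]}...</ds:X509Certificate>"
  puts export_encrypted_key(key, 'foobar').lines.first
end
```

To check an existing pair from the command line instead, compare `openssl x509 -in encryptionCert.cer -noout -pubkey` with `openssl pkey -in encryptKey.pem -pubout`; the two PEM public keys must be byte-identical, which is what `check_private_key` verifies above.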

0 reactions
tngan commented, May 13, 2017

@manu-silicon I have made some progress on it, hopefully it can be resolved soon. You can check it out here.
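The error quoted in the thread is about where the Signature element sits, not about the key. As an added diagnostic (my code, not ruby-saml's or express-saml2's, and a simplification of what an SP checks rather than a copy of the linked lines), here is a Ruby script that lists every ds:Signature in a SAML Response, checks that each one is enveloped inside the element its Reference URI names, as SAML 2.0 requires, and counts how many such signatures an SP would bind to the Response (or, failing that, to the Assertion). The three sample responses are constructed skeletons with a trimmed SignedInfo, and the function names are mine.

```ruby
require 'rexml/document'

DSIG_NS = { 'ds' => 'http://www.w3.org/2000/09/xmldsig#' }.freeze

# One entry per ds:Signature in the document: the element that encloses it and
# the ID its Reference URI names (URI="#_x" -> "_x").
def describe_signatures(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//ds:Signature', DSIG_NS).map do |sig|
    ref = REXML::XPath.first(sig, './ds:SignedInfo/ds:Reference', DSIG_NS)
    {
      parent:    sig.parent.name,                 # "Response" or "Assertion"
      parent_id: sig.parent.attributes['ID'],
      reference: ref && ref.attributes['URI'].to_s.delete_prefix('#'),
    }
  end
end

# SAML 2.0 uses enveloped XML signatures: a ds:Signature must be a child of the
# element whose ID its Reference names, and an SP selects exactly one such
# signature (on the Response, otherwise on the Assertion). Returns [] when the
# response satisfies that, one message per violation otherwise.
def signature_problems(xml)
  sigs = describe_signatures(xml)
  bound, unbound = sigs.partition { |s| s[:parent_id] && s[:parent_id] == s[:reference] }
  problems = unbound.map do |s|
    "Signature under <#{s[:parent]} ID=#{s[:parent_id].inspect}> references #{s[:reference].inspect}"
  end
  on_response = bound.select { |s| s[:parent] == 'Response' }
  chosen = on_response.empty? ? bound.select { |s| s[:parent] == 'Assertion' } : on_response
  problems << "expected exactly one bound Signature, found #{chosen.size}" unless chosen.size == 1
  problems
end

# Constructed skeleton of a SAML Response (not a real capture): SignedInfo is
# cut down to the Reference, which is all the placement check needs.
def sample_response(response_sigs: [], assertion_sigs: [])
  sig = ->(uri) { "<ds:Signature><ds:SignedInfo><ds:Reference URI=\"#{uri}\"/></ds:SignedInfo>" \
                  '<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>' }
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        ID="_resp1" Version="2.0" IssueInstant="2017-05-09T00:00:00Z">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      #{response_sigs.map(&sig).join}
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2017-05-09T00:00:00Z">
        <saml:Issuer>https://idp.example.test</saml:Issuer>
        #{assertion_sigs.map(&sig).join}
        <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  XML
end

GOOD      = sample_response(response_sigs: ['#_resp1'])              # one signature, on the element it signs
DOUBLE    = sample_response(response_sigs: ['#_resp1', '#_resp1'])   # template already had one, library added another
MISPLACED = sample_response(assertion_sigs: ['#_resp1'])             # signs the Response but lives in the Assertion

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD, 'double' => DOUBLE, 'misplaced' => MISPLACED }.each do |label, xml|
    problems = signature_problems(xml)
    puts "#{label}: #{problems.empty? ? 'OK' : problems.join('; ')}"
  end
end
```

To test a real response, base64-decode the SAMLResponse form field the IdP posts and pass the XML string to `signature_problems`; a response built from a template that already contains a Signature placeholder shows up as the DOUBLE case, and a signature inserted into the wrong element shows up as MISPLACED.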

