Guidance on certificate
I’ve been successful at running the samples, and I’m trying to set up my own identity provider in node.js/express/express-saml2 and testing it against a locally run instance of GitLab Community. Trying naively, it almost works: from GitLab I can go to my identity provider, log in and post the response. But then GitLab replies with:
Could not authenticate you from SAML because "Found an unexpected number of signature element. saml response rejected".
So most likely I’m doing something wrong, but I’m not sure what.
One thing that I could not find is a clear explanation of all the certificates and keys. It does not say what they are, how to generate them properly, or whether they are required. It would be nice to have a little bit of guidance here.
For example, is the X509Certificate in the metadata_idp1.xml file related to the key we can find in key/idp?
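Added example, not code from express-saml2 or from anyone in this thread: how the X509Certificate in IdP metadata relates to the private key. In SAML metadata, a KeyDescriptor with use="signing" carries, as base64 DER, the certificate whose private key signs the IdP's responses and assertions, so the SP can verify what the IdP signs. The Ruby below (stdlib OpenSSL and REXML only) generates such a key pair, emits a minimal metadata fragment in that shape, reads the certificate back out of it and checks that it belongs to the private key. The subject, entity ID and key size are assumptions, and the metadata is a constructed fragment, not the module's metadata_idp1.xml.

```ruby
require 'openssl'
require 'base64'
require 'rexml/document'

MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'

# Generate an RSA private key plus a self-signed X.509 certificate for it,
# the Ruby/OpenSSL equivalent of an `openssl req -x509 -newkey ...` command.
# The subject is a made-up placeholder.
def generate_idp_keypair(subject: '/CN=idp.example.test', days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse(subject)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                     # X.509 v3
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = name
  cert.issuer     = name                  # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Constructed IdP metadata fragment. SAML metadata carries the certificate as
# base64 DER (a PEM body without the BEGIN/END lines) inside ds:X509Certificate.
# The entity ID is a made-up value.
def build_idp_metadata(cert, entity_id: 'https://idp.example.test/metadata')
  b64 = Base64.strict_encode64(cert.to_der)
  <<~XML
    <md:EntityDescriptor xmlns:md="#{MD_NS}" entityID="#{entity_id}">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="#{DS_NS}">
            <ds:X509Data><ds:X509Certificate>#{b64}</ds:X509Certificate></ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
  XML
end

# Pull every signing certificate out of IdP metadata. A KeyDescriptor without a
# `use` attribute is valid for both signing and encryption, so it counts too.
def metadata_signing_certs(xml)
  doc = REXML::Document.new(xml)
  ns  = { 'md' => MD_NS, 'ds' => DS_NS }
  REXML::XPath.match(doc, '//md:KeyDescriptor', ns).flat_map do |kd|
    use = kd.attributes['use']
    next [] unless use.nil? || use == 'signing'
    REXML::XPath.match(kd, './/ds:X509Certificate', ns).map do |node|
      OpenSSL::X509::Certificate.new(Base64.decode64(node.text))
    end
  end
end

# The check the question is really asking about: does the certificate published
# in the metadata belong to the private key the IdP signs with? Comparing the
# DER-encoded public keys is exactly what "belongs to" means for RSA.
def cert_matches_key?(cert, key)
  cert.public_key.to_der == key.public_key.to_der
end

if $PROGRAM_NAME == __FILE__
  key, cert = generate_idp_keypair
  published = metadata_signing_certs(build_idp_metadata(cert)).first
  puts "metadata certificate matches private key: #{cert_matches_key?(published, key)}"
end
```

To apply this to a real setup, read the PEM private key from the IdP's key file with OpenSSL::PKey::RSA.new(File.read(path)) and the metadata file with File.read, then run cert_matches_key? on each certificate metadata_signing_certs returns; a false result means the SP has been given a certificate that can never verify the IdP's signatures.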
Issue Analytics: created 6 years ago; 15 comments (9 by maintainers)
Top GitHub Comments
@manu-silicon Thank you so much for your valuable feedback.
The signing/encryption key can be generated using the following commands.
If you are using a 3rd-party identity provider like OneLogin or Okta, you can download the IdP metadata instead of creating it manually. In this module, a helper function allows you to export the metadata after you have constructed the entity (See here).
For the above error, "Could not authenticate you from SAML because "Found an unexpected number of signature element. saml response rejected"", it really depends on how GitLab (SP) handles the response sent from express-saml2’s IdP; it would be good if you can provide the SAML response as well. I thought GitLab is using omniauth-saml (https://about.gitlab.com/2016/03/30/feature-highlight-saml/), and this one relies on ruby-saml, maintained by OneLogin, so the error could be thrown from the following lines of code:
https://github.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/response.rb#L548-L550
I think the signature element might not be constructed to fit GitLab’s context well. Are you using the default SAML response or a customized template in express-saml2?
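Added example, not ruby-saml's, GitLab's or express-saml2's code: a structural pre-check written to mirror the shape of the check behind the linked ruby-saml lines as read there (every ds:Signature must sit directly under Response or Assertion, and a Response carries one or two of them), run over constructed responses so you can see which layouts reach the "unexpected number of signature element" path before any cryptography is involved. The SAML Responses below are constructed and their Signature blocks are placeholders, and the exact conditions a given ruby-saml version applies are assumed from the linked code rather than guaranteed here.

```ruby
require 'rexml/document'

DSIG  = 'http://www.w3.org/2000/09/xmldsig#'
SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion'

# Local names of the elements each ds:Signature hangs off, in document order.
# This is the structural view an SP forms before verifying any signature value.
def signed_elements(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//ds:Signature', 'ds' => DSIG).map { |sig| sig.parent.name }
end

# Pre-check in the spirit of ruby-saml's signed-element validation: a signature
# may only sit directly under Response or Assertion, and there must be one or
# two of them (Response signed, Assertion signed, or both). Returns nil when the
# check passes and an error string otherwise; the wording follows the message
# GitLab showed. Cryptographic verification is a separate, later step.
def check_signed_elements(xml)
  elems = signed_elements(xml)
  stray = elems.find { |e| !%w[Response Assertion].include?(e) }
  return "Invalid Signature Element '#{stray}'. SAML response rejected" if stray
  if elems.empty? || elems.length > 2
    return 'Found an unexpected number of signature element. saml response rejected'
  end
  nil
end

# Constructed SAML Response for demonstration. The ds:Signature blocks are
# structural placeholders, not real signatures; only their placement matters.
def sample_response(sign_response: true, sign_assertion: false, stray_signature: false)
  sig = %(<ds:Signature xmlns:ds="#{DSIG}"><ds:SignedInfo/>) +
        %(<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>)
  <<~XML
    <samlp:Response xmlns:samlp="#{SAMLP}" xmlns:saml="#{SAML}" ID="_r1" Version="2.0">
      <saml:Issuer>https://idp.example.test</saml:Issuer>
      #{sig if sign_response}
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Issuer>https://idp.example.test</saml:Issuer>
        #{sig if sign_assertion}
        <saml:Subject>
          <saml:NameID>user@example.test#{sig if stray_signature}</saml:NameID>
        </saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  XML
end

if $PROGRAM_NAME == __FILE__
  { 'unsigned'        => sample_response(sign_response: false),
    'response signed' => sample_response,
    'both signed'     => sample_response(sign_assertion: true),
    'stray signature' => sample_response(stray_signature: true) }.each do |label, xml|
    puts "#{label.ljust(16)} #{signed_elements(xml).inspect} -> #{check_signed_elements(xml) || 'ok'}"
  end
end
```

To diagnose the real failure, base64-decode the SAMLResponse form field the IdP posts to GitLab and pass the XML to signed_elements: an empty array means the response left express-saml2 unsigned, and anything other than Response or Assertion in the list means a Signature landed on the wrong element.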
@manu-silicon I have made some progress on it; hopefully it can be resolved soon. You can check it out here.