Issue with Certificate key validation with simplesaml sp and Okta idp integration


Jo-An

Oct 9, 2023, 6:25:09 AM
to SimpleSAMLphp
Issue with Simplesaml Okta SSO integration

We have a setup where we use SimpleSAMLphp as the service provider and Okta as the identity provider.
When we authenticate with this setup we can see that the authentication is successful in Okta and the saml response is valid.
When redirecting back to our application we however receive the error below.

Does anyone know how to fix this?
We tried the following:

  • Add additional attributes to the IdP metadata
    • 'certificate' => 'okta.cert' and placed the cert in the simplesaml_root/cert/ folder.
  • Add a self-signed cert to the SP
    • $config['default-sp']['privatekey'] = 'saml.pem'; and
      $config['default-sp']['certificate'] = 'saml.crt'; and placed the files in the cert folder.

tracking id: 1a8882c231

error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to extract public key
Backtrace:
5 /var/www/devportal/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:381 (RobRichards\XMLSecLibs\XMLSecurityKey::loadKey)
4 modules/saml/lib/Message.php:226 (SimpleSAML\Module\saml\Message::checkSign)
3 modules/saml/lib/Message.php:646 (SimpleSAML\Module\saml\Message::processResponse)
2 modules/saml/www/sp/saml2-acs.php:141 (require)
1 lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)

remote idp metadata:

<?php
$metadata['https://sso-idp-provider/identity'] = [
    'entityid' => 'https://sso-idp-provider/identity',
    'contacts' => [],
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://XXXXXXXXX/XXXXXXXX',
        ],
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://XXXXXXXXX/XXXXXXXX',
        ],
    ],
    'SingleLogoutService' => [],
    'ArtifactResolutionService' => [],
    'NameIDFormats' => [
        'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    ],
    // signing certificate of the IdP, base64 DER body only (no PEM header/footer)
    'keys' => [
        [
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
        ],
    ],
    'certificate' => 'okta.cert',
];

Authsources setup

$config['default-sp']['entityID'] = 'https://my.entity.id';
$config['default-sp']['idp'] = 'https://sso-idp-provider/identity';
$config['default-sp']['RelayState'] = 'https://my.entity.id';
$config['default-sp']['privatekey'] = 'saml.pem';
$config['default-sp']['certificate'] = 'saml.crt';

Peter Brand

Oct 9, 2023, 8:44:10 AM
to simple...@googlegroups.com
Jo-An <naom...@gmail.com> [2023-10-09 12:25 CEST]:
> - Add additional attributes to the idp metadata
> - 'certificate' => 'okta.cert' and placed cert in the
> *simplesaml_root/cert/* folder.

What you want to do is convert the SAML 2.0 Metadata (XML document)
you got (or can get) from the IDP into SimpleSAMLphp's internal format
(PHP code).
SSP provides a command line utility to do that, IIRC, and this is also
possible from the admin web UI, I think.

-peter

Jo-An

Oct 9, 2023, 9:20:58 AM
to SimpleSAMLphp
Hi Peter,

That was already done. The config I posted is the converted metadata.


On Monday, October 9, 2023 at 14:44:10 UTC+2, Peter Brand wrote:

Peter Brand

Oct 9, 2023, 9:31:36 AM
to simple...@googlegroups.com
Jo-An <naom...@gmail.com> [2023-10-09 15:21 CEST]:
> That was already done. The config I posted is the converted metadata.

Sorry, I just looked at what you wrote above:

> > Jo-An <naom...@gmail.com> [2023-10-09 12:25 CEST]:
> > > - Add additional attributes to the idp metadata
> > > - 'certificate' => 'okta.cert' and placed cert in the *simplesaml_root/cert/* folder.

which wouldn't achieve anything, AFAIU: The SSP metadata would have
to have a different data structure for this (the 'keys' array).
But since you already seem to have that (with a X509Certificate key in
there) I don't have any explanation handy.

-peter
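One way to narrow this down, as an added example that is not from the thread and is not SimpleSAMLphp's or xmlseclibs' own code: the "Unable to extract public key" exception in the first post is what xmlseclibs raises when openssl_pkey_get_public() returns false for the certificate the SP hands it, so the quickest check is to run that same load over every entry of the 'keys' array in the converted metadata, before any SAML Response is involved. The script assumes SimpleSAMLphp re-wraps the base64 'X509Certificate' value in PEM armour before loading it (my reading, not quoted from the code base); the certificate it tests and the three cases (a clean conversion, a value pasted with its PEM header and footer, a truncated paste) are constructed on the fly, so nothing real is embedded.

```php
<?php
// Added diagnostic (not SimpleSAMLphp code): load each signing certificate from a
// saml20-idp-remote entry the way the SP has to before it can verify the Response
// signature, and report which one OpenSSL rejects.
// Assumption: the PEM re-wrapping in pemFromX509Certificate() mirrors what
// SimpleSAMLphp does with the 'X509Certificate' value. The test certificate and
// the metadata arrays below are constructed for the demo.
declare(strict_types=1);

/** Strip whitespace from a metadata X509Certificate value and re-wrap it as PEM. */
function pemFromX509Certificate(string $certData): string
{
    $b64 = (string) preg_replace('/\s+/', '', $certData);
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split($b64, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

/**
 * Check every signing key in the 'keys' array. Returns one status line per key.
 * A FAIL line is a key for which openssl_pkey_get_public() returns false, which
 * is exactly the condition xmlseclibs reports as "Unable to extract public key".
 */
function checkIdpSigningKeys(array $idpMetadata): array
{
    $results = [];
    foreach ($idpMetadata['keys'] ?? [] as $i => $key) {
        if (($key['type'] ?? '') !== 'X509Certificate' || empty($key['signing'])) {
            $results[] = "key[$i]: skipped (not a signing X509Certificate)";
            continue;
        }
        $pem = pemFromX509Certificate((string) ($key['X509Certificate'] ?? ''));
        $pub = @openssl_pkey_get_public($pem);
        if ($pub === false) {
            $results[] = "key[$i]: FAIL - " . (openssl_error_string() ?: 'OpenSSL returned no public key');
            continue;
        }
        $bits = openssl_pkey_get_details($pub)['bits'] ?? 0;
        $x509 = openssl_x509_parse($pem) ?: [];
        $fp   = openssl_x509_fingerprint($pem, 'sha256') ?: '?';
        $results[] = sprintf('key[%d]: OK - %d-bit key, subject %s, sha256 fingerprint %s',
            $i, $bits, $x509['name'] ?? '?', $fp);
    }
    if ($results === []) {
        $results[] = "no 'keys' entries: the SP has nothing to verify the Response signature with";
    }
    return $results;
}

/** Constructed test certificate, generated on the fly so no real cert is embedded. */
function demoCertBase64(): string
{
    $priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr  = openssl_csr_new(['commonName' => 'demo-idp-signing'], $priv, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, null, $priv, 365, ['digest_alg' => 'sha256']);
    openssl_x509_export($cert, $pem);
    // Metadata carries only the base64 body, which is what the metadata converter writes.
    return (string) preg_replace('/-----(BEGIN|END) CERTIFICATE-----|\s+/', '', $pem);
}

$good  = demoCertBase64();
$cases = [
    'as converted'         => $good,
    'PEM armour pasted in' => "-----BEGIN CERTIFICATE-----\n" . chunk_split($good, 64, "\n") . "-----END CERTIFICATE-----\n",
    'truncated paste'      => substr($good, 0, -40),
];
foreach ($cases as $label => $certData) {
    // Same shape as the 'keys' entry in the converted saml20-idp-remote metadata.
    $md = ['keys' => [[
        'encryption'      => false,
        'signing'         => true,
        'type'            => 'X509Certificate',
        'X509Certificate' => $certData,
    ]]];
    echo $label, ': ', implode('; ', checkIdpSigningKeys($md)), PHP_EOL;
}
```

Run it with the real 'keys' array from saml20-idp-remote.php substituted for the constructed one. If the key loads, compare the printed fingerprint with the certificate Okta publishes in its IdP metadata; if it does not, the problem is in how the value ended up in the metadata file rather than in the Response Okta sent, and the failing entry is the one to re-export.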