tuxtux59

tuxtux59

How to proper setup samly for PingFederate SP connection

Hello,

I’m quite new to SAML and Samly, so do not hesitate if I do not provide enough information.

I’m trying to setup properly my Samly (static config) to worked with a local self hosted PingFederate instance.
For now I can reach PingFederate form but after submit SAML Challenge come to my Elixir app, SAMLY throws an error:

access_denied {{:badmatch, []}, [{:xmerl_dsig, :verify, 2, [file: '/Users/xxxx/.../app-umbrella/deps/esaml/src/xmerl_dsig.erl', line: 197]},
{:esaml_sp, :"-validate_assertion/3-fun-2-", 2...

I understand that assertions validation failed and assume that is related to either config in PingFederate side or SAMLY’s.

Here is my local SAMLY static config for my IDP

%{
      id: local_idp_id,
      sp_id: local_sp_id,
      base_url: "#{base_url}/#{local_idp_id}/sso",
      metadata_file: "metadata-pingfederate-local.xml",
      pre_session_create_pipeline: AppWeb.PingoneSamlPipeline,
      allow_idp_initiated_flow: true,
      use_redirect_for_req: false,
      sign_requests: true,
      sign_metadata: true,
      signed_assertion_in_resp: true,
      signed_envelopes_in_resp: false,
      nameid_format: :transient
    }

the related SP is configured and already used by other IDPs.

My frictions points are on some settings set up on PingFederate admin tool.
Here are some one of them:

  1. What value for nameid_format? The assertion creation allows 3 choices: Standard, Pseudonym and Transient. I’m only aware of persistent and transient for SAMLY config so I chose transient
  • STANDARD: Send the SP a known attribute value as the name identifier. The SP will often use account mapping to identify the user locally.
  • TRANSIENT: Send the SP an opaque, temporary value as the name identifier.
  1. What boolean values for sign_requests and signed_assertion_in_resp, in fact in PingFederate we can choose following properties for Signature Policy: Require digitally signed AuthN requests , Always Sign Assertion. and Sign Response As Required , I’ve only checked Always Sign Assertion to match sign_requests and signed_assertion_in_resp .
  2. I’ve checked SP-Initiated SSO to match allow_idp_initiated_flow.

I’ve read :badmatch error upon verifying response from ADFS · Issue #42 · handnot2/samly · GitHub and Why I am getting this badmatch error when trying to connect to websocket but without matching the current problem.

I’m a bit lost to find the right way to fix my configuration, so I’m looking for cross config matching.

Thanks by advance.

First Post!

kokolegorille

kokolegorille

That has been quite challenging to make it work…

Mainly I have been using default config from samly doc, but the thing really important is to set the right entity_id in the service_providers section.

I am using transient for nameid_format.

Once done, I started to receive valid challenge.

It took also some time to configure https. I made some fake certifs, but it worked much better with the real one.

BTW I don’t know about PingFederate SP, but I made it work with Azure Federation Services.

Where Next?

Popular in Questions Top

albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
fireproofsocks
I’m working on defining a simple Ecto schema for a table (in PostGres), but I don’t see where I can define a column as NOT NULL. Conside...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
chensan
I have a User schema with a :from_id field set to type :string: defmodule TweetBot.Repo.Migrations.CreateUsers do use Ecto.Migration ...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
dotdotdotPaul
Okay, I’m having a heck of a time trying to figure out how to best handle the validation of belongs_to associations in Ecto. I’m sure I’...
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New

Other popular topics Top

skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52673 488
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
Qqwy
Update: How to use the Blogs & Podcasts section You can post links to your blog posts or podcasts either in one of the Official Blog...
3271 127089 1222
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 54120 245
New

We're in Beta

About us Mission Statement