tuxtux59

tuxtux59

How to proper setup samly for PingFederate SP connection

Hello,

I’m quite new to SAML and Samly, so do not hesitate if I do not provide enough information.

I’m trying to setup properly my Samly (static config) to worked with a local self hosted PingFederate instance.
For now I can reach PingFederate form but after submit SAML Challenge come to my Elixir app, SAMLY throws an error:

access_denied {{:badmatch, []}, [{:xmerl_dsig, :verify, 2, [file: '/Users/xxxx/.../app-umbrella/deps/esaml/src/xmerl_dsig.erl', line: 197]},
{:esaml_sp, :"-validate_assertion/3-fun-2-", 2...

I understand that assertions validation failed and assume that is related to either config in PingFederate side or SAMLY’s.

Here is my local SAMLY static config for my IDP

%{
      id: local_idp_id,
      sp_id: local_sp_id,
      base_url: "#{base_url}/#{local_idp_id}/sso",
      metadata_file: "metadata-pingfederate-local.xml",
      pre_session_create_pipeline: AppWeb.PingoneSamlPipeline,
      allow_idp_initiated_flow: true,
      use_redirect_for_req: false,
      sign_requests: true,
      sign_metadata: true,
      signed_assertion_in_resp: true,
      signed_envelopes_in_resp: false,
      nameid_format: :transient
    }

the related SP is configured and already used by other IDPs.

My frictions points are on some settings set up on PingFederate admin tool.
Here are some one of them:

  1. What value for nameid_format? The assertion creation allows 3 choices: Standard, Pseudonym and Transient. I’m only aware of persistent and transient for SAMLY config so I chose transient
  • STANDARD: Send the SP a known attribute value as the name identifier. The SP will often use account mapping to identify the user locally.
  • TRANSIENT: Send the SP an opaque, temporary value as the name identifier.
  1. What boolean values for sign_requests and signed_assertion_in_resp, in fact in PingFederate we can choose following properties for Signature Policy: Require digitally signed AuthN requests , Always Sign Assertion. and Sign Response As Required , I’ve only checked Always Sign Assertion to match sign_requests and signed_assertion_in_resp .
  2. I’ve checked SP-Initiated SSO to match allow_idp_initiated_flow.

I’ve read :badmatch error upon verifying response from ADFS · Issue #42 · handnot2/samly · GitHub and Why I am getting this badmatch error when trying to connect to websocket but without matching the current problem.

I’m a bit lost to find the right way to fix my configuration, so I’m looking for cross config matching.

Thanks by advance.

First Post!

kokolegorille

kokolegorille

That has been quite challenging to make it work…

Mainly I have been using default config from samly doc, but the thing really important is to set the right entity_id in the service_providers section.

I am using transient for nameid_format.

Once done, I started to receive valid challenge.

It took also some time to configure https. I made some fake certifs, but it worked much better with the real one.

BTW I don’t know about PingFederate SP, but I made it work with Azure Federation Services.

Where Next?

Popular in Questions Top

chokchit
** (DBConnection.ConnectionError) connection not available and request was dropped from queue after 2733ms. You can configure how long re...
New
sergio
In Ruby, I can go: User.find_by(email: "foobar@email.com").update(email: "hello@email.com") How can I do something similar in Elixir? ...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
chrisalley
ExUnit now has describe blocks which is a welcome addition coming from RSpec. In the docs, it states that nested hierarchies of describe ...
New
greenz1
I have a phoenix application from which a user can download multiple(5-6) files of size 1MB. I couldn’t find anything related to sending ...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New

Other popular topics Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
985 42920 311
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
AstonJ
We’ve put together this wiki for Phoenix LiveView - please feel free to add any info you feel is worth including. What is Phoenix LiveV...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

We're in Beta

About us Mission Statement