tuxtux59
How to proper setup samly for PingFederate SP connection
Hello,
I’m quite new to SAML and Samly, so do not hesitate if I do not provide enough information.
I’m trying to setup properly my Samly (static config) to worked with a local self hosted PingFederate instance.
For now I can reach PingFederate form but after submit SAML Challenge come to my Elixir app, SAMLY throws an error:
access_denied {{:badmatch, []}, [{:xmerl_dsig, :verify, 2, [file: '/Users/xxxx/.../app-umbrella/deps/esaml/src/xmerl_dsig.erl', line: 197]},
{:esaml_sp, :"-validate_assertion/3-fun-2-", 2...
I understand that assertions validation failed and assume that is related to either config in PingFederate side or SAMLY’s.
Here is my local SAMLY static config for my IDP
%{
id: local_idp_id,
sp_id: local_sp_id,
base_url: "#{base_url}/#{local_idp_id}/sso",
metadata_file: "metadata-pingfederate-local.xml",
pre_session_create_pipeline: AppWeb.PingoneSamlPipeline,
allow_idp_initiated_flow: true,
use_redirect_for_req: false,
sign_requests: true,
sign_metadata: true,
signed_assertion_in_resp: true,
signed_envelopes_in_resp: false,
nameid_format: :transient
}
the related SP is configured and already used by other IDPs.
My frictions points are on some settings set up on PingFederate admin tool.
Here are some one of them:
- What value for
nameid_format? The assertion creation allows 3 choices: Standard, Pseudonym and Transient. I’m only aware ofpersistentandtransientfor SAMLY config so I chosetransient
- STANDARD: Send the SP a known attribute value as the name identifier. The SP will often use account mapping to identify the user locally.
- TRANSIENT: Send the SP an opaque, temporary value as the name identifier.
- What boolean values for
sign_requestsandsigned_assertion_in_resp, in fact in PingFederate we can choose following properties for Signature Policy:Require digitally signed AuthN requests,Always Sign Assertion. andSign Response As Required, I’ve only checkedAlways Sign Assertionto matchsign_requestsandsigned_assertion_in_resp. - I’ve checked
SP-Initiated SSOto matchallow_idp_initiated_flow.
I’ve read :badmatch error upon verifying response from ADFS · Issue #42 · handnot2/samly · GitHub and Why I am getting this badmatch error when trying to connect to websocket but without matching the current problem.
I’m a bit lost to find the right way to fix my configuration, so I’m looking for cross config matching.
Thanks by advance.
First Post!
kokolegorille
That has been quite challenging to make it work…
Mainly I have been using default config from samly doc, but the thing really important is to set the right entity_id in the service_providers section.
I am using transient for nameid_format.
Once done, I started to receive valid challenge.
It took also some time to configure https. I made some fake certifs, but it worked much better with the real one.
BTW I don’t know about PingFederate SP, but I made it work with Azure Federation Services.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








