Hello,
I’m quite new to SAML and Samly, so do not hesitate to ask if I do not provide enough information.
I’m trying to set up my Samly (static config) properly to work with a local self-hosted PingFederate instance.
For now I can reach the PingFederate form, but after submitting, the SAML challenge comes back to my Elixir app and SAMLY throws an error:
```
access_denied {{:badmatch, []}, [{:xmerl_dsig, :verify, 2, [file: '/Users/xxxx/.../app-umbrella/deps/esaml/src/xmerl_dsig.erl', line: 197]},
{:esaml_sp, :"-validate_assertion/3-fun-2-", 2...
```
I understand that assertion validation failed and assume that it is related to either the config on the PingFederate side or SAMLY’s.
Here is my local SAMLY static config for my IDP:
```elixir
%{
  id: local_idp_id,
  sp_id: local_sp_id,
  base_url: "#{base_url}/#{local_idp_id}/sso",
  metadata_file: "metadata-pingfederate-local.xml",
  pre_session_create_pipeline: AppWeb.PingoneSamlPipeline,
  allow_idp_initiated_flow: true,
  use_redirect_for_req: false,
  sign_requests: true,
  sign_metadata: true,
  signed_assertion_in_resp: true,
  signed_envelopes_in_resp: false,
  nameid_format: :transient
}
```
The related SP is configured and already used by other IDPs.
My friction points are some settings in the PingFederate admin tool.
Here are some of them:
- What value for `nameid_format`? The assertion creation allows 3 choices: Standard, Pseudonym and Transient. I’m only aware of `persistent` and `transient` for the SAMLY config, so I chose `transient`.
  - STANDARD: Send the SP a known attribute value as the name identifier. The SP will often use account mapping to identify the user locally.
  - TRANSIENT: Send the SP an opaque, temporary value as the name identifier.
- What boolean values for `sign_requests` and `signed_assertion_in_resp`? In fact, in PingFederate we can choose the following properties for Signature Policy: `Require digitally signed AuthN requests`, `Always Sign Assertion` and `Sign Response As Required`. I’ve only checked `Always Sign Assertion` to match `sign_requests` and `signed_assertion_in_resp`.
- I’ve checked `SP-Initiated SSO` to match `allow_idp_initiated_flow`.
I’ve read ":badmatch error upon verifying response from ADFS · Issue #42 · handnot2/samly · GitHub" and "Why I am getting this badmatch error when trying to connect to websocket", but neither matches the current problem.
I’m a bit lost about the right way to fix my configuration, so I’m looking for cross-config matching.
Thanks in advance.
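Added example, not code from the post nor from Samly or esaml: a small Python script that parses a SAML Response and reports whether the Response envelope and each Assertion carry a `ds:Signature` element, so what the IdP actually sends can be compared with the `signed_assertion_in_resp` / `signed_envelopes_in_resp` flags from the config above. It checks presence only, not signature validity. The reading of the two flags (assertion flag means each `saml:Assertion` is signed, envelopes flag means the `samlp:Response` itself is signed) and the sample Response documents are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 and XML-DSig namespace URIs.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_layout(response_xml: str) -> dict:
    """Report where ds:Signature elements sit in a SAML Response.

    Only presence is checked; nothing here validates a signature.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "envelope_signed": root.find("ds:Signature", NS) is not None,
        "assertion_count": len(assertions),
        "assertions_signed": [a.find("ds:Signature", NS) is not None for a in assertions],
    }


def mismatches(response_xml: str, *, signed_assertion_in_resp: bool,
               signed_envelopes_in_resp: bool) -> list:
    """Compare the signature layout with the two Samly flags.

    Assumed reading (hypothetical, not taken from the Samly docs):
    signed_assertion_in_resp  -> every saml:Assertion carries ds:Signature
    signed_envelopes_in_resp  -> the samlp:Response itself carries ds:Signature
    Returns a list of human-readable problems; empty means the layout matches.
    """
    layout = signature_layout(response_xml)
    problems = []
    if layout["assertion_count"] == 0:
        problems.append("response contains no plain saml:Assertion element")
    elif signed_assertion_in_resp and not all(layout["assertions_signed"]):
        problems.append("config expects a signed assertion but an assertion has no ds:Signature")
    if signed_envelopes_in_resp and not layout["envelope_signed"]:
        problems.append("config expects a signed response envelope but samlp:Response has no ds:Signature")
    return problems


# Constructed sample: Assertion signed, Response envelope unsigned.
# The Signature content is a placeholder; only its presence matters here.
SIGNATURE_STUB = (
    "<ds:Signature><ds:SignedInfo/>"
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
)
SIGNED_ASSERTION_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    {SIGNATURE_STUB}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">abc</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: same Response with the assertion signature removed.
UNSIGNED_RESPONSE = SIGNED_ASSERTION_RESPONSE.replace(SIGNATURE_STUB, "")


if __name__ == "__main__":
    # Flags as set in the config from the post.
    flags = dict(signed_assertion_in_resp=True, signed_envelopes_in_resp=False)
    for label, doc in (("signed assertion", SIGNED_ASSERTION_RESPONSE),
                       ("unsigned", UNSIGNED_RESPONSE)):
        print(label, signature_layout(doc), mismatches(doc, **flags))
```

To use it against a real exchange, paste the base64-decoded `SAMLResponse` the IdP posts to the ACS endpoint into `signature_layout`; if the Assertion lacks a `ds:Signature` while `signed_assertion_in_resp` is `true`, the IdP-side signing policy and the SP-side expectation disagree and that is the first thing to reconcile.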