moodle-auth_saml2
Okta Metadata read not parsing entityID
Provided the public URL for the Okta metadata XML, the save changes says it reads it fine but doing a test gives this error.
Exception - Invalid configuration of the 'metadata.sources' configuration option: Missing required attribute entityID on EntityDescriptor.
Hi @mcnutter1, I can't help you without the exact details. At face value it sounds like the IdP metadata is not right, but I have no idea without seeing it. We have plenty of clients using Okta though, so it's odd. If you would like commercial support please contact us: https://www.catalyst-au.net/contact-us
A little more detail: when I paste the metadata URL into the configuration it says everything is OK, but then it complains it can't read the EntityID when trying to authenticate. When I try to paste the raw XML into the configuration it seems to prepend 'http' to the XML at random parts and complains it's not formatted properly.
Here is the Okta provided metadata url. https://thelynxgroup.okta.com/app/exk3096ykxvxdOuDy357/sso/saml/metadata
I think there is something wrong with how it's parsing the XML, maybe in this version... I have colleagues using Okta and older versions of your SAML2 auth, configured exactly the same, and it works.
Image attached of what happens when I paste the XML... I validated the XML with
Hmm, ok, so either URL config or raw XML config should work. I vastly prefer the URL method for multiple reasons, i.e. it's much easier and it supports automatic certificate rolling. When I visit this URL I get a 404:
https://thelynxgroup.okta.com/app/exk3096ykxvxdOuDy357/sso/saml/metadata
The plugin tries to parse it as XML and then, if that fails, it tries to parse it as URLs. So I think there is a bug in your XML so it fails, AND then there is a bug in the validation.
I've just pushed a patch which detects when things look like XML but may not be valid, and then exposes the XML parsing error in the GUI.
Give that a whirl and see what happens. Note the error won't have line breaks in it because of an unrelated core bug (I've temp patched it in my local)
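To illustrate the "try XML first, then fall back to URLs, and surface the XML parse error instead of silently falling through" logic the maintainer describes, here is an added example that is not the plugin's own code (auth_saml2 is PHP; this is a stand-alone Python sketch of the same check). The SAML metadata namespace is the standard one; the sample metadata documents, the entityID value, the IdP hostnames and the exact error strings other than the entityID one quoted in the thread are constructed for the example. Python's expat-based `xml.etree` parser does not fetch external entities or DTDs by default, which is the behaviour you want when parsing metadata pasted by an administrator; check the equivalent setting if you port this to libxml-based code.

```python
"""Classify an IdP metadata field as raw XML, a list of URLs, or an error.

Added example, not auth_saml2 code. Mirrors the approach discussed in the
thread: if the input looks like XML, parse it and report parse errors and a
missing entityID to the UI; otherwise treat each line as a metadata URL.
"""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata namespace.
SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = "{%s}EntityDescriptor" % SAML_MD_NS


def looks_like_xml(text: str) -> bool:
    """Heuristic applied before parsing: pasted XML starts with '<'."""
    return text.lstrip().startswith("<")


def classify_metadata(text: str):
    """Return one of:
      ("xml", entity_id)    well-formed EntityDescriptor carrying entityID
      ("url", [url, ...])   one metadata URL per non-empty line
      ("error", message)    input is unusable; message is what the UI shows
    """
    stripped = text.strip()
    if looks_like_xml(stripped):
        try:
            root = ET.fromstring(stripped)
        except ET.ParseError as exc:
            # Surface the parser's own message rather than falling back to URLs.
            return ("error", "XML parse error: %s" % exc)
        if root.tag != ENTITY_DESCRIPTOR:
            return ("error", "Expected md:EntityDescriptor root, got %s" % root.tag)
        entity_id = root.get("entityID")
        if not entity_id:
            # Same condition the thread's exception reports.
            return ("error", "Missing required attribute entityID on EntityDescriptor")
        return ("xml", entity_id)

    # Not XML: every non-empty line must be an http(s) URL.
    urls = [line.strip() for line in stripped.splitlines() if line.strip()]
    bad = [u for u in urls if not u.startswith(("https://", "http://"))]
    if bad:
        return ("error", "Not XML and not a URL: %r" % bad[0])
    return ("url", urls)


# Constructed sample inputs (hypothetical IdP; not Okta's real metadata).
GOOD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/exk000000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/app/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same document with the entityID attribute dropped.
NO_ENTITYID_XML = GOOD_XML.replace(
    '\n    entityID="https://idp.example.com/exk000000000000000000"', "")

# Simulates the stray 'http' the reporter saw injected into the pasted XML:
# a bare attribute name with no value is not well-formed XML.
STRAY_HTTP_XML = GOOD_XML.replace("<md:EntityDescriptor ", "<md:EntityDescriptor http ")

URL_INPUT = "https://idp.example.com/app/sso/saml/metadata\n"


if __name__ == "__main__":
    for label, sample in [("good", GOOD_XML), ("no entityID", NO_ENTITYID_XML),
                          ("stray http", STRAY_HTTP_XML), ("url", URL_INPUT)]:
        print(label, "->", classify_metadata(sample))
```

The useful property is the third return value: a document that starts with `<` but does not parse is reported as an XML error, not quietly reinterpreted as a URL list, which is what produced the confusing "saves fine, fails at login" behaviour in the thread.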