@biplobice
Last active September 7, 2023 00:12

EC SAML Troubleshooting

How the SAML Login Process Works (each step runs only when the previous one finds no user):

  1. First, it looks up a user mapping in the EcSamlIdentityProviderUser table using the SAML Unique ID.
  2. If username linking is enabled, it looks for a user whose username matches the SAML username attribute.
  3. If email linking is enabled, it looks for a user whose email matches the SAML email attribute.
  4. If no match is found, it creates a new user entry in the Users table and establishes a mapping in the EcSamlIdentityProviderUser table.
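The four-step order above, modelled in Python as an added example (not the package's own code): `Directory` is a constructed stand-in for the two tables, and recording a mapping for users found in steps 2 and 3 is an assumption about what "linking" does. It shows why the two linking switches matter: with both disabled, an existing local account with the same email gets a second account; with email linking on, the IdP-asserted email decides which local account the login binds to.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: int
    username: str
    email: str


@dataclass
class Directory:
    """Constructed stand-in for the Users and EcSamlIdentityProviderUser tables."""
    users: dict = field(default_factory=dict)     # user id -> User
    saml_map: dict = field(default_factory=dict)  # SAML unique ID -> user id

    def add_user(self, username: str, email: str) -> User:
        user = User(len(self.users) + 1, username, email)
        self.users[user.id] = user
        return user

    def find(self, **attr) -> Optional[User]:
        # Single-attribute lookup, e.g. find(email="a@b") or find(username="a")
        (key, value), = attr.items()
        return next((u for u in self.users.values() if getattr(u, key) == value), None)


def resolve_login(d: Directory, assertion: dict, link_username: bool, link_email: bool):
    """Return (user, how): the local account a SAML login binds to and which step chose it."""
    uid = d.saml_map.get(assertion["unique_id"])
    if uid is not None:                                       # step 1: existing mapping wins
        return d.users[uid], "mapping"
    user, how = None, ""
    if link_username:                                         # step 2: link by username attribute
        user, how = d.find(username=assertion["username"]), "username"
    if user is None and link_email:                           # step 3: link by email attribute
        user, how = d.find(email=assertion["email"]), "email"
    if user is None:                                          # step 4: create a new local user
        user, how = d.add_user(assertion["username"], assertion["email"]), "created"
    # Record the mapping so the next login resolves at step 1 (assumed to apply to linked
    # users too; the text states it explicitly only for newly created ones).
    d.saml_map[assertion["unique_id"]] = user.id
    return user, how
```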

Error

Invalid array settings: sp_certs_not_found_and_required

Possible Reason

In some cases the key-pair generation fails during package installation.

Check whether the file application/config/generated_overrides/ec_saml/pkey.php exists with the following contents. If it does not, follow one of the solutions below.

```php
<?php

return [
    'public' => '************',
    'private' => '************',
];
```

Solution

Way 1

Upload the attached PHP script (generate-ec-saml-key-pair.php) to the server and run it with the following command.

```sh
cd /to/your/webroot
# Replace USER with the user your web server runs as (e.g. apache, nginx)
sudo -u USER ./concrete/bin/concrete c5:exec /path/to/the/script/generate-ec-saml-key-pair.php
```

Please remove the script from the server after generating the key pair.

Way 2

  • Add the following script to your application/bootstrap/app.php
```php
use Concrete\Package\EcSaml\Src\Saml\KeyManager;

Route::register('/generate-ec-saml-key-pair', function () {
    if (!extension_loaded('openssl')) {
        throw new \RuntimeException(t('Installation requires the PHP OpenSSL extension.'));
    }

    $pkg = \Concrete\Core\Package\Package::getByHandle('ec_saml');
    if ($pkg && $pkg->isPackageInstalled()) {
        $config = $pkg->getController()->getFileConfig();
        if (!$config->has('pkey.private') || !$config->has('pkey.public')) {
            try {
                $keyManager = KeyManager::generateKeyPair();
                $keyManager->save($config);
                echo 'Key pair generated' . PHP_EOL;
            } catch (Exception $e) {
                throw new \RuntimeException(t('Unable to generate key pair: %s', $e->getMessage()));
            }
        } else {
            echo 'Key pair already exists' . PHP_EOL;
        }
    } else {
        throw new \RuntimeException(t('Package is not installed.'));
    }
});
```
  • Visit https://YOUR_SITE.com/generate-ec-saml-key-pair
  • Remove the code block after generating the key pair.
generate-ec-saml-key-pair.php (the script referenced in Way 1):

```php
<?php
use Concrete\Package\EcSaml\Src\Saml\KeyManager;

defined('C5_EXECUTE') or die('Access Denied.');

/**
 * @author: Biplob Hossain <biplob.ice@gmail.com>
 */
if (!extension_loaded('openssl')) {
    throw new \RuntimeException(t('Installation requires the PHP OpenSSL extension.'));
}

$pkg = \Concrete\Core\Package\Package::getByHandle('ec_saml');
if ($pkg && $pkg->isPackageInstalled()) {
    $config = $pkg->getController()->getFileConfig();
    if (!$config->has('pkey.private') || !$config->has('pkey.public')) {
        try {
            $keyManager = KeyManager::generateKeyPair();
            $keyManager->save($config);
            echo 'Key pair generated' . PHP_EOL;
        } catch (Exception $e) {
            throw new \RuntimeException(t('Unable to generate key pair: %s', $e->getMessage()));
        }
    } else {
        echo 'Key pair already exists' . PHP_EOL;
    }
} else {
    throw new \RuntimeException(t('Package is not installed.'));
}
```
@biplobice (Author) commented:

To debug the callback response add the following code.
Please make sure to remove this after debugging.

```php
// packages/ec_saml/src/Saml/Saml2Auth.php: 49
dd($auth->getAttributes(), $auth->getErrors(), $auth->getLastErrorReason(), $auth->getLastErrorException());
```
