SAML Error -201
(one of my junior engineers wrote this up and I offered to send it in - it seems this is happening more and more with our instance and I'm eager to understand if there is something that hasn't been discovered as a bug yet)
I am experiencing an issue with SAML. The issue arises only with some SPs and has been challenging to pinpoint.
I am running a fairly standard implementation of LLNG (LDAP Authentication, SAML2 IDP and OIDC RP), version 2.0.14, with LaSSO v2.8.0. I also tested the error with different LaSSO versions: 2.6.1, 2.6.1.3, and 2.7.0.
Note: in the following logs, I've fuzzed our domain and the SP name.
It looks like the service provider metadata is not being added correctly.
2022-04-12 07:16:50 | LLNG[21926]: [debug] Lasso error [ critical ]: 2022-04-12 07:16:50 (server.c/:76) Failed to add new provider.
2022-04-12 07:16:50 | LLNG[21926]: [error] Lasso error code -202: Failed to add new provider.
2022-04-12 07:16:50 | LLNG[21926]: [error] Fail to use SP organization.service.com Metadata
I've confirmed that the assertion/issuer matches the entityID from the SP metadata:
The decoded SAML request:
<AuthnRequest ID="samlrequest_64136f3769f542f6acdf64ddeb49ff7a" Version="2.0" IssueInstant="2022-04-12T17:56:04.3168995Z" AssertionConsumerServiceURL="https://organization.service.com/xxx/xx/auth/login/samlLogin.xxx" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin</Issuer>
</AuthnRequest>
The Issuer from the request:
https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin
The entityID from the metadata:
https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin
In the LLNG logs, I find:
2022-04-12 10:56:15 | LLNG[21926]: [debug] HTTP-REDIRECT: SAML Request SAMLRequest=jZE9b4MwEIb3Sv0PyDvYgIHYgkhRu0RKl6Tt0KUycCZIxqY%2bU%2fXnlyRq1bHbfeiVnueu3i3hbI%2fwsQCGaP%2fYEFST8bf%2bveRpXuq8KoUueKZL1fW65H0PLRdaV4pEr%2bBxdLYhWcJItEdcYG8xKBvWEcuymPE4zZ7TShalZDzJ03IjRPFGoh0i%2bLBmH5zFZQJ%2fAv85dvByPDTkHMKMklIEo3vAcbCJs2a0YEB5O9qh7ZLOTbTPDDUzVasENW4YLb3gHy5Vsu5I9DUZiw1ZvJVO4YjSqglQhk6edk8HuVLL2bvgOmfI9v4uiuqrg%2f9PUP0YkO0PL2szVpWaxZwVPOYir2KxUUXMNqkQ0GcaoEgC2PU%2bmLR%2bHM4BZ9XBVeYXvaY3iBWopn8ftP0G
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1492) lasso_node_impl_init_from_xml<AuthnRequest>
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1461) Matching node Issuer vs snippet Issuer: SUCCESS namespace URIs match
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:2577) Processing node 'Issuer' with type 'LassoSaml2NameID'
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1492) lasso_node_impl_init_from_xml <Issuer>
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1901) lasso_node_impl_init_from_xml </Issuer> rc=0
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1901) lasso_node_impl_init_from_xml </AuthnRequest> rc=0
2022-04-12 10:56:15 | LLNG[21926]: [error] Lasso error code -201: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
2022-04-12 10:56:15 | LLNG[21926]: [error] SSO: Fail to process authentication request
2022-04-12 10:56:15 | LLNG[21926]: [debug] Returned error: 51 (PE_SAML_SSO_ERROR)
2022-04-12 10:56:15 | LLNG[21926]: [debug] Skin returned: error
2022-04-12 10:56:15 | LLNG[21926]: [debug] Calling sendHtml with template error
The LaSSO documentation for error -201 suggests that the provider identifier is not being added as expected.
In your open issues, I found #2066. But our metadata does use the SPSSODescriptor rather than an IdP descriptor. Our SP is not using ADFS and WS-FED. So this is looking like a different, but perhaps related, issue?
The error "SSO: Fail to process authentication request" appears here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm
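A consistency check between the decoded AuthnRequest and the SP metadata, covering the Issuer/entityID comparison and the SPSSODescriptor point made above. This is an added Python example, not LemonLDAP::NG or Lasso code; the AuthnRequest is the one quoted in the report and the metadata document is constructed here so the check runs offline.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml in production to reject entity expansion

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed sample: the decoded AuthnRequest quoted in the report above.
AUTHN_REQUEST = """<AuthnRequest ID="samlrequest_64136f3769f542f6acdf64ddeb49ff7a" Version="2.0"
  IssueInstant="2022-04-12T17:56:04.3168995Z"
  AssertionConsumerServiceURL="https://organization.service.com/xxx/xx/auth/login/samlLogin.xxx"
  xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin</Issuer>
</AuthnRequest>"""

def sp_metadata(entity_id: str, acs_url: str) -> str:
    """Minimal constructed SP metadata (hypothetical) so the check can be exercised offline."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{entity_id}">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="{acs_url}" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_request_against_metadata(authn_request_xml: str, metadata_xml: str) -> list[str]:
    """Return findings explaining why an IdP could not match the request to this SP;
    an empty list means root element, Issuer/entityID and ACS URL are all consistent."""
    req = ET.fromstring(authn_request_xml)
    md = ET.fromstring(metadata_xml)
    findings = []
    # 1. The root must be an EntityDescriptor, or the metadata cannot be loaded as a provider at all.
    if md.tag != f"{{{NS['md']}}}EntityDescriptor":
        findings.append(f"metadata root is {md.tag}, expected md:EntityDescriptor")
    # 2. Issuer and entityID are compared exactly: a trailing slash or scheme change breaks the lookup.
    issuer_el = req.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    entity_id = md.get("entityID", "")
    if issuer != entity_id:
        findings.append(f"Issuer {issuer!r} does not equal entityID {entity_id!r}")
    # 3. An SP must publish an SPSSODescriptor; an IDPSSODescriptor-only file describes the wrong role.
    sp = md.find("md:SPSSODescriptor", NS)
    if sp is None:
        findings.append("no SPSSODescriptor in metadata")
        return findings
    # 4. The requested ACS URL must be one the metadata registers, or the response would be sent elsewhere.
    acs_urls = {a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)}
    acs = req.get("AssertionConsumerServiceURL")
    if acs and acs not in acs_urls:
        findings.append(f"AssertionConsumerServiceURL {acs!r} not registered in metadata")
    return findings
```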