Just wanted to let people know about a CFML SSO demo app I put together for consuming SAML responses from identity providers. Currently, I have it working against Okta. You can either run the app or use the code in the /saml folder to run in your own app.
Would be great if people can give it a spin and let me know if any issues. And if you want to contribute additional identity provider configurations, that would be even better!
Thanks to Giancarlo Gomez and his OneLogin code, on which this new demo app is based. Major changes include: no need to set up datasource (use JSON config files) and made more generic to allow for expansion to other identity providers.
I’m also getting errors in signature.cfc > buildSignature() on line
samlAssertionSignatureBlock.setIdAttributeNS("", "ID", true);
Error is:
java.lang.IllegalAccessException Error: class lucee.runtime.text.xml.struct.XMLElementStruct cannot access class com.sun.org.apache.xerces.internal.dom.ElementImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xerces.internal.dom to unnamed module @5fcfca62 (onError onRequest)
Sure thing!
It looks like our team's running CommandBox lucee-light@5.3.10.97 in the Docker image ortussolutions/commandbox:jre11-3.7.6
I’m using a development Okta account and their walkthrough for a base beginning test case. I have a working punch out and return back with valid information from Okta; only the signature verification part upon return is the issue at the moment. If I comment that out, I can get a clean return from buildPacket() just without any verification data.
Would you like me to submit this as an issue in the github repo for easier tracking?
Yes, that would be great. If you have a simple test case scenario that demonstrates the error, that would be helpful as well. It may be a OneLogin-specific thing, as I just tried with Okta and it seems to be working.
Has this ever been addressed or corrected? I’m making some headway in implementing your SAML library, and I have the index.cfm showing the “Login with Okta” button, which hits post.cfm, redirects to our Okta SAML. I log in, and when it redirects back, the consume.cfm that I have throws the following error:
lucee.runtime.exp.NativeException: class lucee.runtime.text.xml.struct.XMLElementStruct cannot access class com.sun.org.apache.xerces.internal.dom.ElementImpl (in module java.xml) because module java.xml does not export com.sun.org.apache.xerces.internal.dom to unnamed module @152623fa
in:
/WebProjects/SATTS/saml/signature.cfc: line 11
9: var samlAssertionBlock = objUtils.getSingleValue(samlResponse, "//*[local-name()='Assertion' and namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion']")
10: // Need to set the ID attribute to use as reference as per java - SOAP XML WS-Security signature verification - Stack Overflow
11: samlAssertionBlock.setIdAttributeNS("", "ID", true);
Depends on how you’re starting Lucee (e.g., are you using CommandBox). But that sounds about right - it’s an arg that is supplied along with JRE_HOME and JAVA_HOME
I found out that I had to add that to the JDK options in /opt/lucee/tomcat/bin/catalina.sh. I did that and restarted. Now when I sign in, I get the following error from Lucee:
Attribute [SIGNATURE] not found
on line 16 of signature.cfc:
var samlAssertionSignatureBlock = samlAssertionBlock.Signature[1];
I believe I have this fixed now. I found out that our Okta team was not sending the assertion signed, causing that error. I have SAML working now and I have a few users testing it. I did have to make some other CFM code updates to our code, but I was able to figure that part out pretty quick.
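The unsigned-assertion case above surfaces as a confusing `Attribute [SIGNATURE] not found` error because `samlAssertionBlock.Signature[1]` is accessed unguarded. The cfscript below is an added example, not code from the demo app or its /saml folder, showing how to locate the Assertion and its enveloped `ds:Signature` with namespace-aware XPath and fail with an explicit validation error when the IdP did not sign the assertion; it assumes a hypothetical `samlResponseXml` variable holding the already base64-decoded and parsed SAMLResponse.

```cfml
<cfscript>
// Added example (not part of the demo app): find the Assertion and require that it
// carries exactly one enveloped XML-DSig Signature before any verification runs.
// Assumes samlResponseXml is the parsed SAMLResponse (hypothetical variable name).
function getAssertionSignatureOrFail(required xml samlResponseXml) {
    // Match on local-name and namespace so prefix choices by the IdP do not matter
    var assertions = xmlSearch(arguments.samlResponseXml,
        "//*[local-name()='Assertion' and namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion']");
    if (arrayLen(assertions) != 1) {
        throw(type="SAMLValidation",
              message="Expected exactly one Assertion, found #arrayLen(assertions)#");
    }
    var assertion = assertions[1];

    // The signature must be a direct child of the Assertion, in the XML-DSig namespace.
    // A missing Signature means the IdP is not signing assertions; do not treat the
    // assertion as trusted just because the request round-tripped successfully.
    var signatures = xmlSearch(assertion,
        "./*[local-name()='Signature' and namespace-uri()='http://www.w3.org/2000/09/xmldsig#']");
    if (arrayLen(signatures) != 1) {
        throw(type="SAMLValidation",
              message="Assertion is not signed (found #arrayLen(signatures)# Signature elements); "
                    & "configure the IdP to sign assertions before verification can run");
    }
    return signatures[1];
}

// Usage: call this in place of the bare samlAssertionBlock.Signature[1] lookup,
// then hand the returned node to the existing signature verification code.
// var sigNode = getAssertionSignatureOrFail(samlResponseXml);
</cfscript>
```

Throwing a typed `SAMLValidation` error here keeps an unsigned assertion from being mistaken for a library bug and gives the IdP team the exact misconfiguration to correct.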