I'm trying to connect my Firebase app as a Service Provider to an Identity Provider using Google Cloud Identity platform.
I was able to do it for another IdP (Jump-Cloud) using this excellent tutorial
For some reason it doesn't work with the IdP that I actually need to integrate with, and, being out of my depth here, I don't really understand what the problem is.
I've set up everything in Google Cloud to match the IdP (Kennisnet) config.
The other party, Kennisnet, needs metadata that Jump-Cloud did not need. I don't see any way to get that from Google Cloud, so I used an online tool to create the following:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2021-06-11T09:31:00Z"
                     cacheDuration="PT604800S"
                     entityID="https://ffleren-dev.web.app/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://ffleren-dev.firebaseapp.com/__/auth/handler"
                                 index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
This is about as much as I can configure on my end, as far as I know, but the integration throws an error on their end (error 500 without any details). I've asked for their logs, and they were kind enough to send them:
Jun 17 08:52:48 federatie-stg-auth01 hub ERROR: com.alfaariss.oa.authentication.remote.saml2.profile.re.ResponseEndpoint The binding is not supported by this protocol: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Jun 17 08:52:48 federatie-stg-auth01 hub ERROR: com.alfaariss.oa.OAServlet Could not process request
So my question now:
Can anyone make heads or tails of this error? Is there a mismatch between the metadata that I generated and how Firebase handles SAML? I've tried changing HTTP-POST to HTTP-Redirect in the binding, but it apparently yields the same result. Maybe something else entirely?
I'm using AngularFire signInWithPopup on the client (same result with Firebase.auth itself):
// Assumes a firebase v7-style import, e.g. `import { auth } from 'firebase/app';`,
// and that this.afAuth is an injected AngularFireAuth instance.
// 'saml.kennisnet-staging' is the provider ID configured in Identity Platform.
const provider = new auth.SAMLAuthProvider('saml.kennisnet-staging');
return this.afAuth
  .signInWithPopup(provider)
  .catch((e) => console.error(e.message));
Link to see the issue: https://ffleren-dev.web.app/login
from Firebase SAML integration server error on IdP side
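The first things to check when an IdP rejects a request with "binding is not supported" are which bindings the SP metadata actually advertises and what the AuthnRequest that reached the IdP asked for. The script below is an added example and not code from the post or from Firebase/Identity Platform: the SP metadata string is the one quoted above, while the IdP SSO URL (https://idp.example/sso), the AuthnRequest contents and the set of bindings the IdP accepts are constructed for the example. It lists the SP's AssertionConsumerService bindings, round-trips an AuthnRequest through the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding) so a real SAMLRequest captured from the browser's network tab can be decoded the same way, and reports where the request disagrees with the IdP's configuration and the SP's own metadata.

```python
"""Debug helpers for a SAML SP/IdP binding mismatch (added example, not the post's code).
SP_METADATA is the metadata quoted in the post; the IdP URL, the AuthnRequest and the
IdP's accepted bindings are constructed for the example."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# SP metadata as quoted in the post.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2021-06-11T09:31:00Z" cacheDuration="PT604800S"
    entityID="https://ffleren-dev.web.app/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ffleren-dev.firebaseapp.com/__/auth/handler" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest; the IdP SSO URL https://idp.example/sso is hypothetical.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2021-06-17T08:52:48Z" '
    'Destination="https://idp.example/sso" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://ffleren-dev.firebaseapp.com/__/auth/handler">'
    '<saml:Issuer>https://ffleren-dev.web.app/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def sp_acs_bindings(metadata_xml):
    """Return {binding URI: location} for each AssertionConsumerService in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {acs.get("Binding"): acs.get("Location")
            for acs in root.iterfind(".//md:AssertionConsumerService", NS)}


def encode_redirect_request(authn_request_xml, sso_url, relay_state=None):
    """Build the URL an SP emits for the (unsigned) HTTP-Redirect binding:
    raw DEFLATE, base64, then URL-encode as the SAMLRequest query parameter."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = deflater.compress(authn_request_xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_url + "?" + urlencode(params)


def decode_redirect_request(url):
    """Inverse of encode_redirect_request: take SAMLRequest from the query string,
    base64-decode, raw-inflate, and return the attributes relevant to a binding mismatch."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    request = ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))
    return {
        "ID": request.get("ID"),
        "Issuer": request.findtext("saml:Issuer", namespaces=NS),
        "Destination": request.get("Destination"),
        "ProtocolBinding": request.get("ProtocolBinding"),
        "AssertionConsumerServiceURL": request.get("AssertionConsumerServiceURL"),
    }


def find_mismatches(delivery_binding, request_info, idp_sso_bindings, sp_metadata_xml):
    """Compare how the request was delivered and what it asks for against the IdP's
    SingleSignOnService bindings and the SP's own metadata. Empty list = nothing disagrees."""
    findings = []
    if delivery_binding not in idp_sso_bindings:
        findings.append(f"IdP SSO endpoint does not accept requests delivered over {delivery_binding}")
    acs = sp_acs_bindings(sp_metadata_xml)
    wanted = request_info.get("ProtocolBinding")
    if wanted and wanted not in acs:
        findings.append(f"request asks for responses over {wanted}, but SP metadata only advertises {sorted(acs)}")
    acs_url = request_info.get("AssertionConsumerServiceURL")
    if acs_url and acs_url not in acs.values():
        findings.append(f"request ACS URL {acs_url} is not listed in SP metadata")
    return findings


if __name__ == "__main__":
    url = encode_redirect_request(SAMPLE_AUTHN_REQUEST, "https://idp.example/sso", "state-1")
    info = decode_redirect_request(url)
    print(info)
    # Constructed scenario: the IdP's SSO endpoint accepts HTTP-POST only.
    for finding in find_mismatches(HTTP_REDIRECT, info, {HTTP_POST}, SP_METADATA):
        print("MISMATCH:", finding)
```

To use it against a real flow, copy the full redirect URL the browser is sent to when the popup opens and pass it to decode_redirect_request; the decoded Destination and ProtocolBinding, together with the IdP's published SingleSignOnService bindings, tell you whether the failure is in how the request was delivered or in what it asks the IdP to send back. Signed redirect requests carry extra SigAlg and Signature parameters, which this decoder ignores.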