Internal Server Error When Saving Service Provider and Identity Provider Config [shibboleth] #104

Open
sgurnick opened this issue Mar 29, 2021 · 8 comments
Labels: bug (Something isn't working)

@sgurnick

I am running Craft Pro 3.6.11.1 with SAML Service Provider plugin 2.6.6.

I am attempting to create the initial Service Provider and Identity Provider configurations. When I click the Save button for each, I get Internal Server error screens.

For the Service Provider config - steps to reproduce error:

  1. Log in to Craft as admin user.
  2. Click on SAML Service Provider item in the left-side navigation pane.
  3. On the SAML Service Provider setup/getting started screen, click on Create your metadata.
  4. On the My Provider config page:
    • Under the Security tab: I updated the Label to describe our local environment and I selected an existing Key Pair, that I previously generated, from the drop-down menu.
    • Under the Configure tab, the Label field matches what I used in the prior tab.
    • Under the Metadata tab, the Label field matches what I used in the prior tab, and the Metadata XML box is empty.
    • The EntityID field on the right side of the screen shows the expected server URL and the site drop-down shows the expected Craft site name.
  5. I then click on the red Save button in the top-right corner of the screen.
  6. I am brought to a screen with a message in the center that says:
Internal Server Error
Server Error
  7. The error thrown in the craft web.log file:
2021-03-29 08:36:25 [-][2][ub3a5e2uuaiupeigd1qn7jkvdn][error][yii\db\Exception] PDOException: SQLSTATE[22P02]: Invalid text representation: 7 ERROR:  invalid input syntax for type integer: "c35dd56d-c254-4143-836a-a4d62890f60f" in /var/www/craftcms/vendor/yiisoft/yii2/db/Command.php:1299
Stack trace:
#0 /var/www/craftcms/vendor/yiisoft/yii2/db/Command.php(1299): PDOStatement->execute()
#1 /var/www/craftcms/vendor/yiisoft/yii2/db/Command.php(1165): yii\db\Command->internalExecute('SELECT *\nFROM "...')
#2 /var/www/craftcms/vendor/yiisoft/yii2/db/Command.php(421): yii\db\Command->queryInternal('fetch', NULL)
#3 /var/www/craftcms/vendor/yiisoft/yii2/db/Query.php(287): yii\db\Command->queryOne()
#4 /var/www/craftcms/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yii\db\Query->one(NULL)
#5 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/services/AbstractProviderService.php(159): yii\db\ActiveQuery->one()
#6 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/services/AbstractProviderService.php(134): flipbox\saml\core\services\AbstractProviderService->linkToKey(Object(flipbox\saml\sp\records\ProviderRecord), Object(flipbox\keychain\records\KeyChainRecord))
#7 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/controllers/AbstractMetadataController.php(84): flipbox\saml\core\services\AbstractProviderService->save(Object(flipbox\saml\sp\records\ProviderRecord))
#8 [internal function]: flipbox\saml\core\controllers\AbstractMetadataController->actionAutoCreate()
#9 /var/www/craftcms/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#10 /var/www/craftcms/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#11 /var/www/craftcms/vendor/craftcms/cms/src/web/Controller.php(190): yii\base\Controller->runAction('auto-create', Array)
#12 /var/www/craftcms/vendor/yiisoft/yii2/base/Module.php(534): craft\web\Controller->runAction('auto-create', Array)
#13 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(274): yii\base\Module->runAction('saml-sp/metadat...', Array)
#14 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(577): craft\web\Application->runAction('saml-sp/metadat...', Array)
#15 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(253): craft\web\Application->_processActionRequest(Object(craft\web\Request))
#16 /var/www/craftcms/vendor/yiisoft/yii2/base/Application.php(392): craft\web\Application->handleRequest(Object(craft\web\Request))
#17 /var/www/craftcms/web/index.php(22): yii\base\Application->run()
#18 {main}

Next yii\db\Exception: SQLSTATE[22P02]: Invalid text representation: 7 ERROR:  invalid input syntax for type integer: "c35dd56d-c254-4143-836a-a4d62890f60f"
The SQL being executed was: SELECT *
FROM "saml_provider_keychain_link"
WHERE ("providerId"=5) AND ("providerUid"='c35dd56d-c254-4143-836a-a4d62890f60f') in /var/www/craftcms/vendor/yiisoft/yii2/db/Schema.php:678
Stack trace:
#0 /var/www/craftcms/vendor/yiisoft/yii2/db/Command.php(1304): yii\db\Schema->convertException(Object(PDOException), 'SELECT *\nFROM "...')
#1 /var/www/craftcms/vendor/yiisoft/yii2/db/Command.php(1165): yii\db\Command->internalExecute('SELECT *\nFROM "...')
#2 /var/www/craftcms/vendor/yiisoft/yii2/db/Command.php(421): yii\db\Command->queryInternal('fetch', NULL)
#3 /var/www/craftcms/vendor/yiisoft/yii2/db/Query.php(287): yii\db\Command->queryOne()
#4 /var/www/craftcms/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yii\db\Query->one(NULL)
#5 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/services/AbstractProviderService.php(159): yii\db\ActiveQuery->one()
#6 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/services/AbstractProviderService.php(134): flipbox\saml\core\services\AbstractProviderService->linkToKey(Object(flipbox\saml\sp\records\ProviderRecord), Object(flipbox\keychain\records\KeyChainRecord))
#7 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/controllers/AbstractMetadataController.php(84): flipbox\saml\core\services\AbstractProviderService->save(Object(flipbox\saml\sp\records\ProviderRecord))
#8 [internal function]: flipbox\saml\core\controllers\AbstractMetadataController->actionAutoCreate()
#9 /var/www/craftcms/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#10 /var/www/craftcms/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#11 /var/www/craftcms/vendor/craftcms/cms/src/web/Controller.php(190): yii\base\Controller->runAction('auto-create', Array)
#12 /var/www/craftcms/vendor/yiisoft/yii2/base/Module.php(534): craft\web\Controller->runAction('auto-create', Array)
#13 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(274): yii\base\Module->runAction('saml-sp/metadat...', Array)
#14 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(577): craft\web\Application->runAction('saml-sp/metadat...', Array)
#15 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(253): craft\web\Application->_processActionRequest(Object(craft\web\Request))
#16 /var/www/craftcms/vendor/yiisoft/yii2/base/Application.php(392): craft\web\Application->handleRequest(Object(craft\web\Request))
#17 /var/www/craftcms/web/index.php(22): yii\base\Application->run()
#18 {main}
Additional Information:
Array
(
    [0] => 22P02
    [1] => 7
    [2] => ERROR:  invalid input syntax for type integer: "c35dd56d-c254-4143-836a-a4d62890f60f"
)

2021-03-29 08:36:25 [-][2][ub3a5e2uuaiupeigd1qn7jkvdn][info][application] $_GET = [
    'p' => 'admin/saml-sp/metadata/my-provider'
]
  8. Once I get to this error screen, I go back into the SAML SP plug-in using the URL https://test-craft.library.ucla.edu/admin/saml-sp/metadata.

  9. On the SAML Service Provider screen, I see the entry for the SP I just saved, and it's in an enabled state. When I click on it, I see all fields are still populated and the metadata XML has been generated.

  10. I submit the XML to my IdP.

  11. My IdP sends me its metadata to use in the New Identity Provider config.

For the Identity Provider config - steps to reproduce error:

  1. On the Setup screen I click on Install the IDP's metadata.
  2. On the New Identity Provider (IDP) screen:
    • Under the Security tab: I updated the Label to describe our local environment.
    • Under the Configure tab: the Label field matches what I used in the prior tab. I put in place the appropriate attribute for the NameID override. I put in place the appropriate attribute mappings for First Name, Last Name, Email, and Username.
    • Under the Metadata tab: I paste the metadata from my IdP into the Metadata XML box.
    • The EntityID field on the right side of the screen is empty, and there is no way to edit this field on this screen.
  3. I then click on the red Save button in the top-right corner of the screen.
  4. I am brought to a screen with a message in the center that says:
Internal Server Error
Server Error
  5. The error thrown in the craft web.log file:
2021-03-29 08:58:50 [-][2][ub3a5e2uuaiupeigd1qn7jkvdn][error][Exception] Exception: Missing required attribute entityID on EntityDescriptor. in /var/www/craftcms/vendor/simplesamlphp/saml2/src/SAML2/XML/md/EntityDescriptor.php:98
Stack trace:
#0 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/records/AbstractProvider.php(169): SAML2\XML\md\EntityDescriptor->__construct(Object(DOMElement))
#1 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/records/AbstractProvider.php(157): flipbox\saml\core\records\AbstractProvider->getMetadataModel()
#2 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/records/AbstractProvider.php(126): flipbox\saml\core\records\AbstractProvider->getEntityId()
#3 /var/www/craftcms/vendor/yiisoft/yii2/db/ActiveRecord.php(596): flipbox\saml\core\records\AbstractProvider->beforeSave(true)
#4 /var/www/craftcms/vendor/yiisoft/yii2/db/ActiveRecord.php(566): yii\db\ActiveRecord->insertInternal(NULL)
#5 /var/www/craftcms/vendor/yiisoft/yii2/db/BaseActiveRecord.php(678): yii\db\ActiveRecord->insert(true, NULL)
#6 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/services/AbstractProviderService.php(127): yii\db\BaseActiveRecord->save(true, NULL)
#7 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/controllers/AbstractMetadataController.php(114): flipbox\saml\core\services\AbstractProviderService->save(Object(flipbox\saml\sp\records\ProviderRecord))
#8 [internal function]: flipbox\saml\core\controllers\AbstractMetadataController->actionSave()
#9 /var/www/craftcms/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#10 /var/www/craftcms/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#11 /var/www/craftcms/vendor/craftcms/cms/src/web/Controller.php(190): yii\base\Controller->runAction('save', Array)
#12 /var/www/craftcms/vendor/yiisoft/yii2/base/Module.php(534): craft\web\Controller->runAction('save', Array)
#13 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(274): yii\base\Module->runAction('saml-sp/metadat...', Array)
#14 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(577): craft\web\Application->runAction('saml-sp/metadat...', Array)
#15 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(253): craft\web\Application->_processActionRequest(Object(craft\web\Request))
#16 /var/www/craftcms/vendor/yiisoft/yii2/base/Application.php(392): craft\web\Application->handleRequest(Object(craft\web\Request))
#17 /var/www/craftcms/web/index.php(22): yii\base\Application->run()
#18 {main}
2021-03-29 08:58:50 [-][2][ub3a5e2uuaiupeigd1qn7jkvdn][info][application] $_GET = [
    'p' => 'admin/saml-sp/metadata/new-idp'
]
  6. Once I get to this error screen, I go back into the SAML SP plug-in using the URL https://test-craft.library.ucla.edu/admin/saml-sp/metadata.

  7. On the SAML Service Provider screen, there is no entry for the Identity Provider I just tried to save.

At this point my Service Provider config appears to be saved, but based on the error it's not clear if it is actually set up correctly. And I'm unable to create an Identity Provider config.

I would appreciate assistance in determining next steps in troubleshooting.

Thank you for your help.

dsmrt self-assigned this Mar 29, 2021
@dsmrt
Contributor

dsmrt commented Mar 29, 2021

👋 @sgurnick ,

I think this is happening due to a bug in the core lib. A recent patch fixed this but it requires a reinstall of the plugin. Are you able to reinstall this?

To fix this, follow these steps:

  1. Uninstall the plugin
  2. Verify the saml sp tables are deleted
  3. Update the core lib: composer update flipboxfactory/saml-core
  4. Reinstall the plugin

More on this patch here: flipboxfactory/saml-core@8656678

@dsmrt
Contributor

dsmrt commented Mar 29, 2021

Let me know how this goes!

@sgurnick
Author

Thank you very much for these instructions. It looks like that resolved the issue with configuring the Service Provider side.

Since the SP metadata has changed following the plug-in re-install, I need to re-submit that to our IdP. Hearing back from them may take a day or two. When I receive confirmation they are using our new metadata, I'll try to configure the Identity Provider.

I'll keep you posted.

@sgurnick
Author

I received word from our IdP that the new metadata is in place and I proceeded to configure the Identity Provider in the SAML SP plugin within Craft. I followed the same steps as mentioned previously:

For the Identity Provider config:

  1. On the Setup screen I click on Install the IDP's metadata.
  2. On the New Identity Provider (IDP) screen:
    • Under the Security tab: I updated the Label to describe our local environment.
    • Under the Configure tab: the Label field matches what I used in the prior tab. I put in place the appropriate attribute for the NameID override. I put in place the appropriate attribute mappings for First Name, Last Name, Email, and Username.
    • Under the Metadata tab: I paste the metadata from my IdP into the Metadata XML box.
    • The EntityID field on the right side of the screen is empty, and there is no way to edit this field on this screen.
  3. I then click on the red Save button in the top-right corner of the screen.
  4. I am brought to a screen with a message in the center that says:
Internal Server Error
Server Error
  5. The error thrown in the craft web.log file:
2021-03-30 11:17:42 [-][2][g9gu583g8dcfjh8vr3vqkv5os5][error][Exception] Exception: Missing required attribute entityID on EntityDescriptor. in /var/www/craftcms/vendor/simplesamlphp/saml2/src/SAML2/XML/md/EntityDescriptor.php:98
Stack trace:
#0 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/records/AbstractProvider.php(169): SAML2\XML\md\EntityDescriptor->__construct(Object(DOMElement))
#1 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/records/AbstractProvider.php(157): flipbox\saml\core\records\AbstractProvider->getMetadataModel()
#2 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/records/AbstractProvider.php(126): flipbox\saml\core\records\AbstractProvider->getEntityId()
#3 /var/www/craftcms/vendor/yiisoft/yii2/db/ActiveRecord.php(596): flipbox\saml\core\records\AbstractProvider->beforeSave(true)
#4 /var/www/craftcms/vendor/yiisoft/yii2/db/ActiveRecord.php(566): yii\db\ActiveRecord->insertInternal(NULL)
#5 /var/www/craftcms/vendor/yiisoft/yii2/db/BaseActiveRecord.php(678): yii\db\ActiveRecord->insert(true, NULL)
#6 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/services/AbstractProviderService.php(127): yii\db\BaseActiveRecord->save(true, NULL)
#7 /var/www/craftcms/vendor/flipboxfactory/saml-core/src/controllers/AbstractMetadataController.php(114): flipbox\saml\core\services\AbstractProviderService->save(Object(flipbox\saml\sp\records\ProviderRecord))
#8 [internal function]: flipbox\saml\core\controllers\AbstractMetadataController->actionSave()
#9 /var/www/craftcms/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#10 /var/www/craftcms/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#11 /var/www/craftcms/vendor/craftcms/cms/src/web/Controller.php(190): yii\base\Controller->runAction('save', Array)
#12 /var/www/craftcms/vendor/yiisoft/yii2/base/Module.php(534): craft\web\Controller->runAction('save', Array)
#13 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(274): yii\base\Module->runAction('saml-sp/metadat...', Array)
#14 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(577): craft\web\Application->runAction('saml-sp/metadat...', Array)
#15 /var/www/craftcms/vendor/craftcms/cms/src/web/Application.php(253): craft\web\Application->_processActionRequest(Object(craft\web\Request))
#16 /var/www/craftcms/vendor/yiisoft/yii2/base/Application.php(392): craft\web\Application->handleRequest(Object(craft\web\Request))
#17 /var/www/craftcms/web/index.php(22): yii\base\Application->run()
#18 {main}
2021-03-30 11:17:42 [-][2][g9gu583g8dcfjh8vr3vqkv5os5][info][application] $_GET = [
    'p' => 'admin/saml-sp/metadata/new-idp'
]
  6. Once I get to this error screen, I go back into the SAML SP plug-in using the URL https://test-craft.library.ucla.edu/admin/saml-sp/metadata.

  7. On the SAML Service Provider screen, there is no entry for the Identity Provider I just tried to save.

At this point, my Service Provider configuration is saved successfully, but I'm unable to save the Identity Provider configuration. It seems to not like the fact that there is no EntityID being sent along. But as I mentioned earlier, there doesn't appear to be a way to update the EntityID field when creating the Identity Provider config from within the web UI. Is there something else I should be doing?

Thanks again for your help.

@dsmrt
Contributor

dsmrt commented Mar 30, 2021

Hello @sgurnick,

That is odd that the IdP metadata doesn’t have an entity id. Haven’t seen an IdP without one before. Would you mind sending me the metadata? You can contact me via damien at flipboxdigital.com. I definitely don’t want to share it here and expose any of that info publicly.

@sgurnick
Author

Hi @dsmrt,

I sent you an email on 2021-03-30 with the IdP metadata. Please let me know if you need anything else to assist me with troubleshooting. Thank you much!

@dsmrt
Contributor

dsmrt commented Apr 2, 2021

Ok ... Just found it in spam! Responding now.

dsmrt added the bug (Something isn't working) label Apr 2, 2021
@dsmrt
Contributor

dsmrt commented Apr 2, 2021

Found the issue. Looks like the EntitiesDescriptor is messing with the extraction of that metadata.

So that IdP metadata file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:shibboleth:testshib:two"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<md:EntityDescriptor
        entityID="https://<host>/idp/shibboleth" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
...
    </md:EntityDescriptor>

</EntitiesDescriptor>

but the plugin is looking for something more inline like this:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
        entityID="https://<host>/idp/shibboleth" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
...
    </md:EntityDescriptor>

When I manually edit the file and remove the EntitiesDescriptor node, it saves correctly. So you may want to try that to keep things moving.

I'm marking this as a bug but I'm not really sure how I'd handle it yet. I played around with trying to fix it quickly but I ran into some issues.

Notes for fixing
In this case, the XML node needs to be injected into an EntitiesDescriptor object, not the EntityDescriptor, but it might even be better to extract the first EntityDescriptor, assuming it's the proper IdP metadata, and save that.

See ...
https://github.com/flipboxfactory/saml-core/blob/8656678cc92d0bdcd97c9045c84788913fcfda49/src/records/AbstractProvider.php#L168-L170

Might have to parse the XML and extract the EntityDescriptor node here:
https://github.com/flipboxfactory/saml-core/blob/8656678cc92d0bdcd97c9045c84788913fcfda49/src/controllers/AbstractMetadataController.php#L270

For example, this seems to work with this use case but needs to be tested more:

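use SAML2\DOMDocumentFactory;
use SAML2\Utils;
use SAML2\XML\md\EntityDescriptor;

// Take the first EntityDescriptor child of the root (EntitiesDescriptor) node.
new EntityDescriptor(
    Utils::xpQuery(
        DOMDocumentFactory::fromString($metadataString)->documentElement,
        './saml_metadata:EntityDescriptor'
    )[0]
);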

dsmrt changed the title from "Internal Server Error When Saving Service Provider and Identity Provider Config" to "Internal Server Error When Saving Service Provider and Identity Provider Config [shibboleth]" Apr 9, 2021
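
The unwrapping step discussed in the last comment, as an added example that is not part of the original thread or the plugin's code. It uses only PHP's built-in DOM extension and goes one step further than taking the first node: when the aggregate lists several entities it requires the caller to name the expected entityID. The function name, the `$expectedEntityId` parameter and the sample metadata are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

/**
 * Return the one EntityDescriptor to store, serialised as its own document.
 * Hypothetical helper: $expectedEntityId is an assumed parameter, needed when
 * the aggregate lists more than one entity.
 */
function extractEntityDescriptor(string $metadataXml, ?string $expectedEntityId = null): string
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch DTDs or entities over the network while parsing.
    if (!$doc->loadXML($metadataXml, LIBXML_NONET)) {
        throw new InvalidArgumentException('Metadata is not well-formed XML.');
    }
    $root = $doc->documentElement;
    if ($root->namespaceURI !== MD_NS) {
        throw new InvalidArgumentException('Root element is not SAML 2.0 metadata.');
    }

    if ($root->localName === 'EntityDescriptor') {
        $candidates = [$root];
    } elseif ($root->localName === 'EntitiesDescriptor') {
        $xpath = new DOMXPath($doc);
        $xpath->registerNamespace('md', MD_NS);
        // Descendant search, because aggregates may nest EntitiesDescriptor elements.
        $candidates = iterator_to_array($xpath->query('.//md:EntityDescriptor', $root));
    } else {
        throw new InvalidArgumentException('Unexpected root element: ' . $root->localName);
    }

    if ($expectedEntityId !== null) {
        $candidates = array_values(array_filter(
            $candidates,
            fn (DOMElement $e): bool => $e->getAttribute('entityID') === $expectedEntityId
        ));
    }
    // Fail closed: never guess which entity of an aggregate is the IdP.
    if (count($candidates) !== 1) {
        throw new InvalidArgumentException(
            sprintf('Expected exactly one matching EntityDescriptor, found %d.', count($candidates))
        );
    }
    if ($candidates[0]->getAttribute('entityID') === '') {
        throw new InvalidArgumentException('EntityDescriptor has no entityID attribute.');
    }

    // Import the element into a fresh document and serialise it stand-alone.
    $out = new DOMDocument('1.0', 'UTF-8');
    $out->appendChild($out->importNode($candidates[0], true));
    return $out->saveXML();
}

// Constructed sample shaped like the aggregate quoted above (host is a placeholder).
$sample = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:example:aggregate">
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</EntitiesDescriptor>
XML;

echo extractEntityDescriptor($sample, 'https://idp.example.org/idp/shibboleth');
```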