Forums | Mahara Community
SAML suddenly stopped working
08 April 2020, 16:07
Hi,
We had a working Single-SignOn set up with SAML (via Okta) and a few days ago it mysteriously stopped working.
Server: RHEL7
Mahara: 19.04.4
We haven't changed the server (RHEL7), no SSL or certificate related packages seem to have been updated/patched from what I can see. The identity team here haven't changed anything at their end.
Now, when you click the SSO button, it immediately goes to a screen that simply says:
"A nonrecoverable error occurred. This probably means you have encountered a bug in the system"
so it's not even starting the process properly.
The errors are (excuse the width, I've tried every CSS trick I can think of but this editor strips them out):
[WAR] a2 (auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:499) openssl_sign(): supplied key param cannot be coerced into a private key, referer: (link removed) Call stack (most recent first):, referer:(link removed)
- log_message(string(size 71), integer, true, true, string(size 121), integer) at /srv/www/mahara/mahara-19.04.4/htdocs/lib/errors.php:520, referer:(link removed)
- error(integer, string(size 71), string(size 121), integer, array(size 3)) at Unknown:0, referer:(link removed)
- openssl_sign(string(size 733), null, false, string(size 6)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:499, referer:(link removed)
- RobRichards\\XMLSecLibs\\XMLSecurityKey->signOpenSSL(string(size 733)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:580, referer:(link removed)
- RobRichards\\XMLSecLibs\\XMLSecurityKey->signData(string(size 733)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:61, referer: (link removed)
- SAML2\\HTTPRedirect->getRedirectURL(object(SAML2\\AuthnRequest)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:84, referer: (link removed)
- SAML2\\HTTPRedirect->send(object(SAML2\\AuthnRequest)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:704, referer: (link removed)
- SimpleSAML\\Module\\saml\\Auth\\Source\\SP->sendSAML2AuthnRequest(array(size 17), object(SAML2\\HTTPRedirect), object(SAML2\\AuthnRequest)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:686, referer: (link removed)
- SimpleSAML\\Module\\saml\\Auth\\Source\\SP->startSSO2(object(SimpleSAML\\Configuration), array(size 17)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:728, referer: (link removed)
- SimpleSAML\\Module\\saml\\Auth\\Source\\SP->startSSO(string(size 40), array(size 14)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:826, referer: (link removed)
- SimpleSAML\\Module\\saml\\Auth\\Source\\SP->authenticate(array(size 14)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Source.php:208, referer: (link removed)
- SimpleSAML\\Auth\\Source->initLogin(string(size 50), null, array(size 2)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:167, referer: (link removed)
- SimpleSAML\\Auth\\Simple->login(array(size 2)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:109, referer: (link removed)
- SimpleSAML\\Auth\\Simple->requireAuth(array(size 1)) at /srv/www/mahara/mahara-19.04.4/htdocs/auth/saml/index.php:118, referer: (link removed) , referer: (link removed)
[WAR] a2 (lib/errors.php:535) [SimpleSAML\\Error\\UnserializableException]: Failure Signing Data: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt - SHA256, referer: (link removed) Call stack (most recent first):, referer: (link removed)
- exception(object(SimpleSAML\\Error\\UnserializableException)) at Unknown:0, referer: (link removed) , referer: (link removed)
The relevant bits seem to be:
- openssl_sign(): supplied key param cannot be coerced into a private key
- Failure Signing Data: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt - SHA256
Anybody seen this before? It looks like it can't find a key, but we haven't changed anything, and I'm not very familiar with the SAML process at this level.
08 April 2020, 20:34
We have experienced a similar error in the past on my local development server.
In our case, we changed the name of the site from 'Mahara' to something else and this is used as a password to create a private key and public certificate.
htdocs\auth\saml\lib.php line 438:
This should solve this issue. Please, let us know here how you go with this.
08 April 2020, 23:03
Hi Yaju,
Thank you for the quick response! We managed to track this down just a short time ago, and I was coming back here to update. We decided to roll back to the previous site name for now. Another possible workaround is to patch auth\saml\lib.php and hard-code the value for $privkeypass - not that patching core is a great idea.
In case you're interested, this has now been filed as a bug: Changing the display name of the site shouldn't break the SAML private key pass.
Cheers,
Marcus
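The failure mode identified in this thread, reproduced as an added example (not Mahara's own code and not part of any post): a private key encrypted under one passphrase can no longer be loaded for signing once the passphrase source changes. It assumes the site name string is used directly as the passphrase; the site names and helper functions `make_encrypted_key` and `try_sign` are hypothetical.

```php
<?php
// Added illustration, not Mahara code. Assumption: the site name string is
// used directly as the private-key passphrase.

/** Create an RSA key and return it as passphrase-encrypted PEM. */
function make_encrypted_key(string $passphrase): string {
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    if (!openssl_pkey_export($key, $pem, $passphrase)) {
        throw new RuntimeException('key export failed: ' . openssl_error_string());
    }
    return $pem;
}

/** Try to load the stored PEM and sign with it; return [ok, OpenSSL errors]. */
function try_sign(string $pem, string $passphrase): array {
    while (openssl_error_string() !== false) { } // drain stale queue entries
    $key = openssl_pkey_get_private($pem, $passphrase);
    if ($key === false) {
        $errors = [];
        while (($e = openssl_error_string()) !== false) {
            $errors[] = $e;
        }
        return [false, $errors];
    }
    // Constructed payload standing in for the redirect-binding query string.
    $ok = openssl_sign('constructed AuthnRequest data', $sig, $key, OPENSSL_ALGO_SHA256);
    return [$ok, []];
}

// Key pair created while the site was still called 'Mahara'.
$stored = make_encrypted_key('Mahara');

// Constructed site names: the original one, then a renamed site.
foreach (['Mahara', 'My Renamed Portfolio'] as $sitename) {
    list($ok, $errors) = try_sign($stored, $sitename);
    printf("site name %-24s => %s\n", "'$sitename'", $ok ? 'signing OK' : 'cannot load key');
    foreach ($errors as $e) {
        echo "    $e\n";
    }
}
```

Running the same load check against the real key file with the current passphrase value is a quick way to confirm this cause before rolling back a site rename.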