SAML Plugin Errors


Ben Faulkner

06 May 2021, 2:42

Hello everyone,

We've recently installed and configured Mahara 20.10.0. Everything on the site appears to be working perfectly; however, I'm getting a few errors when browsing to the SAML configuration page.


Environment as follows:

Windows server 2019
IIS
MySQL 8.0.23
PHP 7.4.16 with all required extensions
OpenSSL

 

When visiting the config page for SAML under 'Plugin Configuration' I'm getting the following errors. They appear to relate to certificate issues. A certificate has already been automatically generated under 'Networking', so it appears that OpenSSL is functioning correctly. Does SAML try to generate certificates in a different way, or do I need to upload a certificate somewhere before attempting to configure SAML?

[WAR] 98 (auth\saml\lib.php:641) openssl_csr_sign(): cannot get CSR from parameter 1

[WAR] 98 (auth\saml\lib.php:642) openssl_x509_export(): cannot get cert from parameter 1

[WAR] 98 (auth\saml\lib.php:643) openssl_pkey_export(): cannot get key from parameter 1

[WAR] 98 (lib\errors.php:530) [Exception]: Could not generate or save the private key at D:\Webfiles\maharatest.domainname.ac.uk\auth\saml\lib.php:648

 

I removed our actual domain name in the final error.

Any advice, help or musings will be gratefully received.

Many thanks,

Ben

Ben Faulkner

18 May 2021, 21:05

Hello everyone,

 

We're still struggling with this issue. Is anyone able to offer any advice or support?

I've attached some screenshots of the errors and blanked out our site name; hope this helps.

 

Many thanks,

Ben

  • samlerrors1.JPG
  • samlerrors2.JPG

Robert Lyon

19 May 2021, 8:55

Hi Ben,

Looking at the errors you posted, I notice the line openssl_csr_sign() has 'false' as first parameter, and so I'm thinking the line before that

$csr = openssl_csr_new($dn, $privkey);

is also failing, so I'm thinking there is something up with the private key.

There was a recent change that separated the private signing key from being connected to the site name and instead being a config value for the auth saml plugin - this way if a site changed its name it wouldn't break the saml auth.

But if a site was upgraded from certain older points the new auth_config values were not set.

Can you check something for me - can you look in the auth_config table in your database and see if there are rows where field = keypass  and field = newkeypass

And if not can you add them with the following lines (assuming the name of your site didn't change since the certificate was made)

INSERT INTO auth_config SELECT 'saml', 'keypass', value FROM config WHERE field ='sitename' ;

INSERT INTO auth_config SELECT 'saml', 'newkeypass', value FROM config WHERE field ='sitename' ;

Hopefully that is the problem you are having

Cheers

Robert

Ben Faulkner's profile picture
Posts: 9

19 May 2021, 21:49

Hi Robert,

 

Thank you for taking a look at the issue, very much appreciated.

 

One thing I think I forgot to mention in my previous posts is that our site is a clean, new install so hopefully that rules out an upgrade not setting the required values in the DB.

Our site is still named 'Mahara'. I've checked the auth_config table in the DB; it had the following values:

saml  keypass  Mahara

saml  version  1.18.7

 

For good measure I added the following as suggested but still no joy:

saml newkeypass Mahara

 

You mention there might be something up with the private key. Is this the private key that accompanies the certificate generated under the 'Networking' settings, or is it a separate private key? Is there a way to clear the private key and regenerate it to see if that clears the issue?

 

Many thanks,

 

Ben

Robert Lyon

20 May 2021, 12:54

Hi Ben

Confusingly it is not the Network one (found under admin/site/networking.php)
but is the SAML certificate one (found under admin/extensions/pluginconfig.php?plugintype=auth&pluginname=saml)

This certificate sits as a file within the dataroot's 'certificate' subdirectory in case you want to inspect it with command line tools

You can generate a new public key using the button on that page and then tell the Identity Provider your new metadata as seen by clicking the 'View metadata' link

Cheers
Robert

Ben Faulkner

20 May 2021, 20:25

Hi Robert,

 

It appears we're in a bit of a catch-22 situation ...

We can't access the SAML plugin page due to the aforementioned errors and the 'certificate' folder under the dataroot is empty.

 

Is there anything else we can try?

Many thanks,

Ben

Kristina Hoeppner

31 May 2021, 21:24

Hi Ben,

You mentioned that you are running Mahara on a Windows server. That is not officially supported by the Mahara team. Before you can use SAML, you would need to install all dependencies. This can be done by running the 'make' command as shown in an error on the SAML plugin page when the setup hasn't been done yet. But I don't know if you can run that command on Windows and pull in all necessary third party code.

If there is a possibility for you to run Mahara on an Ubuntu or Debian server, we'd be more easily able to assist.

Cheers

Kristina

Ben Faulkner

09 June 2021, 22:54

Hi Kristina,

Thank you for your response. It's a shame we can't get this function working when hosting on Windows Server; it appears to be the only aspect of Mahara that doesn't work for us. Everything else is working a treat, and our TEL team has been busily creating some great-looking content in Mahara to demonstrate its capabilities to our teaching staff.

Being a Microsoft house we're not overly familiar with Linux, whilst we could probably get Mahara running on Linux my concern would be the ongoing support and integration moving forward, managing, maintaining, troubleshooting, backing up etc ... in short, there's a skills gap that presents a significant risk if we were to use Mahara hosted on Linux in a production environment.

That said, we're not averse to giving things a whirl. I just attempted to spin up a PoC using Ubuntu server, but unfortunately I fell at the first hurdle when trying to get the prerequisites installed, possibly due to the documentation being out of date.

In the 'How to Install Mahara in Ubuntu' guide, the first command under 'Install Required Packages' gives the following errors.

E: Package 'php5' has no installation candidate
E: Package 'postgresql-9.1' has no installation candidate
E: Unable to locate package php5-gd
E: Package 'php5-pgsql' has no installation candidate
E: Unable to locate package php5-xmlrpc
E: Package 'php5-curl' has no installation candidate
E: Unable to locate package php5-mbstring

Is there an up-to-date version of the 'How to Install Mahara in Ubuntu' guide? We're using Ubuntu 21.04 whereas the guide references Ubuntu 11.10.

https://wiki.mahara.org/wiki/System_Administrator%27s_Guide/Installing_Mahara/How_to_install_Mahara_in_Ubuntu

Many thanks,

Ben

Robert Lyon

10 June 2021, 7:52

Hi Ben,

That page looks to be out of date.

More current and in depth installation instructions can be found at https://wiki.mahara.org/wiki/Developer_Area/Developer_Environment

Cheers

Robert

Kristina Hoeppner

23 June 2021, 14:21

Hi Ben,

Thank you for the explanation. We did have installations in the community that were running on Windows, but unfortunately, we from the Mahara core team can't support those. It's the reverse skill gap for us. ;-) We only work with Linux servers and no others, with a preference given to Ubuntu and Debian as they are fully open source.

Having said that, hopefully, PHP 7.4 will be more of your friend on Ubuntu. Thank you for having pointed out the out of date wiki page. It's on our ToDo list to fix and maybe even make a bit more generic in order to prevent it from going out of date so easily as we do mention the supported versions of PHP and PostgreSQL etc. in the Readme file for each version of Mahara.

As for the error on Windows, could that be a general OpenSSL configuration error where there might be a solution from someone online using OpenSSL with Windows?

Thank you

Kristina
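
Added example (not Mahara's code and not written by anyone in this thread): a standalone PHP script that replays the key, CSR, self-sign and export calls named in the warnings above and prints OpenSSL's own error queue at the first step that fails. PHP's OpenSSL key and CSR functions need a valid openssl.cnf; the optional path argument, the DN and the passphrase below are constructed placeholders.

```php
<?php
// Added diagnostic, not Mahara code. Replays the calls named in the warnings
// (key -> CSR -> self-sign -> export) and reports the first one that fails.

// Empty OpenSSL's error queue and return its messages.
function drain_openssl_errors(): array {
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

// $opensslCnf: optional explicit path to openssl.cnf (placeholder, supplied by the caller).
function check_keygen(array $dn, string $passphrase, ?string $opensslCnf = null): array {
    $args = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA,
             'digest_alg' => 'sha256'];
    if ($opensslCnf !== null) {
        $args['config'] = $opensslCnf;
    }
    drain_openssl_errors(); // discard stale entries from earlier calls

    $fail = function (string $step): array {
        return ['failed_at' => $step, 'errors' => drain_openssl_errors()];
    };
    $privkey = openssl_pkey_new($args);
    if ($privkey === false) { return $fail('openssl_pkey_new'); }
    $csr = openssl_csr_new($dn, $privkey, $args);
    if ($csr === false || $csr === true) { return $fail('openssl_csr_new'); }
    $cert = openssl_csr_sign($csr, null, $privkey, 365, $args); // null CA = self-signed
    if ($cert === false) { return $fail('openssl_csr_sign'); }
    if (!openssl_x509_export($cert, $certPem)) { return $fail('openssl_x509_export'); }
    if (!openssl_pkey_export($privkey, $keyPem, $passphrase, $args)) {
        return $fail('openssl_pkey_export');
    }
    return ['failed_at' => null, 'errors' => []];
}

// Constructed sample values; nothing here comes from the site in the thread.
$dn = ['commonName' => 'mahara.example.test', 'organizationName' => 'Example', 'countryName' => 'NZ'];
$cnf = $argv[1] ?? null; // usage: php check.php <path-to-openssl.cnf>

echo 'OPENSSL_CONF env: ', getenv('OPENSSL_CONF') ?: '(not set)', PHP_EOL;
$result = check_keygen($dn, 'constructed-passphrase', $cnf);
if ($result['failed_at'] === null) {
    echo 'All steps succeeded', ($cnf ? " with config $cnf" : ' with the default config'), PHP_EOL;
} else {
    echo 'Failed at ', $result['failed_at'], PHP_EOL, implode(PHP_EOL, $result['errors']), PHP_EOL;
}
```

Run it with the same PHP build and account that IIS uses, once without an argument and once with the path to an openssl.cnf, since the web server's environment can differ from an interactive shell.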

 
