It seems that when you initially install an ACSF site, if and only if the ACSF SSO module is enabled when the site is installed (i.e. as part of the install profile), ACSF will create all of the necessary connections to support SSO. If you instead enable ACSF SSO after the site is already installed, it fails to create these connections.

This will manifest as an error like this when you try to log in to a Drupal site via SSO from the ACSF web UI:

OneLogin_Saml2_Error encountered while processing SAML authentication response: SAML Response not found, Only supported HTTP_POST Binding

This is an incredibly hard problem to troubleshoot. It would be much more developer friendly if the ACSF SSO module could proactively warn (via the status report or status message) that the necessary bindings don't exist.

Edit: there may be some confounding factors here, because several folks (myself included) have verified that at least in some cases, you can simply enable the acsf_sso module after creating a site and the configuration will be correctly populated. Perhaps there was a problem related to configuration management, i.e. an empty samlauth.settings was created (as opposed to _no_ samlauth.settings), and this prevented it from being correctly populated.

Comments

Dane Powell created an issue. See original summary.

Dane Powell’s picture

Title: Obscure errors is ACSF SSO is not enabled at install time » Obscure errors if ACSF SSO is not enabled at install time

japerry’s picture

Status: Active » Needs review
When trying to install locally, ACSF will cause the installer to fail. This patch moves the ACSF error to be a warning, and does a check on the creds file before trying to set config.

nagba’s picture

Opened a DG ticket for this issue.

Dane Powell’s picture

It appears that another workaround for this is to define a config split that installs ACSF remotely, and apply the Drupal core patch to install sites from existing config. This will cause the ACSF module to be properly enabled at install time and avoid the error.

Also it might be that you don't need the ACSF SSO module enabled at install time, but just the base ACSF connector.

Dane Powell’s picture

Status: Needs review » Needs work

@japerry that seems like a useful patch but it doesn't look like it's going to solve this problem, maybe it should be a separate issue? (e.g. "Can't enable ACSF on local sites")

Dane Powell’s picture

Issue summary: View changes

kevinquillen’s picture

Version: 8.x-1.38 » 8.x-2.66

This issue is still present in the 2.6 version of the module.

I've resorted to having a factory hook on the site creation process to uninstall and then enable acsf_sso module to try and mitigate this. It does not have an effect. Enabling acsf_sso is part of the install profile, which is not working upon site creation either (SSO just says access denied).

The only two things that seem to work on a newly created site:

  • Click Log In, see "Access Denied" on site, go back to Site Factory, click Log In again, and it works
  • Uninstall and reinstall acsf_sso a handful of times, eventually the settings "take" and it works.

robertshell22’s picture

Incorrect patch file

robertshell22’s picture

Re-rolled #3 for the 8.x-2.69 version.