It seems that when you initially install an ACSF site, if and only if the ACSF SSO module is enabled when the site is installed (i.e. as part of the install profile), ACSF will create all of the necessary connections to support SSO. If you instead enable ACSF SSO after the site is already installed, it fails to create these connections.
This will manifest as an error like this when you try to log in to a Drupal site via SSO from the ACSF web UI:
OneLogin_Saml2_Error encountered while processing SAML authentication response: SAML Response not found, Only supported HTTP_POST Binding
This is an incredibly hard problem to troubleshoot. It would be much more developer friendly if the ACSF SSO module could proactively warn (via the status report or status message) that the necessary bindings don't exist.
Edit: there may be some confounding factors here, because several folks (myself included) have verified that at least in some cases, you can simply enable the acsf_sso module after creating a site and the configuration will be correctly populated. Perhaps there was a problem related to configuration management, i.e. an empty samlauth.settings was created (as opposed to _no_ samlauth.settings), and this prevented it from being correctly populated.
Comment | File | Size | Author |
---|---|---|---|
#10 | 2903270-acsfsso-install-warning-5.patch | 1.25 KB | robertshell22 |
#9 | 2903270-acsfsso-install-warning-4.patch | 1.56 KB | robertshell22 |
#3 | 2903270-acsfsso-install-warning-3.patch | 1.61 KB | japerry |
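A sketch of the kind of status-report warning the issue summary asks for, written as an added example (it is not the ACSF module's code and not any of the attached patches). The module name `mymodule` is hypothetical, and the three `samlauth.settings` keys are assumed from the samlauth module's schema; it separates the "no samlauth.settings" case from the "empty samlauth.settings" case described above.

```php
<?php

/**
 * @file
 * Added example: report incomplete SAML configuration on the status page.
 */

/**
 * Implements hook_requirements().
 */
function mymodule_requirements($phase) {
  $requirements = [];
  if ($phase !== 'runtime') {
    return $requirements;
  }

  $config = \Drupal::config('samlauth.settings');
  // Assumed keys that must be non-empty for an SSO login to work.
  $required = ['sp_entity_id', 'idp_entity_id', 'idp_single_sign_on_service'];
  // Ignore bookkeeping keys that config management may write on its own.
  $data = array_diff_key($config->getRawData(), ['_core' => 1, 'langcode' => 1]);
  $problem = NULL;

  if ($config->isNew()) {
    // No config object at all: the SSO module never wrote its settings.
    $problem = t('samlauth.settings does not exist.');
  }
  elseif (empty($data)) {
    // The object exists but carries no settings.
    $problem = t('samlauth.settings exists but is empty.');
  }
  else {
    $missing = array_filter($required, function ($key) use ($config) {
      return empty($config->get($key));
    });
    if ($missing) {
      $problem = t('samlauth.settings is missing: @keys', ['@keys' => implode(', ', $missing)]);
    }
  }

  $requirements['mymodule_saml_config'] = [
    'title' => t('SAML SSO configuration'),
    'value' => $problem ?: t('Populated'),
    'severity' => $problem ? REQUIREMENT_WARNING : REQUIREMENT_OK,
  ];
  return $requirements;
}
```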
Comments
Comment #2
Dane Powell at Acquia commented
Comment #3
japerry
When trying to install locally, ACSF will cause the installer to fail. This patch moves the ACSF error to be a warning, and does a check on the creds file before trying to set config.
Comment #4
nagba commented
Opened a DG ticket for this issue.
Comment #5
Dane Powell at Acquia commented
It appears that another workaround for this is to define a config split that installs ACSF remotely, and apply the Drupal core patch to install sites from existing config. This will cause the ACSF module to be properly enabled at install time and avoid the error.
Also it might be that you don't need the ACSF SSO module enabled at install time, but just the base ACSF connector.
Comment #6
Dane Powell at Acquia commented
@japerry that seems like a useful patch but it doesn't look like it's going to solve this problem, maybe it should be a separate issue? (e.g. "Can't enable ACSF on local sites")
Comment #7
Dane Powell at Acquia commented
Comment #8
kevinquillen commented
This issue is still present in the 2.6 version of the module.
I've resorted to having a factory hook on the site creation process to uninstall and then enable acsf_sso module to try and mitigate this. It does not have an effect. Enabling acsf_sso is part of the install profile, which is not working upon site creation either (SSO just says access denied).
The only two things that seem to work on a newly created site:
Comment #9
robertshell22 commented
Incorrect patch file
Comment #10
robertshell22 at Clarity Partners commented
Re-rolled #3 for the 8.x-2.69 version.