I've been struggling for several days to get SAML2 authentication to work between Matrix (Synapse) and Shibboleth. The problem seems to be at the xmlsec1 level, which is called by pysaml2 when the IDP response is received.
Here's the error I get:
2023-11-22 14:30:26,742 - synapse.handlers.saml - 120 - INFO - GET-0 - Initiating a new SAML session: id-6i5N7jiDt5GSBPIPJ
2023-11-22 14:30:26,742 - synapse.rest.client.login - 662 - INFO - GET-0 - Redirecting to https://[MY-IDP]/profile/SAML2/Redirect/SSO?SAMLRequest=nZLPTuMwEMZfxfKlF1K3KX8kq61UqBaKoERN2QOrFTLJlA5KJsEzqcoj8Ry8GE5hF%2FbSwx5n%2FH3275vxkLhnJ42saQHPDbCobVkQ29Ae6caTrRxjKF0JbCWz6eT6ysbdnq19JVVWFfqvob%2Ff4JjBC1ak1Ww60phHx3g0P3nCqRydp6fJLLnU6id4DpKRDo6gY25gRiyOJLR68SDq96M4XvYHdtCz8fGdVtPAjORk51qL1GyNwbw%2B7DaEmQPqrnxbmwC8wgJMCxSbBeToIROTpjdaJZ9hTpFypMf9QR4%2BRGwvlsskSm7SpVaTP%2BHOKuKmBJ%2BC32AGt4urL6rSicdtxGt8%2BA53zy%2FkagaTFQgkhl1ZxMa1O7n3wHW4EXaIG8zBzwPPSP%2FqXAOzewSPoPBjQo7eXkHdEm7aIcrbq8pBnYVH1LzypQvQ0DlQnZXv%2FNbjYdiX3c3Xqx%2FtsewP3XbCylY7qQ2YKC96%2FF%2FJShCXO3Hd8HGG5otj3Bb%2FfsbxOw%3D%3D&RelayState=https%3A%2F%2F[MY-MATRIX]%2Fclient%2F
2023-11-22 14:30:26,742 - synapse.access.http.8008 - 465 - INFO - GET-0 - (null) - 8008 - {None} Processed request: 0.001sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 0B 302 "GET /_matrix/client/v3/login/sso/redirect/saml?redirectUrl=https%3A%2F%2F[MY-MATRIX]%2Fclient%2F&org.matrix.msc3824.action=login HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" [0 dbevts]
2023-11-22 14:30:26,941 - saml2.sigver - 850 - ERROR - POST-1 - returncode=1
error=func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=453:obj=rsa-sha256:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature verification failed
FAIL
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "/tmp/tmprwgoyufy.xml"
output=
2023-11-22 14:30:26,941 - saml2.sigver - 1494 - ERROR - POST-1 - check_sig: ['/usr/bin/xmlsec1', '--verify', '--enabled-reference-uris', 'empty,same-doc', '--enabled-key-data', 'raw-x509-cert', '--pubkey-cert-pem', '/tmp/tmpnyhx53_2.pem', '--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:protocol:Response', '--node-id', '_61a09c8608cf8d8dba609de8f42fa554', '--output', '/tmp/tmpp1jl60pc.xml', '/tmp/tmprwgoyufy.xml']
2023-11-22 14:30:26,941 - saml2.entity - 1454 - ERROR - POST-1 - Signature Error: Failed to verify signature
2023-11-22 14:30:26,941 - saml2.client_base - 800 - ERROR - POST-1 - XML parse error: Failed to verify signature
2023-11-22 14:30:26,942 - synapse.access.http.8008 - 465 - INFO - POST-1 - (null) - 8008 - {None} Processed request: 0.031sec/-0.000sec (0.005sec, 0.002sec) (0.000sec/0.000sec/0) 12367B 400 "POST /_synapse/client/saml2/authn_response HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0" [0 dbevts]
And here's how the certificates were generated (I'm not very comfortable with certificates):
openssl req -x509 -newkey rsa:4096 -keyout /etc/matrix-synapse/saml-key.pem -out /etc/matrix-synapse/saml-cert.pem -nodes -days 9999 -subj "/CN=[MY-MATRIX]"
And all libraries seem to be installed on my server:
libxmlsec1-openssl/stable,now 1.2.37-2 amd64 [installé, automatique]
libxmlsec1/stable,now 1.2.37-2 amd64 [installé, automatique]
python3-xmlsec/stable,now 1.3.13-1+b1 amd64 [installé]
xmlsec1/stable,now 1.2.37-2 amd64 [installé]
Here is the SAML2 part in the homeserver.yaml:
saml2_config:
  sp_config:
    metadata:
      local: ["/etc/matrix-synapse/shib-metadata.xml"]
    key_file: /etc/matrix-synapse/saml-key.pem
    cert_file: /etc/matrix-synapse/saml-cert.pem
    encryption_keypairs:
      - key_file: /etc/matrix-synapse/saml-key.pem
        cert_file: /etc/matrix-synapse/saml-cert.pem
  user_mapping_provider:
    config:
      mxid_source_attribute: uid
And here is the shib-metadata.xml:
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://[MY-IDP]/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:mace:shibboleth:1.0">
    <Extensions>
      <shibmd:Scope regexp="false">[MY-MATRIX]</shibmd:Scope>
    </Extensions>
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[CERTIFICATE]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[CERTIFICATE]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://[MY-IDP]:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://[MY-IDP]/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://[MY-IDP]/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://[MY-IDP]/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://[MY-IDP]/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
In the configuration above:
[MY-MATRIX] corresponds to the URL of my Matrix server;
[MY-IDP] is the URL of my identity provider.
Thanks for any hint!
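The xmlsec1 command in the log shows what pysaml2 does on the SP side: it takes the X509Certificate published in the IdP metadata (the `--pubkey-cert-pem` temp file) and asks xmlsec1 to verify the Response's signature against it. `EVP_VerifyFinal: signature verification failed` simply means the signature does not check out under that public key, so the first thing worth confirming is that the certificate in shib-metadata.xml is the one the IdP actually signs with. The script below is an added diagnostic written for this answer, not code from Synapse, pysaml2 or the poster. It parses an IdP metadata file and a SAML Response, normalizes the base64 certificate blobs (metadata and responses wrap them differently), and compares SHA-256 fingerprints; it also surfaces a metadata file that is not well-formed XML, such as a `<ds:X509Certificate>` closed by `</ds:X509Data>`. All XML and certificate bytes in it are constructed placeholders, not real DER.

```python
"""Does the certificate that signed a SAML Response match the IdP metadata?

Added diagnostic example. The XML documents and "certificate" bytes below are
constructed for the demo; point the two functions at real files in practice.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def _normalize_b64(text: str) -> str:
    # Metadata usually wraps the base64 at 64 columns; responses often do not.
    return "".join(text.split())


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the decoded (DER) bytes, as 'openssl x509 -fingerprint -sha256' would print."""
    der = base64.b64decode(_normalize_b64(cert_b64), validate=True)
    return hashlib.sha256(der).hexdigest()


def metadata_signing_fingerprints(metadata_xml: str) -> set[str]:
    """Fingerprints of every certificate the IdP metadata offers for signing.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    fps: set[str] = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(fingerprint(cert.text or ""))
    return fps


def response_signer_fingerprints(response_xml: str) -> set[str]:
    """Fingerprints of the certificates the Response carries in ds:KeyInfo."""
    root = ET.fromstring(response_xml)
    return {fingerprint(c.text or "") for c in root.iterfind(".//ds:X509Certificate", NS)}


def signer_is_trusted(metadata_xml: str, response_xml: str) -> tuple[bool, str]:
    """Return (ok, explanation). ok is True only when a cert the Response was
    signed with is also a signing cert in the metadata."""
    try:
        trusted = metadata_signing_fingerprints(metadata_xml)
    except ET.ParseError as exc:
        return False, f"metadata is not well-formed XML: {exc}"
    try:
        presented = response_signer_fingerprints(response_xml)
    except ET.ParseError as exc:
        return False, f"response is not well-formed XML: {exc}"
    if not trusted:
        return False, "metadata publishes no signing certificate"
    if not presented:
        return False, "response carries no X509Certificate in KeyInfo; compare the IdP's signing cert by hand"
    common = trusted & presented
    if common:
        return True, "signer certificate matches metadata: " + ", ".join(sorted(common))
    return False, (
        "signer certificate is NOT in metadata; metadata has "
        + ", ".join(sorted(trusted)) + " but response was signed with "
        + ", ".join(sorted(presented))
    )


# --- constructed sample data (not real certificates) -------------------------
CERT_A = base64.b64encode(b"constructed DER bytes for IdP signing cert A").decode()
CERT_B = base64.b64encode(b"constructed DER bytes for some other cert B").decode()
_WRAPPED_A = "\n".join(CERT_A[i:i + 16] for i in range(0, len(CERT_A), 16))  # 16-col wrap

IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
{_WRAPPED_A}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Same file, but with the closing-tag slip: X509Certificate closed by X509Data.
MALFORMED_METADATA = IDP_METADATA.replace("</ds:X509Certificate>", "</ds:X509Data>", 1)


def _response_signed_with(cert_b64: str) -> str:
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}" ID="_constructed" Version="2.0">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""


RESPONSE_SIGNED_BY_A = _response_signed_with(CERT_A)
RESPONSE_SIGNED_BY_B = _response_signed_with(CERT_B)

if __name__ == "__main__":
    for label, md, resp in [
        ("matching cert", IDP_METADATA, RESPONSE_SIGNED_BY_A),
        ("wrong cert", IDP_METADATA, RESPONSE_SIGNED_BY_B),
        ("broken metadata", MALFORMED_METADATA, RESPONSE_SIGNED_BY_A),
    ]:
        ok, why = signer_is_trusted(md, resp)
        print(f"{label:16} -> {'OK ' if ok else 'FAIL'} {why}")
```

To use it on a real deployment, read `/etc/matrix-synapse/shib-metadata.xml` into `metadata_xml` and paste the base64-decoded `SAMLResponse` from the failing POST into `response_xml`. A match with a still-failing xmlsec1 run points away from the key and toward the signed content itself (canonicalization or a Response modified in transit by a proxy); a mismatch means the metadata file needs the certificate the IdP currently signs with, which is exactly what `--pubkey-cert-pem` will be fed on the next attempt.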