-
Notifications
You must be signed in to change notification settings - Fork 182
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reference validation failed after (minor!) PHP update from 8.2.7 to 8.2.8 #257
Comments
PHP has been messing a lot with the builtin XML/DOM-libraries and as an author of Most notably:
This for me was my primary suspect, because in my case marshalling/unmarshalling XML documents led to different documents with namespace declarations in different places |
Well it seems this package no longer works in PHP 8.2.8 and up because of these changes. Pretty strange they would make these updates in a minor release. When looking at $data in method validateDigest i do see a difference between PHP 8.2.7 and 8.2.8. In 8.2.7 there are no prefixes in the <Assertion message, while in 8.2.8 every node in the <Assertion message has a saml: prefix. So it does 2 passes, the first SAML response validates fine, it's the second pass validating the Assertion which does not validate. Could this be the cause? How could this be fixed? Update: When disabling assertion encryption on the idp (codegreencreative/laravel-samlidp) via encrypt_assertion false, it works. See also the related issue below. Still needs a fix though. |
PHP DOM maintainer here.
This was not an intentional behaviour change, and our tests didn't catch this. |
This comment was marked as off-topic.
This comment was marked as off-topic.
Yes, I found too that DOM bugs often occur when specific sequences of actions/tree changes are performed. So when they happen it's hard to find why and where. |
This comment was marked as off-topic.
This comment was marked as off-topic.
Issue seems to be resolved in PHP 8.2.12! |
From the changelog:
Makes sense |
I'm running into an issue after updating my server from PHP 8.2.7 to 8.2.8.
Getting:
Reference validation failed from vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php:614
and SAML login fails.
It's in a Laravel 10 app using 24slides/laravel-saml2 (2.2.0), which uses onelogin/php-saml (4.1.0), which uses robrichards/xmlseclibs (3.1.1)
Everything works great on PHP 8.2.7 and before, no longer on 8.2.8 and up.
I have tried a possible fix in:
SAML-Toolkits/php-saml#562
But the author of onelogin/php-saml thinks the issue might be in xmlseclibs.
Any idea?
The text was updated successfully, but these errors were encountered: