SAML to OKTA - Caught exception in captiveportal::Controller::Root->dynamic_application

[coRpTitan]

Describe the bug
SAML auth towards OKTA.com does not work on guest portal. User is re-directed to Identity provider, there he/she can login. After successful login user is re-directed back to the portal, where user can see error:

Caught exception in captiveportal::Controller::Root->dynamic_application "Can't use string ("Can't call method "Attribute" on"...) as a HASH ref while "strict refs" in use at /usr/local/pf/lib/pf/Authentication/Source/SAMLSource.pm line 207."

To Reproduce
Configure PF SAML source as following:
I'm sure about validity of certificates.

Screenshots

Expected behavior
Portal should process SAML assertion message and allow user to login or display better error message indicating what is wrong.

Desktop (please complete the following information):

• OS: Windows 11
• Browser Edge
• Seems no to be client/browser related, as I have tried various combinations of client/browser.

Additional context
Attached screenshot from SAML config on PF and also assertion message captured from client's browser.
OKTA-SAML-ASSERTION.txt
( I have redacted sensitive values, but I'm sure about their validity as same Okta instance is used by other applications for SAML authentication ).

Is there any debug log I can share? I'm using PF in version 14.0 running on most recent Debian 12.

[coRpTitan]

Found out a problem.

OKTA SAML Assertion contained:
... <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">name.surename@domain.ltd</saml2:NameID> ....

So I thought setting in PF Username to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" would be sufficient. But it was not. I had to configure Attribute Statements in OKTA to "email -> user.login". After this modification SAML assertion has section saml2:AttributeStatement where I have value I can use. Then I configured PF's "Username attribute" to "email" and it all started working.

My conclusion: When OKTA was not configured with any Attribute Statements, related section was not present in XML assertion reply sent back to PF and then PF was trying to parse non-existing object and throwing unhanded exception.

Proposal for fix: If saml2:AttributeStatement section is not found in SAML response, PF portal should print more user-friendly message.

[jrouzierinverse]

Ok thank you for the update.
Better error handling will be included in the next release.

[coRpTitan]

@jrouzierinverse One more thing, not worth of opening separate Issue, but do you happen to know who is managing website for this project?

Page https://www.packetfence.org/support.html suggest users to connect to IRC channel #packetfence on the freenode network. Been there and that channel is empty, I assume ppl migrated to liberachat when there was "hostile" takeover of freenode few years ago. I have found few users on liberachat, so it might be worth of updating that page. If you happen to know who is managing that website, please let them know.

[jrouzierinverse]

Thank you for reporting I asked someone to look into it