So I need to send an SLO request to an Okta IdP from my Service Provider built with SimpleSAMLphp.
I have tried the logout function of SimpleSAMLphp, but it only logs out on the Service Provider, not on my IdP...
The code used:
require_once('/var/www/service_provider/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->logout();
I tried to add the SLO URL of my IdP as a parameter to the logout() function, but some parameters are missing in the request, and there is no documentation on how to generate these missing parameters...
Thanks for your help!
Best regards,
EDIT:
Here is my authsources config:
'default-sp' => [
'saml:SP',
'entityID' => null,
'idp' => 'http://www.okta.com/ID',
'discoURL' => null,
'privatekey' => 'sp.pem',
'certificate' => 'sp.crt',
'sign.logout' => true,
'sign' => [
'logout' => true
]
],
EDIT:
The IdP metadata:
$metadata['http://www.okta.com/randomString'] = array (
'entityid' => 'http://www.okta.com/randomString',
'contacts' =>
array (
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
),
),
'ArtifactResolutionService' =>
array (
),
'NameIDFormats' =>
array (
0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
1 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'certValue',
),
),
);
You will need to first enable logout in the Okta app. This will require your service provider's public cert, since Okta wants logout requests to be signed.
Once you have enabled logout, the SAML metadata for the Okta IdP changes to include the logout URLs. You will need to update the metadata you have in SSP so that SSP knows about Okta's logout URL.
Lastly, you need to enable signed logout messages from SSP. You do that with the 'sign.logout' => true option in your authsources.php.
So finally, the bug was that I had missed starting the session in the logout script. So SimpleSAMLphp never found the current session; as Patrick suggested in his comment, isAuthenticated was always false.
So to correct the bug I added at the start of my logout script a
session_start();
And it works!
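A complete SP-initiated logout endpoint for the 'default-sp' authsource from this question, added here as an illustration (it is not the asker's script). It combines the session_start() fix above with the parameter logout() actually accepts, a return URL rather than the IdP's SLO URL; the https://sp.example.org URLs are placeholders and the autoloader path is the one from the question.

```php
<?php
// Added example (not the asker's script): SP-initiated single logout for the
// 'default-sp' authsource, SimpleSAMLphp 1.x API. The URLs below are placeholders.

// The asker's fix: without a started session SimpleSAMLphp found no valid SP
// session, isAuthenticated() was false, and nothing was ever sent to Okta.
session_start();

require_once('/var/www/service_provider/simplesamlphp/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('default-sp');

if ($as->isAuthenticated()) {
    // Only with a valid SP session does logout() build a LogoutRequest, sign
    // it (because of 'sign.logout' => true in authsources.php) and redirect
    // the browser to the SingleLogoutService location it reads from the IdP's
    // saml20-idp-remote metadata. The IdP's SLO URL is never passed here.
    //
    // logout() accepts an array of options or a plain string; a string is
    // taken as the ReturnTo URL. So handing it the Okta SLO URL, at a moment
    // when no SP session was visible, simply sent the browser to that URL
    // with no LogoutRequest attached.
    $as->logout(array(
        // After the IdP has answered the LogoutRequest, SimpleSAMLphp sends
        // the browser back to this same script for the cleanup below.
        'ReturnTo' => 'https://sp.example.org/logout.php',  // placeholder
    ));
    // logout() does not return: it redirects and terminates the script.
}

// Reached either with no SP session at all, or on the ReturnTo hop after the
// IdP confirmed the logout. Either way, clear the application's own PHP
// session state as well, so nothing application-side outlives the SAML session.
$_SESSION = array();
session_destroy();
header('Location: https://sp.example.org/logged-out.php');  // placeholder
exit;
```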
I have created a link from my web directory such that https://resolute.organization.in/sso points to the simplesaml directory /var/www/simplesamlphp/www
My simpleSAML configuration page:
The complete link https://resolute.organization.in/sso/module.php/saml/sp/saml2-acs.php/default-sp shows 404 Not Found while testing Authentication Sources --> default-sp.
My config.php:
$config = ['baseurlpath' => 'https://resolute.organization.in/sso/',
'secretsalt' => 'my_secret_salt',
'auth.adminpassword' => 'my_admin_pass',
];
All the rest are default values in config.php.
My authsources.php:
$config = [
'admin' => [
'core:AdminPassword',
],
'default-sp' => [
'saml:SP',
'entityID' => 'https://resolute.organization.in/',
'idp' => 'https://sts.windows.net/{some-unique-key}/', //From metadata.xml for the app with entity ID in AD as *https://resolute.organization.in/*
'discoURL' => null,
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'simplesaml.nameidattribute' => 'eduPersonTargetedID',
],
];
My metadata array in saml20-idp-remote.php:
$metadata['https://sts.windows.net/{some-unique-key}/'] = array (
'entityid' => 'https://sts.windows.net/{some-unique-key}/',
'contacts' =>
array (
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://login.microsoftonline.com/{some-unique-key}/saml2',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://login.microsoftonline.com/{some-unique-key}/saml2',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://login.microsoftonline.com/{some-unique-key}/saml2',
),
),
'ArtifactResolutionService' =>
array (
),
'NameIDFormats' =>
array (
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => '{really_long_key}',
),
),
);
My Federation page:
The [show metadata] link shows 404 as well, the link in the URL bar in this case is:
https://resolute.organization.in/sso/module.php/saml/sp/metadata.php/default-sp?output=xhtml
IdP metadata link shows the metadata array properly.
Please help me out with what I am missing here, as I have been breaking my head over this for a few days now.
Figured out the issue; it had something to do with the Nginx server configuration, which could not handle multiple PHP pages in one link. Switched to Apache and everything works fine.
It depends on how PHP handles the URL parameters and occurs when using php-fpm either with NGINX or Apache mpm_worker/event.
In order to fix this, set
cgi.fix_pathinfo=1 in php.ini
I am trying to get a test connection working with an Identity Provider, acting as a Service Provider using SAML 2.0. I am using Yii2 and the SimpleSAMLphp library. To do this I need to fill in the metadata for the identity provider in the file "simplesamlphp-sp/metadata/saml20-idp-remote.php". The problem is that I only have an XML file. I know that it is possible to convert XML metadata to PHP using the built-in tool at http://saml.yourdomain.com/simplesaml/admin/metadata-converter.php
but that tool just doesn't work. If I paste my XML file and press "Parse", the page loads forever.
I have checked my XML file with a validation tool (https://www.samltool.com/validate_xml.php) and it is valid.
Is there any online tool to convert XML metadata to PHP?
Here is the XML I use, just in case:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="aselect-s.entree.kennisnet.nl" entityID="aselect-s.entree.kennisnet.nl">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#aselect-s.entree.kennisnet.nl">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>wfZL1iUy/Gvct864xEiDf1+gtf8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIF4TCCA8mgAwIBAgIEXXr4LzANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMCTkwxFTATBgNV...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIF4TCCA8mgAwIBAgIEXXr4LzANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMCTkwxFTATBgNV...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/artifact" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sp/sso/logout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sp/sso/logout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sp/sso/logout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sp/sso/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sp/sso/web" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sp/sso/web" index="1" isDefault="false"/>
  </md:SPSSODescriptor>
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIF4TCCA8mgAwIBAgIEXXr4LzANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMCTkwxFTATBgNV...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/artifact" index="0"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sso/web"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sso/web"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sso/web"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">skn</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Stichting Kennisnet</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">http://www.kennisnetfederatie.nl</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="administrative">
    <md:Company>Stichting Kennisnet</md:Company>
    <md:EmailAddress>entree#kennisnet.nl</md:EmailAddress>
    <md:TelephoneNumber>0800-KENNISNET (0800-536 647 638)</md:TelephoneNumber>
  </md:ContactPerson>
</md:EntityDescriptor>
Sounds like there is an issue with your SSP installation. It converts fine with mine.
saml20-idp-remote
$metadata['aselect-s.entree.kennisnet.nl'] = array (
'entityid' => 'aselect-s.entree.kennisnet.nl',
'description' =>
array (
'en' => 'skn',
),
'OrganizationName' =>
array (
'en' => 'skn',
),
'name' =>
array (
'en' => 'Stichting Kennisnet',
),
'OrganizationDisplayName' =>
array (
'en' => 'Stichting Kennisnet',
),
'url' =>
array (
'en' => 'http://www.kennisnetfederatie.nl',
),
'OrganizationURL' =>
array (
'en' => 'http://www.kennisnetfederatie.nl',
),
'contacts' =>
array (
0 =>
array (
'contactType' => 'administrative',
'company' => 'Stichting Kennisnet',
'emailAddress' =>
array (
0 => 'entree#kennisnet.nl',
),
'telephoneNumber' =>
array (
0 => '0800-KENNISNET (0800-536 647 638)',
),
),
),
'metadata-set' => 'saml20-idp-remote',
'sign.authnrequest' => true,
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sso/web',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sso/web',
),
2 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/sso/web',
),
),
'SingleLogoutService' =>
array (
),
'ArtifactResolutionService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => 'https://aselect-s.entree.kennisnet.nl/openaselect/profiles/saml2/artifact',
'index' => 0,
),
),
'NameIDFormats' =>
array (
0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIF4TCCA8mgAwIBAgIEXXr4LzANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMCTkwxFTATBgNV...',
),
),
);
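When the admin/metadata-converter.php page hangs, the same conversion can be run from the command line with the parser class that page is built on. The script below is an added example, not code from the question or the answer; it assumes the SimpleSAMLphp 1.x class names used elsewhere on this page, and the autoloader path and default input file name are placeholders for your own installation.

```php
<?php
// Added example: convert SAML 2.0 metadata XML into SimpleSAMLphp's flat-file
// PHP format from the CLI, using SimpleSAML_Metadata_SAMLParser (SimpleSAMLphp
// 1.x). Autoloader path and default file name are placeholders.

require_once('/var/www/simplesamlphp/lib/_autoload.php');

/**
 * Parse one metadata document and return flat-file PHP source for every
 * entity in it, grouped by the metadata set (file) each role belongs in.
 *
 * @param string $xml  The metadata document (e.g. the Kennisnet XML above).
 * @return array       'saml20-idp-remote' / 'saml20-sp-remote' => PHP source.
 */
function convertMetadataXml($xml)
{
    // One parser per <md:EntityDescriptor>, indexed by entityID.
    $entities = SimpleSAML_Metadata_SAMLParser::parseDescriptorsString($xml);

    $output = array('saml20-idp-remote' => '', 'saml20-sp-remote' => '');
    foreach ($entities as $entityId => $entity) {
        // A single document may carry both an IDPSSODescriptor and an
        // SPSSODescriptor (the Kennisnet metadata above does). Each role goes
        // into its own set; the getters return null when a role is absent.
        $roles = array(
            'saml20-idp-remote' => $entity->getMetadata20IdP(),
            'saml20-sp-remote'  => $entity->getMetadata20SP(),
        );
        foreach ($roles as $set => $meta) {
            if ($meta === null) {
                continue;
            }
            // The parser keeps a copy of the raw descriptor; the web converter
            // drops it as well, since it only clutters the generated file.
            unset($meta['entityDescriptor']);
            $output[$set] .= '$metadata[' . var_export($entityId, true) . '] = '
                . var_export($meta, true) . ";\n\n";
        }
    }
    return $output;
}

$file = isset($argv[1]) ? $argv[1] : 'idp-metadata.xml';  // placeholder default
$xml = file_get_contents($file);
if ($xml === false) {
    fwrite(STDERR, "Cannot read $file\n");
    exit(1);
}

try {
    $converted = convertMetadataXml($xml);
} catch (Exception $e) {
    // Malformed XML or a root element that is not SAML metadata surfaces
    // here as a message, instead of a page that never finishes loading.
    fwrite(STDERR, 'Metadata parse failed: ' . $e->getMessage() . "\n");
    exit(1);
}

foreach ($converted as $set => $php) {
    if ($php !== '') {
        // Paste each part into metadata/<set>.php on the SP.
        echo "<?php\n/* metadata/$set.php */\n\n$php";
    }
}
```

Run it as `php convert-metadata.php metadata.xml` on the host where SimpleSAMLphp is installed, and copy the `saml20-idp-remote` part into simplesamlphp-sp/metadata/saml20-idp-remote.php.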
I'm using SimpleSAMLphp as an IdP for a bunch of applications we have, chiefly a Drupal site. I've used SQL as an authsource on the IdP and that works to authenticate users; the response returns to Drupal and the users are authenticated. All good!
However, we also need to use social login (login with Twitter, Facebook etc.). SimpleSAMLphp supports OAuth; I've set it up and the login works on the IdP with the social accounts. SimpleSAMLphp creates the session and cookies, but I'm not authenticated on the Drupal site.
What I need to do is complete the request by returning to Drupal and authenticating the user there, that is, to issue an assertion back to Drupal on success.
Just like in the SQL source, I've mapped the attributes in each of the source files (Twitter.php, Facebook.php etc.); however, where SQL auth returns to Drupal and creates a session, the others just display their attributes in a template.
How do I generate and send back an assertion for Drupal from these social logins so as to authenticate my users there?
saml10-sp-remote.php (IdP)
$metadata['https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/metadata.php/sp'] = array (
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml2-logout.php/sp',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml2-logout.php/sp',
),
),
'AssertionConsumerService' =>
array (
0 =>
array (
'index' => 0,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml2-acs.php/sp',
),
1 =>
array (
'index' => 1,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml1-acs.php/sp',
),
2 =>
array (
'index' => 2,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml2-acs.php/sp',
),
3 =>
array (
'index' => 3,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml1-acs.php/sp/artifact',
),
),
'certData' => 'xxxx',
);
authsources.php (IdP)
'sql' => array(
'sqlauth:SQL',
'dsn' => 'mysql:host=localhost;dbname=db',
'username' => 'user',
'password' => 'pass',
'query' => 'SELECT u.uid, u.name, u.mail, r.name AS role FROM users u JOIN users_roles ur on ur.uid = u.uid JOIN role r on r.rid = ur.rid where u.mail = :username AND pass = MD5(:password);',
),
'facebook' => array(
'authfacebook:Facebook',
'api_key' => 'xxxx',
'secret' => 'xxxx',
'req_perms' => 'email',
),
'linkedin' => array(
'authlinkedin:LinkedIn',
'key' => 'xxxx',
'secret' => 'xxxx',
),
'twitter' => array(
'authtwitter:Twitter',
'key' => 'xxxx',
'secret' => 'xxxx',
'force_login' => true,
),
saml20-idp-remote.php (SP, Drupal)
$metadata['http://idp_url/simplesaml/saml2/idp/metadata.php'] = array (
'metadata-set' => 'saml20-idp-remote',
'entityid' => 'http://idp_url/simplesaml/saml2/idp/metadata.php',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://idp_url/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://idp_url/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'certData' => 'xxx',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);
saml20-idp-hosted.php (IdP)
$metadata['__DYNAMIC:1__'] = array(
'host' => '__DEFAULT__',
'privatekey' => 'mysite.com.key',
'certificate' => 'mysite.com.crt',
'auth' => 'sql',
);
Background
Your issue is that your Identity Provider is configured to use sql auth and not twitter, linkedin, etc. The Drupal site will send you to the IdP, and the IdP is only knowledgeable about sql. While you do have authsources configured for social, SSP lets you test and verify those independently of your IdP configuration. This is why SSP is just displaying the social attributes in a template, and not letting you log into Drupal with them.
Option A
multiauth will let you define an authsource that includes your social and sql sources. You then configure your IdP to use the new multiauth authsource.
Option B
An IdP per social provider. We run an IdP per social provider. We have multiple IdPs (with unique entityIDs) defined in saml20-idp-hosted.php, one for each social account. We do it this way because each of our SPs only wants to trust a subset of all configured social IdPs.
Each SP in this option would include the additional IDP data in saml20-idp-remote.php
Option C
Outsource. We run this sort of social-to-SAML gateway as a SaaS product. This makes sense if you don't like running things yourself, or if you have several SPs that all want different social providers, or want to use different social API keys/secrets per SP.
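Option A spelled out for the configuration in this question, as an added example (not the answerer's own config): a multiauth source that chains the existing 'sql', 'facebook', 'linkedin' and 'twitter' authsources, and the saml20-idp-hosted.php change that makes the IdP use it. The source name 'multi', the button texts and the 'email' attribute name are constructed here; the syntax is SimpleSAMLphp 1.x, matching the rest of the page.

```php
<?php
// Added example for Option A (SimpleSAMLphp 1.x multiauth module), not the
// answerer's configuration. 'multi', the labels and 'email' are placeholders.

// --- config/authsources.php --------------------------------------------
// Add this entry beside the existing four; every key under 'sources' must be
// the name of an authsource defined in this same file.
$config['multi'] = array(
    'multiauth:MultiAuth',
    'sources' => array(
        'sql' => array(
            'text' => array('en' => 'Username and password'),
            'css-class' => 'sql',
        ),
        'facebook' => array(
            'text' => array('en' => 'Log in with Facebook'),
            'css-class' => 'facebook',
        ),
        'linkedin' => array(
            'text' => array('en' => 'Log in with LinkedIn'),
            'css-class' => 'linkedin',
        ),
        'twitter' => array(
            'text' => array('en' => 'Log in with Twitter'),
            'css-class' => 'twitter',
        ),
    ),
);

// --- metadata/saml20-idp-hosted.php -----------------------------------
// Only 'auth' changes from the question's entry: the IdP now shows the
// multiauth chooser and completes the SAML exchange back to Drupal whichever
// source the user picks, instead of ending on the attribute template.
$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',
    'privatekey' => 'mysite.com.key',
    'certificate' => 'mysite.com.crt',
    'auth' => 'multi',
    // Filters here run for every source, so this is the one place to give
    // Drupal a consistent attribute set regardless of which backend answered.
    // 'email' => 'mail' is a placeholder rename for a source that returns the
    // address under a different attribute name than the SQL query does.
    'authproc' => array(
        10 => array(
            'class' => 'core:AttributeMap',
            'email' => 'mail',
        ),
    ),
);
```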
I've been following along with this tutorial:
http://www.worldgoneweb.com/2013/installing-simplesamlphp-and-use-it-as-sp-and-idp-for-development-env-only/
It has really helped to set up authentication between SP and IdP. However, when configuring the metadata/saml20-remote-sp.php file it tells me to copy and paste the contents of a box (SP: Federation > Show metadata > simpleSAMLphp flat file format box) into that file. I've done this, and it works great for a single SP; I just don't really know how to add another SP. I checked the documentation but it only shows the minimum set required, with no mention/example of multiple SPs.
Below is my IdP's metadata/saml20-remote-sp.php with a single SP:
$metadata['http://local-ssoidp'] = array (
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
),
),
'AssertionConsumerService' =>
array (
0 =>
array (
'index' => 0,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
),
1 =>
array (
'index' => 1,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp',
),
2 =>
array (
'index' => 2,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
),
3 =>
array (
'index' => 3,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
),
),
);
How can I add additional SPs to this? I considered merging the arrays together (the arrays given by each SP's show metadata page) but want to gain a little better understanding rather than rely on guesswork. Can anyone please advise on how this is done? Thanks.
You can just add a second SP under your first one.
So copy what you currently have and paste it at the bottom of the file. Then edit the second copy with the details of your second SP.
Cheers
I am trying to authenticate using SAML in my web app.
I followed the IdP quick start and the SP quick start user guides and came up with the configuration below,
which fails with:
Backtrace:
1 /app_path/application/lib/simplesamlphp/www/_include.php:37 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /app_path/application/lib/simplesamlphp/lib/SAML2/Binding.php:81 (SAML2_Binding::getCurrentBinding)
1 /app_path/application/lib/simplesamlphp/modules/saml/lib/IdP/SAML2.php:266 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /app_path/application/lib/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
Setup:
My app runs locally with the host: trunk.sam.net
SimpleSAMLphp, the SP, is included in the app as a library and accessible at: trunk.sam.net/simplesaml
SimpleSAMLphp, the IdP, is installed locally and runs at: auth.sam.net
Both SimpleSAMLphp instances are actually using the same code and configuration files (they share the same document root).
Configuration:
config.php
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
authsources.php
'default-sp-trunk.sam.net' => array(
'saml:SP',
'entityID' => 'http://trunk.sam.net',
'idp' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
'ssoPortalUrl'=> 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
'bkmapping' => array(
'login' => 'uid',
'eMail' => 'mail'
)
),
'example-userpass' => array(
'exampleauth:UserPass',
'shf:pwd' => array(
'uid' => array('shf'),
'eduPersonAffiliation' => array('mail', 'shf#bk-soft.com')
),
'shl:pwd' => array(
'uid' => array('shl')
),
),
saml20-idp-hosted.php
$metadata['__DYNAMIC:1__'] = array(
/*
* The hostname for this IdP. This makes it possible to run multiple
* IdPs from the same configuration. '__DEFAULT__' means that this one
* should be used by default.
*/
'host' => '__DEFAULT__',
/*
* The private key and certificate to use when signing responses.
* These are stored in the cert-directory.
*/
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
/*
* The authentication source which should be used to authenticate the
* user. This must match one of the entries in config/authsources.php.
*/
'auth' => 'example-userpass',
/*
* The interoperable SAML 2 profile specifies that attributes should be delivered using the urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat.
* We therefore recommended enabling this in new installations. This can be done by adding the following to the saml20-idp-hosted configuration:
*/
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
// Convert LDAP names to oids.
100 => array('class' => 'core:AttributeMap', 'name2oid'),
),
);
saml20-idp-remote.php
$metadata['http://auth.sam.net/simplesaml/saml2/idp/metadata.php'] = array (
'entityid' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
'contacts' =>
array (0 =>
array (
'contactType' => 'technical',
'surName' => 'Administrator',
'emailAddress' => array (0 => 'support#bluekiwi-software.com'),
),
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' => array (0 => array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array ( 0 => array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'ArtifactResolutionService' =>
array (
),
'keys' =>
array (0 => array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
),
1 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
),
),
);
saml20-sp-remote.php
$metadata['http://trunk.sam.net'] = array (
'AssertionConsumerService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp-trunk.sam.net',
'SingleLogoutService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp-trunk.sam.net',
);
Could anyone point me to what I did wrong?
Am I missing a configuration entry / file?
Should I use separate SimpleSAMLphp installations?
Thanks for your advice.
The problem was that the SP and IdP need to be two different installations of SimpleSAMLphp.
I copied the source code to another folder, edited the vhost I used for the IdP (auth.sam.net) and everything worked. The configuration was OK.
What does your SimpleSAMLphp IdP authenticate against? AD?
Do you simply want your application to authenticate against the IdP repository?
Why do you need the SimpleSAMLphp SP?
Could your application authenticate directly against the SimpleSAMLphp IdP?
You normally use the SimpleSAMLphp SP in something like the following:
AD <-- ADFS <-- SimpleSAMLphp SP <-- SAML application.