When adding a new app to access SAML, I am facing this issue.
SSOService.php:1 GET https://saml.testing.net/www/saml2/idp/SSOService.php?spentityid=newapp&cookieTime=1459920375
net::ERR_TOO_MANY_REDIRECTS
Locally I don't face any issue, but when I copy the code to the staging servers, it shows ERR_TOO_MANY_REDIRECTS errors, keeps redirecting, and is not able to display the SAML login page. The staging servers are behind load balancers; could this have caused the error?
Thanks.
Update:
$config = array(
'baseurlpath' => 'https://saml.testing.net/',
'certdir' => '/etc/test/sslcerts/',
'tempdir' => '/tmp',
'datadir' => 'data/',
'auth.adminpassword' => '1234567',
'admin.protectindexpage' => TRUE,
'admin.protectmetadata' => TRUE,
'secretsalt' => 'xxxxxxxxx',
'timezone' => NULL,
// logging related options
'loggingdir' => '/var/log/simplesamlphp/',
'logging.level' => LOG_WARNING,
'logging.logfile' => 'simplesaml_' .date("Ymd") . '.log',
'debug' => true,
'showerrors' => true,
'logging.handler' => 'file',
'logging.facility' => LOG_USER,
'logging.processname' => 'simplesaml',
'debug.validatexml' => FALSE,
'enable.saml20-idp' => TRUE,
'enable.shib13-idp' => FALSE,
'enable.adfs-idp' => FALSE,
'enable.wsfed-sp' => FALSE,
'enable.authmemcookie' => TRUE,
'session.duration' => 2*(60*60),
'session.requestcache' => 4*(60*60),
'session.cookie.lifetime' => 0,
'session.cookie.path' => '/',
'session.phpsession.cookiename' => 'SimpleSAMLSessionID',
'session.cookie.name' => 'SimpleSAMLSessionID',
'session.cookie.domain' => NULL,
'session.cookie.secure' => FALSE,
'session.cookie.lifetime' => 0, // duplicate of the key above; the later value wins
'session.datastore.timeout' => 4*(60*60),
'session.state.timeout' => (60*60),
'session.phpsession.savepath' => NULL,
'session.phpsession.httponly' => FALSE,
'session.disable_fallback' => FALSE,
'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
'session.rememberme.enable' => FALSE,
'session.rememberme.checked' => FALSE,
'session.rememberme.lifetime' => 1209600, // 14 days
'enable.http_post' => FALSE,
'language.available' => array('en'),
'language.default' => 'en',
'attributes.extradictionary' => NULL,
'theme.use' => 'oldtheme:abcdef',
'attributes.extradictionary' => NULL, // duplicate of the key above; the later value wins
'default-wsfed-idp' => 'urn:federation:pingfederate:localhost',
'idpdisco.enableremember' => TRUE,
'idpdisco.rememberchecked' => TRUE,
'idpdisco.validate' => TRUE,
'idpdisco.extDiscoveryStorage' => NULL,
'idpdisco.layout' => 'dropdown',
'shib13.signresponse' => TRUE,
'authproc.idp' => array(
10 => "frogauth:LogHandler",
30 => 'core:LanguageAdaptor',
45 => array('class' => 'core:StatisticsWithAttribute', 'attributename' => 'realm', 'type' => 'saml20-idp-SSO'),
50 => 'core:AttributeLimit',
99 => 'core:LanguageAdaptor',
100 => "newauth:ToLogin",
101 => "newauth:VerifyLogin",
99 => 'core:LanguageAdaptor', // duplicate index 99; overrides the entry above
),
'authproc.sp' => array(
99 => 'core:LanguageAdaptor',
),
'metadata.sources' => array(
array('type' => 'flatfile'),
),
'store.type' => 'memcache',
'memcache_store.servers' => array(
array(
array('hostname' => '10.11.11.11'),
),
),
'memcache_store.expires' => 36 * (60*60),
'metadata.sign.enable' => FALSE,
'metadata.sign.privatekey' => NULL,
'metadata.sign.privatekey_pass' => NULL,
'metadata.sign.certificate' => NULL,
'proxy' => null,
'xframe_options'=> array( 'enable' => TRUE, 'trusted_sites' => array()),
'session.duration' => 2*(60*60), // duplicate of the key above; the later value wins
'theme.use' => "newtheme:multitheme", // duplicate key: this overrides 'oldtheme:abcdef' set above
);
saml20-sp-remote.php
$metadata['newapp'] = array(
'AssertionConsumerService' => 'https://www.newapp.com/mobile/saml',
'SingleLogoutService' => 'https://www.newapp.com/mobile/logout',
'Theme' => 'mobile',
);
In my case the SameSite=None cookie attribute was the culprit. SameSite=None cookies must be used along with the secure attribute!
Solution:
'session.cookie.secure' => true, // config.php
If your service is running behind a reverse proxy and is not running over https you additionally need to define the URL schema:
'baseurlpath' => 'https://my.url.com/<path_to_simple_saml>', // indicating the https schema (config.php)
If it helps at all, whenever this occurs in our setup it is because something has gone wrong with the cookies.
The user is not being seen as logged in at the service because the cookies aren't set correctly. Therefore they are redirected to the IdP, at which point they are shown as logged in and redirected back to the service; and repeat.
Basically your service thinks they aren't logged in, saml thinks they are; and they both keep passing the buck!
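A small sanity check for the cookie settings the two answers above point at, added here as an example (not SimpleSAMLphp's own code): it takes the config.php array and flags the combinations that produce this SP/IdP redirect loop, a cookie without the Secure flag while baseurlpath is https (typical behind a TLS-terminating load balancer), SameSite=None without Secure, and a baseurlpath with no scheme. The key 'session.cookie.samesite' is assumed to exist in the SimpleSAMLphp version in use; the sample array is constructed.

```php
<?php
// Added example: check SimpleSAMLphp config.php cookie settings for the
// misconfigurations behind ERR_TOO_MANY_REDIRECTS between SP and IdP.
// Key names are those of config.php; 'session.cookie.samesite' is assumed
// to be supported by the installed SimpleSAMLphp version.

function checkCookieConfig(array $config): array
{
    $warnings = [];
    $baseUrl  = (string) ($config['baseurlpath'] ?? '');
    $secure   = (bool) ($config['session.cookie.secure'] ?? false);
    $sameSite = $config['session.cookie.samesite'] ?? null;

    // Behind a TLS-terminating load balancer PHP usually sees plain HTTP, so
    // the Secure flag has to be set explicitly to match the public https URL.
    if (stripos($baseUrl, 'https://') === 0 && !$secure) {
        $warnings[] = 'baseurlpath is https but session.cookie.secure is false';
    }

    // Browsers reject SameSite=None cookies that lack Secure; the IdP session
    // is then never seen on the next request and the login loops.
    if (is_string($sameSite) && strcasecmp($sameSite, 'None') === 0 && !$secure) {
        $warnings[] = 'session.cookie.samesite is None but session.cookie.secure is false';
    }

    // A relative baseurlpath behind a reverse proxy lets the scheme be taken
    // from the backend (plain HTTP) request instead of the public URL.
    if ($baseUrl !== '' && !preg_match('#^https?://#i', $baseUrl)) {
        $warnings[] = 'baseurlpath has no scheme; state the public https URL explicitly';
    }

    return $warnings;
}

// Constructed sample: the question's baseurlpath and cookie.secure plus the
// SameSite=None value from the first answer.
$sample = [
    'baseurlpath'             => 'https://saml.testing.net/',
    'session.cookie.secure'   => false,
    'session.cookie.samesite' => 'None',
];

foreach (checkCookieConfig($sample) as $warning) {
    echo "WARNING: $warning\n";
}
```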
I've just run into a similar redirect issue. SimpleSAMLphp would load fine, but when trying to log in as an admin it would go into an infinite loop loading the loginuserpass.php and as_login.php pages (redirected initially from /module.php/core/login-admin.php?ReturnTo=XXX).
After a lot of debugging I found that the problem was actually Varnish caching, which was stopping the session state from being loaded. This happened no matter what session storage was selected (phpsession, memcache or sql).
Disabling Varnish caching on the SimpleSAMLphp paths fixed the issue for me.
Hope this helps anyone else with this issue.
And here is yet another possible solution to try (it worked for me after searching for hours, and after correcting the 'session.phpsession.savepath'): go into the Firefox developer tools (or the browser of your choice) and in the "web storage" remove all cookies.
Close the connection when the page content ends.
In my case the culprit was a git merge error in the session.phpsession.savepath ... fixing it solved the redirect issue:
'session.phpsession.savepath' => "/path/to"
So I need to send an SLO request from my Service Provider, built with SimpleSAMLphp, to an Okta IdP.
I have tried the logout function of SimpleSAMLphp, but it only logs out on the Service Provider, not on my IdP...
The code used:
require_once('/var/www/service_provider/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->logout();
I tried to pass the SLO URL of my IdP as a parameter to the logout() function, but some parameters are missing in the request and there is no documentation on how to generate these missing parameters...
Thanks for the help!
Best regards,
EDIT:
Here is my authsources config:
'default-sp' => [
'saml:SP',
'entityID' => null,
'idp' => 'http://www.okta.com/ID',
'discoURL' => null,
'privatekey' => 'sp.pem',
'certificate' => 'sp.crt',
'sign.logout' => true,
'sign' => [
'logout' => true
]
],
EDIT:
The IDP metadata:
$metadata['http://www.okta.com/randomString'] = array (
'entityid' => 'http://www.okta.com/randomString',
'contacts' =>
array (
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
),
),
'ArtifactResolutionService' =>
array (
),
'NameIDFormats' =>
array (
0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
1 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'certValue',
),
),
);
You will need to first enable logout in the Okta app. This will require your service provider public cert since Okta wants logout requests to be signed.
Once you have enabled logout the SAML metadata for the Okta IdP changes to include the logout URLs. You will need to update the metadata you have in SSP so that SSP knows about Okta's logout url.
Lastly you need to enable signed logout messages from SSP. You do that with the 'sign.logout' => true option in your authsources.php.
So finally the bug was that I missed starting the session in the logout script. So SimpleSAMLphp never found the current session; as Patrick suggested in his comment, isAuthenticated was always false.
So to correct the bug I added at the start of my logout script a
session_start();
And it works!
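The SP-initiated logout script as the answers above describe it, written out here as an added example (not the asker's code or SimpleSAMLphp's own): the PHP session is started before SimpleSAMLphp is loaded, the IdP round trip is only attempted when a session is actually authenticated, and logout() is given a ReturnTo URL. The autoload path and the 'default-sp' auth source are the question's; the two URLs are placeholders.

```php
<?php
// Added example: SP-initiated Single Logout with SimpleSAMLphp.
// The fix from the thread: the PHP session must exist before SimpleSAMLphp
// looks up the current authentication state. Without session_start(),
// isAuthenticated() is always false and logout() has nothing to send.
session_start();

require_once('/var/www/service_provider/simplesamlphp/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('default-sp');

if (!$as->isAuthenticated()) {
    // No SP session, so there is no IdP session to terminate from here;
    // return to the application instead of issuing a LogoutRequest.
    header('Location: https://sp.example.com/'); // placeholder URL
    exit;
}

// With 'sign.logout' => true in authsources.php and Okta's SingleLogoutService
// present in saml20-idp-remote.php, this sends a signed LogoutRequest to the
// IdP; once the IdP answers, the user lands on the ReturnTo URL.
// logout() does not return: it redirects and exits.
$as->logout([
    'ReturnTo' => 'https://sp.example.com/logged-out', // placeholder URL
]);
```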
I'm using this Dompdf package for Laravel 4 by Jonathan Thuau
and I'm getting a server error whenever I try to generate more than 9 pages; otherwise it works.
Below is the screenshot of the error.
Below is also my config file; let me know if I have to change anything in it.
return array(
'DOMPDF_TEMP_DIR' => sys_get_temp_dir(),
'DOMPDF_UNICODE_ENABLED' => true,
'DOMPDF_PDF_BACKEND' => 'CPDF',
'DOMPDF_DEFAULT_MEDIA_TYPE' => 'screen',
'DOMPDF_DEFAULT_PAPER_SIZE' => 'letter',
'DOMPDF_DEFAULT_FONT' => 'serif',
'DOMPDF_DPI' => 96,
'DOMPDF_ENABLE_PHP' => false,
'DOMPDF_ENABLE_REMOTE' => false,
'DOMPDF_ENABLE_CSS_FLOAT' => false,
'DOMPDF_ENABLE_JAVASCRIPT' => true,
'DEBUGPNG' => false,
'DEBUGKEEPTEMP' => false,
'DEBUGCSS' => false,
'DEBUG_LAYOUT' => false,
'DEBUG_LAYOUT_LINES' => true,
'DEBUG_LAYOUT_BLOCKS' => true,
'DEBUG_LAYOUT_INLINE' => true,
'DOMPDF_FONT_HEIGHT_RATIO' => 1.1,
'DEBUG_LAYOUT_PADDINGBOX' => true,
'DOMPDF_ENABLE_HTML5PARSER' => false,
'DOMPDF_ENABLE_FONTSUBSETTING' => false,
'DOMPDF_ADMIN_USERNAME' => 'user',
'DOMPDF_ADMIN_PASSWORD' => 'password',
);
The error was due to resource exhaustion, and I had to add the following lines at the top of the page and it worked:
set_time_limit(0);
ini_set("memory_limit",-1);
ini_set('max_execution_time', 0);
I am using ZF2 authentication. It writes the authentication credentials into the storage properly.
Also I can see my session variable being set (checked by print_r($_SESSION)).
My doubts are:
1. The function hasIdentity() from AuthenticationService.php always returns false even if the authentication is successful. As a result I can't log in.
In my config/autoload/global.php I have config like this:
'session' => array(
'config' => array(
'class' => 'Zend\Session\Config\SessionConfig',
'options' => array(
'name' => 'testsuitestudio',
'remember_me_seconds' => $lifeTime,
'gc_maxlifetime' => $lifeTime,
'gc_divisor' =>1,
'gc_probability' =>1,
'cookie_lifetime' =>$lifeTime,
'cookie_domain' => $subDomainVar,
'cache_expire' => $lifeTime,
'save_path' => $sessionDirectory
),
),
'storage' => 'Zend\Session\Storage\SessionArrayStorage',
'validators' => array(
array(
'Zend\Session\Validator\RemoteAddr',
'Zend\Session\Validator\HttpUserAgent',
),
),
),
2. If I comment out 'cookie_domain' => $subDomainVar, from the above array, it works fine.
What could be the issue?
I've integrated the latest version of KCFinder into CKEditor - whenever I click the 'Browse Server' button on the CKEditor toolbar it opens the KCFinder dialog box and downloads the 'browse.php' file rather than display the contents of a directory.
It is almost as if for some reason the PHP engine stops working temporarily; I've not modified any of the .htaccess files.
I'm currently using the standard config.php within the kcfinder directory - would anyone know what may have caused this and how to fix it?
// kcfinder/config.php
$_CONFIG = array(
'disabled' => true,
'denyZipDownload' => false,
'denyUpdateCheck' => false,
'denyExtensionRename' => false,
'theme' => "oxygen",
'uploadURL' => "",
'uploadDir' => "",
'dirPerms' => 0755,
'filePerms' => 0644,
'access' => array(
'files' => array(
'upload' => true,
'delete' => true,
'copy' => true,
'move' => true,
'rename' => true
),
'dirs' => array(
'create' => true,
'delete' => true,
'rename' => true
)
),
'deniedExts' => "exe com msi bat php phps phtml php3 php4 cgi pl",
'types' => array(
// CKEditor & FCKEditor types
'files' => "",
'flash' => "swf",
'images' => "*img",
// TinyMCE types
'file' => "",
'media' => "swf flv avi mpg mpeg qt mov wmv asf rm",
'image' => "*img",
),
'filenameChangeChars' => array(/*
' ' => "_",
':' => "."
*/),
'dirnameChangeChars' => array(/*
' ' => "_",
':' => "."
*/),
'mime_magic' => "",
'maxImageWidth' => 0,
'maxImageHeight' => 0,
'thumbWidth' => 100,
'thumbHeight' => 100,
'thumbsDir' => ".thumbs",
'jpegQuality' => 90,
'cookieDomain' => "",
'cookiePath' => "",
'cookiePrefix' => 'KCFINDER_',
// THE FOLLOWING SETTINGS CANNOT BE OVERRIDED WITH SESSION CONFIGURATION
'_check4htaccess' => true,
//'_tinyMCEPath' => "/tiny_mce",
'_sessionVar' => &$_SESSION['KCFINDER'],
//'_sessionLifetime' => 30,
//'_sessionDir' => "/full/directory/path",
//'_sessionDomain' => ".mysite.com",
//'_sessionPath' => "/my/path",
);
?>
I got the same problem and I found that the .htaccess file in the kcfinder dir was precisely what shut the PHP engine off. I removed the .htaccess file and then it worked. I do not understand why this shutting off was necessary. Security??
Well, I still get a problem to point at the right directory, but now I see something !!
One comment here about the CONFIG array above. The attribute disabled has to be set to false, and it is often suggested to do this through a SESSION variable (put $_SESSION['KCFINDER'] = array(); $_SESSION['KCFINDER']['disabled'] = false; after the session_start()), and not directly in the config file.
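The per-session enabling that the comment above recommends, as an added example (not KCFinder's own code): the host application keeps KCFinder disabled by default and only switches it on, with a per-user upload location, for a session it has itself authorized. currentUserMayUpload() is a hypothetical hook into the application's own authorization check; the paths are placeholders.

```php
<?php
// Added example: enable KCFinder from the host application per session,
// instead of setting 'disabled' => false in kcfinder/config.php for everyone.
// Keys written to $_SESSION['KCFINDER'] override the non-underscore entries of
// $_CONFIG (config.php binds '_sessionVar' to this array).
session_start();

// Hypothetical hook into the application's own authorization logic.
function currentUserMayUpload(): bool
{
    return isset($_SESSION['user_id'])
        && ($_SESSION['role'] ?? '') === 'editor';
}

// Start from a clean per-session KCFinder config so nothing from a previous
// state of this session leaks into the file manager's settings.
$_SESSION['KCFINDER'] = array('disabled' => true);

if (currentUserMayUpload()) {
    // Cast to int so the session value cannot alter the path structure.
    $userId = (int) $_SESSION['user_id'];

    $_SESSION['KCFINDER']['disabled']  = false;
    $_SESSION['KCFINDER']['uploadURL'] = '/uploads/' . $userId;                 // placeholder
    $_SESSION['KCFINDER']['uploadDir'] = '/var/www/html/uploads/' . $userId;    // placeholder
}
```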
I am trying to authenticate using SAML in my web app.
I followed the IdP quick start and the SP quick start user guides and came up with the configuration below, which fails with:
Backtrace:
1 /app_path/application/lib/simplesamlphp/www/_include.php:37 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /app_path/application/lib/simplesamlphp/lib/SAML2/Binding.php:81 (SAML2_Binding::getCurrentBinding)
1 /app_path/application/lib/simplesamlphp/modules/saml/lib/IdP/SAML2.php:266 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /app_path/application/lib/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
Setup:
My app runs locally with the host: trunk.sam.net
Simplesaml, SP, is included in the app as a library and accessible at: trunk.sam.net/simplesaml
Simplesaml, IdP, is installed locally and runs at: auth.sam.net
Both simplesaml are actually using the same code and configuration files (they share the same document root)
Configuration:
config.php
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
authsources.php
'default-sp-trunk.sam.net' => array(
'saml:SP',
'entityID' => 'http://trunk.sam.net',
'idp' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
'ssoPortalUrl'=> 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
'bkmapping' => array(
'login' => 'uid',
'eMail' => 'mail'
)
),
'example-userpass' => array(
'exampleauth:UserPass',
'shf:pwd' => array(
'uid' => array('shf'),
'eduPersonAffiliation' => array('mail', 'shf#bk-soft.com')
),
'shl:pwd' => array(
'uid' => array('shl')
),
),
saml20-idp-hosted.php
$metadata['__DYNAMIC:1__'] = array(
/*
* The hostname for this IdP. This makes it possible to run multiple
* IdPs from the same configuration. '__DEFAULT__' means that this one
* should be used by default.
*/
'host' => '__DEFAULT__',
/*
* The private key and certificate to use when signing responses.
* These are stored in the cert-directory.
*/
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
/*
* The authentication source which should be used to authenticate the
* user. This must match one of the entries in config/authsources.php.
*/
'auth' => 'example-userpass',
/*
* The interoperable SAML 2 profile specifies that attributes should be delivered using the urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat.
* We therefore recommended enabling this in new installations. This can be done by adding the following to the saml20-idp-hosted configuration:
*/
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
// Convert LDAP names to oids.
100 => array('class' => 'core:AttributeMap', 'name2oid'),
),
);
saml20-idp-remote.php
$metadata['http://auth.sam.net/simplesaml/saml2/idp/metadata.php'] = array (
'entityid' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
'contacts' =>
array (0 =>
array (
'contactType' => 'technical',
'surName' => 'Administrator',
'emailAddress' => array (0 => 'support#bluekiwi-software.com'),
),
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' => array (0 => array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array ( 0 => array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'ArtifactResolutionService' =>
array (
),
'keys' =>
array (0 => array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
),
1 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
),
),
);
saml20-sp-remote.php
$metadata['http://trunk.sam.net'] = array (
'AssertionConsumerService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp-trunk.sam.net',
'SingleLogoutService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp-trunk.sam.net',
);
Could anyone point me to what I did wrong?
Am I missing a configuration entry / file?
Should I use separate simplesaml installations?
Thanks for your advice
The problem was that the SP and IdP need to be two different installations of simple saml.
I copied the source code to another folder, edited the vhost I used for the IdP (auth.sam.net) and everything worked. The configuration was OK.
What does your simpleSAML IDP authenticate against? AD?
Do you simply want your application to authenticate against the IDP repository?
Why do you need the simpleSAML SP?
Could your application authenticate directly against the simpleSAML IDP?
You normally use simpleSAML SP in something like the following:
AD <-- ADFS <-- simpleSAML SP <-- SAML application.