I've been following along this tutorial:
http://www.worldgoneweb.com/2013/installing-simplesamlphp-and-use-it-as-sp-and-idp-for-development-env-only/
It has really helped me set up authentication between SP and IdP. However, when configuring the metadata/saml20-remote-sp.php file it tells me to copy and paste the contents of a box (SP: Federation > Show metadata > simpleSAMLphp flat file format box) into that file. I've done this, and it works great for a single SP - I just don't really know how to add another SP. I checked the documentation but it only shows the minimum set required, with no mention or example of multiple SPs.
Below is my IdP's metadata/saml20-remote-sp.php with a single SP:
$metadata['http://local-ssoidp'] = array (
    'SingleLogoutService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
        ),
    ),
    'AssertionConsumerService' =>
    array (
        0 =>
        array (
            'index' => 0,
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        ),
        1 =>
        array (
            'index' => 1,
            'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
            'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp',
        ),
        2 =>
        array (
            'index' => 2,
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
            'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        ),
        3 =>
        array (
            'index' => 3,
            'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
            'Location' => 'http://local-mwqasys/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
        ),
    ),
);
How can I add additional SPs to this? I considered merging the arrays together (the arrays given by each SP's show metadata page) but want to gain a little better understanding rather than guesswork. Can anyone please advise on how this is done? Thanks.
You can just add a second SP under your first one.
So copy what you currently have and paste it at the bottom of the file. Then edit the second copy with the details of your second SP.
Cheers
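An added example (not from the question, the answer or the tutorial) of an IdP's metadata/saml20-sp-remote.php carrying two SPs: each SP is its own `$metadata[...]` entry keyed by that SP's entityID, so the second SP's "Show metadata" output is pasted below the first as a separate entry rather than merged into it. The entityIDs and hostnames are made up.

```php
<?php
// Added example, not the original poster's file: an IdP's
// metadata/saml20-sp-remote.php with two remote SPs. Each SP is a separate
// $metadata entry keyed by the SP's entityID, the value the IdP matches
// against the Issuer of an incoming AuthnRequest. Hostnames are made up.

// SP 1: the first SP's "Show metadata" output in flat file format.
$metadata['https://sp-one.example.test/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array (
    'AssertionConsumerService' => array (
        0 => array (
            'index' => 0,
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://sp-one.example.test/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        ),
    ),
    'SingleLogoutService' => array (
        0 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sp-one.example.test/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
        ),
    ),
);

// SP 2: the second SP's output pasted below the first as its own entry.
// The two arrays are not merged: each SP keeps its endpoints under its own
// key, and the IdP only delivers responses to the ACS Locations listed for
// the SP that issued the request, so every entry must be complete.
$metadata['https://sp-two.example.test/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array (
    'AssertionConsumerService' => array (
        0 => array (
            'index' => 0,
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://sp-two.example.test/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        ),
    ),
    'SingleLogoutService' => array (
        0 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sp-two.example.test/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
        ),
    ),
);
```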
So I need to send an SLO request to an Okta IdP from my Service Provider made with SimpleSAMLphp.
I have tried the logout function of SimpleSAMLphp, but it only logs out on the Service Provider, not on my IdP...
The code used:
require_once('/var/www/service_provider/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->logout();
I tried passing the SLO URL of my IdP as a parameter to the logout() function, but some parameters are missing in the request and there is no documentation on how to generate these missing parameters...
Thanks for your help!
Best regards,
EDIT:
Here is my authsources config:
'default-sp' => [
    'saml:SP',
    'entityID' => null,
    'idp' => 'http://www.okta.com/ID',
    'discoURL' => null,
    'privatekey' => 'sp.pem',
    'certificate' => 'sp.crt',
    'sign.logout' => true,
    'sign' => [
        'logout' => true
    ]
],
EDIT:
The IDP metadata:
$metadata['http://www.okta.com/randomString'] = array (
    'entityid' => 'http://www.okta.com/randomString',
    'contacts' =>
    array (
    ),
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
        ),
        1 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
        ),
    ),
    'SingleLogoutService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
        ),
        1 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
        ),
    ),
    'ArtifactResolutionService' =>
    array (
    ),
    'NameIDFormats' =>
    array (
        0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        1 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    ),
    'keys' =>
    array (
        0 =>
        array (
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => 'certValue',
        ),
    ),
);
You will need to first enable logout in the Okta app. This will require your service provider public cert since Okta wants logout requests to be signed.
Once you have enabled logout the SAML metadata for the Okta IdP changes to include the logout URLs. You will need to update the metadata you have in SSP so that SSP knows about Okta's logout url.
Lastly, you need to enable signed logout messages from SSP. You do that with the 'sign.logout' => true option in your authsources.php.
So finally the bug was that I had missed starting the session in the logout script. So SimpleSAMLphp never found the current session; as Patrick suggested in his comment, isAuthenticated was always false.
So to correct the bug I added at the start of my logout script a
session_start();
And it works!
I have created a link from my web directory such that https://resolute.organization.in/sso points to the simplesaml directory /var/www/simplesamlphp/www
My simpleSAML configuration page:
The complete link https://resolute.organization.in/sso/module.php/saml/sp/saml2-acs.php/default-sp shows 404 Not Found while testing Authentication Sources --> default-sp.
My config.php:
$config = [
    'baseurlpath' => 'https://resolute.organization.in/sso/',
    'secretsalt' => 'my_secret_salt',
    'auth.adminpassword' => 'my_admin_pass',
];
Everything else in config.php is left at its default value.
My authsources.php:
$config = [
    'admin' => [
        'core:AdminPassword',
    ],
    'default-sp' => [
        'saml:SP',
        'entityID' => 'https://resolute.organization.in/',
        'idp' => 'https://sts.windows.net/{some-unique-key}/', // From metadata.xml for the app with entity ID in AD as *https://resolute.organization.in/*
        'discoURL' => null,
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        'simplesaml.nameidattribute' => 'eduPersonTargetedID',
    ],
];
My metadata array in saml20-idp-remote.php:
$metadata['https://sts.windows.net/{some-unique-key}/'] = array (
    'entityid' => 'https://sts.windows.net/{some-unique-key}/',
    'contacts' =>
    array (
    ),
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://login.microsoftonline.com/{some-unique-key}/saml2',
        ),
        1 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://login.microsoftonline.com/{some-unique-key}/saml2',
        ),
    ),
    'SingleLogoutService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://login.microsoftonline.com/{some-unique-key}/saml2',
        ),
    ),
    'ArtifactResolutionService' =>
    array (
    ),
    'NameIDFormats' =>
    array (
    ),
    'keys' =>
    array (
        0 =>
        array (
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => '{really_long_key}',
        ),
    ),
);
My Federation page:
The [show metadata] link shows 404 as well, the link in the URL bar in this case is:
https://resolute.organization.in/sso/module.php/saml/sp/metadata.php/default-sp?output=xhtml
IdP metadata link shows the metadata array properly.
Please help me out with what I am missing here, as I have been breaking my head over this for a few days now.
Figured out the issue, it had something to do with Nginx server configuration that could not handle multiple php pages in one link. Switched to Apache and everything works fine.
It depends on how php handles the url parameters and occurs when using php-fpm either with NGINX or Apache mpm_worker/event.
In order to fix this, set cgi.fix_pathinfo=1 in php.ini.
I am looking to filter notifications based on users current location. I get that I can set geozones through the PushWoosh web-site, but I can't seem to find any way to do this through the remote API.
I want to do something like this:
$this->pwCall('createMessage',
    array
    (
        'application' => 'XXXXX-XXXXX',
        'auth' => 'XXXXXX[...]',
        'lng' => 42,
        'lat' => 42,
        'range' => 1000,
        'notifications' => array
        (
            array
            (
                "platforms" => array(3),
                'send_date' => 'now',
                "ignore_user_timezone" => true,
                'content' => "$message",
                'data' => array("type" => $type),
                "android_header" => "$header",
            )
        )
    )
);
In other words: Send the notification to any device within a certain range from a specific location, but I can't get it to work. Is it even possible to do something like this?
Thank you in advance!
Taking a sub panel in SugarCRM and making it into two: one that displays entries where a checkbox is checked, the other the unchecked entries.
I have a module called mod_loaninvestor, and its sub panel is whole_subpanel_mod_loaninvestor_contacts
Now I know vardefs is where you create the duplicate and rename it like this
<?php
//WARNING: The contents of this file are auto-generated
// created: 2014-01-24 13:12:28
$layout_defs["Contacts"]["subpanel_setup"]['mod_loaninvestor_contacts'] = array (
    'order' => 100,
    'module' => 'mod_LoanInvestor',
    'subpanel_name' => 'default',
    'sort_order' => 'asc',
    'sort_by' => 'id',
    // 'where' => "(mod_LoanInvestor.active_investment = '1')",
    'title_key' => 'LBL_MOD_LOANINVESTOR_CONTACTS_FROM_MOD_LOANINVESTOR_TITLE',
    'get_subpanel_data' => 'mod_loaninvestor_contacts',
    'top_buttons' =>
    array (
        /*
        0 =>
        array (
            'widget_class' => 'SubPanelTopButtonQuickCreate',
        ),
        1 =>
        array (
            'widget_class' => 'SubPanelTopSelectButton',
            'mode' => 'MultiSelect',
        ),
        */
    ),
);
// created: 2014-01-24 13:12:28
$layout_defs["Contacts"]["subpanel_setup"]['mod_loaninvestor_contacts1'] = array (
    'order' => 100,
    'module' => 'mod_LoanInvestor',
    'subpanel_name' => 'default',
    'sort_order' => 'asc',
    'sort_by' => 'id',
    'title_key' => 'LBL_MOD_LOANINVESTOR_CONTACTS_FROM_MOD_LOANINVESTOR_TITLE',
    'get_subpanel_data' => 'mod_loaninvestor_contacts',
    'top_buttons' =>
    array (
        /*
        0 =>
        array (
            'widget_class' => 'SubPanelTopButtonQuickCreate',
        ),
        1 =>
        array (
            'widget_class' => 'SubPanelTopSelectButton',
            'mode' => 'MultiSelect',
        ),
        */
    ),
);
?>
How would I make it so the first one only shows entries with the following field checked, and the other displays only entries with that field unchecked?
Thanks for your help!
You're halfway there. On top of defining new layoutdefs, you need to create a new subpanel definition.
Dig into mod_LoanInvestor and the metadata/subpanels/default.php and copy it to default2.php or whatever you'd like to call it. You'll want to use a WHERE clause to separate the two.
https://gist.github.com/matthewpoer/8871568
Here's a gist where I'm doing this with transaction records to separate scheduled (future) transactions from past (posted payments).
I am trying to authenticate using SAML in my web app.
I followed the IdP quick start and the SP quick start user guides and came up with the configuration below,
which fails with:
Backtrace:
1 /app_path/application/lib/simplesamlphp/www/_include.php:37 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /app_path/application/lib/simplesamlphp/lib/SAML2/Binding.php:81 (SAML2_Binding::getCurrentBinding)
1 /app_path/application/lib/simplesamlphp/modules/saml/lib/IdP/SAML2.php:266 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /app_path/application/lib/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
Setup:
My app runs locally with the host: trunk.sam.net
Simplesaml, SP, is included in the app as a library and accessible at: trunk.sam.net/simplesaml
Simplesaml, IdP, is installed locally and runs at: auth.sam.net
Both simplesaml are actually using the same code and configuration files (they share the same document root)
Configuration:
config.php
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
authsources.php
'default-sp-trunk.sam.net' => array(
    'saml:SP',
    'entityID' => 'http://trunk.sam.net',
    'idp' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
    'ssoPortalUrl' => 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
    'bkmapping' => array(
        'login' => 'uid',
        'eMail' => 'mail'
    )
),
'example-userpass' => array(
    'exampleauth:UserPass',
    'shf:pwd' => array(
        'uid' => array('shf'),
        'eduPersonAffiliation' => array('mail', 'shf#bk-soft.com')
    ),
    'shl:pwd' => array(
        'uid' => array('shl')
    ),
),
saml20-idp-hosted.php
$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname for this IdP. This makes it possible to run multiple
     * IdPs from the same configuration. '__DEFAULT__' means that this one
     * should be used by default.
     */
    'host' => '__DEFAULT__',
    /*
     * The private key and certificate to use when signing responses.
     * These are stored in the cert-directory.
     */
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',
    /*
     * The authentication source which should be used to authenticate the
     * user. This must match one of the entries in config/authsources.php.
     */
    'auth' => 'example-userpass',
    /*
     * The interoperable SAML 2 profile specifies that attributes should be delivered using the urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat.
     * We therefore recommend enabling this in new installations. This can be done by adding the following to the saml20-idp-hosted configuration:
     */
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),
);
saml20-idp-remote.php
$metadata['http://auth.sam.net/simplesaml/saml2/idp/metadata.php'] = array (
    'entityid' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
    'contacts' =>
    array (
        0 =>
        array (
            'contactType' => 'technical',
            'surName' => 'Administrator',
            'emailAddress' => array (0 => 'support#bluekiwi-software.com'),
        ),
    ),
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
        ),
    ),
    'SingleLogoutService' =>
    array (
        0 =>
        array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SingleLogoutService.php',
        ),
    ),
    'ArtifactResolutionService' =>
    array (
    ),
    'keys' =>
    array (
        0 =>
        array (
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => '...', // certificate value removed from the page
        ),
        1 =>
        array (
            'encryption' => true,
            'signing' => false,
            'type' => 'X509Certificate',
            'X509Certificate' => '...', // certificate value removed from the page
        ),
    ),
);
saml20-sp-remote.php
$metadata['http://trunk.sam.net'] = array (
    'AssertionConsumerService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp-trunk.sam.net',
    'SingleLogoutService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp-trunk.sam.net',
);
Could anyone point me to what I did wrong?
Am I missing a configuration entry / file?
Should I use separate simplesaml installations?
Thanks for your advice
The problem was that the SP and IdP need to be two different installations of simple saml.
I copied the source code to another folder, edited the vhost I used for the IdP (auth.sam.net) and everything worked. The configuration was OK.
What does your simpleSAML IDP authenticate against? AD?
Do you simply want your application to authenticate against the IDP repository?
Why do you need the simpleSAML SP?
Could your application authenticate directly against the simpleSAML IDP?
You normally use simpleSAML SP in something like the following:
AD <-- ADFS <-- simpleSAML SP <-- SAML application.