WSO2 IS and simplesamlphp - php

I am trying to get the WSO2 Identity Server (4.0.0) to authenticate simplesamlphp (1.10.0) sessions.
The WSO2 IS host is running at https://sim2:9443/ (the IdP server).
The simplesamlphp scripts are running at http://dellperf1/simplesaml/ (configured as the SP).
Configuration
On the WSO2 end, I have configured an Issuer as follows:
wso2 IS Issuer Configuration
I have configured some users, both by using "Add User" under Configure -> Users and Roles and by the "Sign Up" function on the WSO2 IS home page.
I have configured simplesamlphp as follows:
config/authsources.php
The entityID matches the "Issuer" in the WSO2 config; it is my company name, so I have obscured it.
// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'default-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => '$ISSUER HIDDEN',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    // 'idp' => NULL,

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    // 'discoURL' => NULL,

    // Key pair used to sign outgoing messages / decrypt incoming assertions.
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
),
metadata/saml20-idp-remote.php
/*
 * $MY IdP
 */

$metadata['https://sim2.FQDN:9443'] = array(
    'name' => array(
        'en' => '$company IdP test server',
    ),
    'description' => 'WSO2 ID Server',
    'SingleSignOnService' => 'https://sim2:9443/samlsso',
    'SingleLogoutService' => 'https://sim2:9443/samlsso',
    // SHA-1 fingerprint of the IdP signing certificate (previous value kept for reference)
    //'certFingerprint' => '04b3b08bce004c27458b3e85b125273e67ef062b',
    'certFingerprint' => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d',
);
Whenever I visit http://dellperf1/simplesaml/, select the Authentication tab -> Test Authentication sources -> default-sp and select "$company IdP test server", I am correctly redirected to the WSO2 server and presented with the "SAML 2.0 based Single Sign-On" page.
This is where I hit problems. I don't seem to be able to authenticate as any user I have created, whether via Add User or Sign Up.
I only get the following in the Carbon logs:
[2013-01-29 11:36:57,269] WARN {org.wso2.carbon.identity.sso.saml.processors.AuthnRequestProcessor} - Authentication Failure, invalid username or password.
The users are in the default profile, which has the following configured as roles: "identity,everyone".
If I try to log in using the (default) admin:admin credentials, I seem to authenticate, but simplesamlphp throws an exception:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /var/simplesamlphp/lib/SAML2/Binding.php:95 (SAML2_Binding::getCurrentBinding)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:11 (require)
0 /var/simplesamlphp/www/module.php:135 (N/A)
I think I am hitting two issues here:
1) The users I am creating cannot be authenticated using SAML, whereas the admin user can be. Why might this be? Profile or policy issues?
2) Even if I could authenticate with a user I have created other than admin, would I get the same Binding backtrace?
I have seen some traffic on the WSO2 mailing lists in December 2012 around the bindings WSO2 IS supports; am I fighting a losing battle here?
If simplesamlphp and WSO2 IS won't currently play well together, can someone from the WSO2 crowd suggest a simple method for testing SAML 2.0 against their IS?

If a user cannot log in, it means that you have not configured login permission for that user. Please assign login permission to the "everyone" role and check.
I believe one of my friends has tried the simplesamlphp integration with WSO2 Identity Server; please see the blog post he wrote about it [1]. I think this would help you.
[1] http://blog.facilelogin.com/2013/06/wso2-identity-server-saml2-idp-with.html
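The saml20-idp-remote.php entry above pins the IdP by 'certFingerprint', and the commented-out value shows the pin has already been changed once. A practical check before debugging the login failure further is to compute the fingerprint of the certificate the WSO2 server actually signs with and compare it with the configured value. The following is an added example, not code from the question or from simplesamlphp: it reproduces in Python the fingerprint form simplesamlphp expects (SHA-1 over the DER-encoded certificate, lowercase hex, no separators) and normalizes the colon-separated uppercase form that `openssl x509 -noout -fingerprint -sha1` prints. The PEM block is a constructed stand-in whose body decodes to the bytes "hello", not a real certificate; swap in the PEM exported from the IdP's keystore to run the check for real.

```python
import base64
import hashlib
import re

# Constructed stand-in for an IdP certificate: the base64 body decodes to the
# bytes b"hello", NOT to a real DER-encoded X.509 certificate. Replace it with
# the PEM exported from the IdP's keystore when running this check for real.
CONSTRUCTED_IDP_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER certificate as lowercase hex without separators.

    This is the shape simplesamlphp's 'certFingerprint' option is compared
    against after normalization.
    """
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Reduce 'AA:F4:...' / uppercase forms to the bare lowercase hex string."""
    cleaned = fp.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return cleaned


def fingerprint_matches(pem: str, configured) -> bool:
    """True if the certificate's fingerprint equals one of the configured pins.

    `configured` may be a single fingerprint string or a list of candidates
    (for example the old and the new value while rotating an IdP certificate).
    """
    pins = [configured] if isinstance(configured, str) else list(configured)
    actual = sha1_fingerprint(pem)
    return any(actual == normalize_fingerprint(pin) for pin in pins)


if __name__ == "__main__":
    print("fingerprint:", sha1_fingerprint(CONSTRUCTED_IDP_PEM))
    # The pin from the question's saml20-idp-remote.php; it does not match the
    # constructed stand-in certificate, so this prints False.
    print("matches configured pin:",
          fingerprint_matches(CONSTRUCTED_IDP_PEM,
                              "6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d"))
```

If the computed value differs from the configured one, simplesamlphp will reject the signed response even when the username and password are accepted by the IdP, so this is worth ruling out before looking at roles and permissions.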

Related

Getting error The redirect URI is not registered properly with DocuSign when I followed their tutorial

I'm using Windows, XAMPP and am fairly new to integrating DocuSign. I watched this tutorial from DocuSign using PHP; however, since the tutorial uses a Mac, I'm confused about how to set this tutorial up on XAMPP and Windows, and the result is that I'm getting the error:
The redirect URI is not registered properly with DocuSign
Here is how I did my setup
1.) Cloned the repository and placed it in xamp/htdocs/eg-something-something
2.) Renamed the ugly repository name to xamp/htdocs/docusign/
3.) Ran composer install to get the dependencies
4.) Configured my ds_config.php; here is my code (I removed the credentials for security purposes):
<?php
// ds_config.php
//
// DocuSign configuration settings
$DS_CONFIG = [
    'ds_client_id' => 'xxxx',       # The app's DocuSign integration key
    'ds_client_secret' => 'xxx',    # The app's DocuSign integration key's secret
    'signer_email' => 'xxx#gmail.com',
    'signer_name' => 'Michael',
    'app_url' => 'http://localhost/docusign/public', // The url of the application.
    // Ie, the user enters app_url in their browser to bring up the app's home page
    // Eg http://localhost/eg-03-php-auth-code-grant/public if the app is installed in a
    // development directory that is accessible via web server.
    // NOTE => You must add a Redirect URI of app_url/index.php?page=ds_callback to your Integration Key.
    'authorization_server' => 'https://account-d.docusign.com',
    'session_secret' => '{SESSION_SECRET}', // Secret for encrypting session cookie content
    'allow_silent_authentication' => true, // a user can be silently authenticated if they have an
    // active login session on another tab of the same browser
    'target_account_id' => false, // Set if you want a specific DocuSign AccountId, If false, the user's default account will be used.
    'demo_doc_path' => 'demo_documents',
    'doc_docx' => 'World_Wide_Corp_Battle_Plan_Trafalgar.docx',
    'doc_pdf' => 'World_Wide_Corp_lorem.pdf',
    // Payment gateway information is optional
    'gateway_account_id' => '{DS_PAYMENT_GATEWAY_ID}',
    'gateway_name' => "stripe",
    'gateway_display_name' => "Stripe",
    'github_example_url' => 'https://github.com/docusign/eg-03-php-auth-code-grant/tree/master/src/',
    'documentation' => false
];
$GLOBALS['DS_CONFIG'] = $DS_CONFIG;
5.) Logged into my admin sandbox and used this as my redirect URI:
http://localhost/docusign/public/index.php?page=ds_callback
The web app is running, but I get the error "The redirect URI is not registered properly with DocuSign" when I click the login or just when authenticating.
Thanks for helping me on this issue.
Update:
I tried adding http:// to the configuration of the integration key in the sandbox; however, I'm now getting a fatal error:
Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL
error 77: error setting certificate verify locations: CAfile:
C:\xampp\apache\bin\curl-ca-bundle.crt CApath: none (see
http://curl.haxx.se/libcurl/c/libcurl-errors.html) in
C:\xampp\htdocs\docusign\vendor\guzzlehttp\guzzle\src\Handler\CurlFactory.php
on line 186
This happens once I try to authenticate. Check this screenshot for the errors.
Try http://localhost/docusign/public/index.php?page=ds_callback as the redirect URL.
You need the complete URL, including the http:// part.

simpleSAMLphp: Unable to find the current binding

I am the SP; I cannot log in to the SP using my client's IdP.
I get the error below:
SimpleSAML_Error_Error: ACSPARAMS
Backtrace:
1 modules/saml/www/sp/saml2-acs.php:21 (require)
0 www/module.php:135 (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 vendor/simplesamlphp/saml2/src/SAML2/Binding.php:99 (SAML2\Binding::getCurrentBinding)
1 modules/saml/www/sp/saml2-acs.php:16 (require)
0 www/module.php:135 (N/A)
My configuration in authsources.php is as follows:
'abc-live-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'entityID' => null,
    'idp' => 'https://federation-a.parnassiagroep.nl/superbrains',
    'discoURL' => null,
    'NameIDPolicy' => false,
),
Is there anything I am missing?
Help will be appreciated.
The exception trace is shown above.
In config.php, allow HTTP POST requests. This worked for me:
'enable.http_post' => true,
In addition, I restricted the ACS URL binding to HTTP-POST. This may not be necessary:
'acs.Bindings' => array('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'),
I still don't know why the ACS URL and the other URLs in the metadata come out as HTTP links; all the links in the config files are HTTPS.
Did you set up the Identity Provider in your "metadata/saml20-idp-remote.php" file?
It's been a while since I used simplesamlphp, but I'm pretty sure you need the Identity Provider (IdP) administrator to add you as an "accepted" Service Provider (SP). This is done by sharing your metadata with them.
There is a very handy guide by UNINETT, the creators of simplesamlphp here:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp
Someone also had a similar issue:
Simplesamlphp unhandled exception error while using as SP
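Both this thread and the WSO2 question above die in the same place: SAML2_Binding::getCurrentBinding() throws "Unable to find the current binding." when the request that reaches the ACS carries none of the parameters a SAML binding is recognised by. The example below is added here and is not code from either post or from simplesamlphp; it re-implements that decision logic in Python and runs it over constructed requests. The interesting case is a plain GET with no SAMLResponse: that is what the ACS sees when a user opens the ACS URL directly, and also when the IdP POSTs the response to an http:// ACS URL and the web server answers with a 301/302 to https://, because browsers follow such a redirect with a GET and drop the POST body. That is one possible reading of the observation in the accepted answer that the metadata URLs came out as HTTP while the config says HTTPS (in simplesamlphp the scheme and host in generated metadata come from 'baseurlpath' in config.php, or from the request when that is left relative). The SAMLResponse values are placeholders, not real encoded assertions.

```python
from typing import Dict, Optional

SAML_MESSAGE_PARAMS = ("SAMLRequest", "SAMLResponse")


def detect_binding(method: str,
                   query: Optional[Dict[str, str]] = None,
                   form: Optional[Dict[str, str]] = None,
                   content_type: Optional[str] = None) -> str:
    """Decide which SAML 2.0 binding an incoming HTTP request uses.

    Follows the decision order of simplesamlphp's SAML2_Binding::getCurrentBinding():
      GET  + SAMLRequest/SAMLResponse in the query -> HTTP-Redirect
      GET  + SAMLart in the query                  -> HTTP-Artifact
      POST + SAMLRequest/SAMLResponse in the form  -> HTTP-POST
      POST + SAMLart in the form                   -> HTTP-Artifact
      POST with an XML/SOAP media type             -> SOAP
    Anything else is rejected with the same message simplesamlphp raises.
    """
    query = query or {}
    form = form or {}
    method = method.upper()
    if method == "GET":
        if any(p in query for p in SAML_MESSAGE_PARAMS):
            return "HTTP-Redirect"
        if "SAMLart" in query:
            return "HTTP-Artifact"
    elif method == "POST":
        media_type = (content_type or "").split(";")[0].strip().lower()
        if any(p in form for p in SAML_MESSAGE_PARAMS):
            return "HTTP-POST"
        if "SAMLart" in form:
            return "HTTP-Artifact"
        if media_type in ("text/xml", "application/soap+xml"):
            return "SOAP"
    raise ValueError("Unable to find the current binding.")


# Constructed requests as the SP's ACS endpoint (saml2-acs.php) might see them.
# The SAMLResponse values are placeholders, not real base64-encoded assertions.
CONSTRUCTED_ACS_REQUESTS = {
    # The normal case: the IdP's auto-submitting HTML form POSTs the response.
    "idp_form_post": dict(
        method="POST",
        form={"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlLz4=", "RelayState": "x"},
        content_type="application/x-www-form-urlencoded",
    ),
    # The IdP POSTed to an http:// ACS URL, the server replied 301/302 to
    # https://, and the browser followed with a GET and no body.
    "post_lost_on_redirect": dict(method="GET", query={}),
    # A user or monitoring probe opened the ACS URL directly in a browser.
    "direct_browse": dict(method="GET", query={}),
    # A response sent with the Redirect binding is still recognised.
    "redirect_binding_response": dict(method="GET",
                                      query={"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlLz4="}),
}


def classify_requests(requests: Dict[str, dict]) -> Dict[str, str]:
    """Run detect_binding over a table of requests, recording the error text."""
    results = {}
    for name, req in requests.items():
        try:
            results[name] = detect_binding(**req)
        except ValueError as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in classify_requests(CONSTRUCTED_ACS_REQUESTS).items():
        print(f"{name:26s} -> {outcome}")
```

When debugging, capture the request that hits saml2-acs.php (web server access log or browser developer tools) and feed its method and parameters to detect_binding; if it comes back as an error, the response never reached the ACS as a POST, and the ACS URL in the SP metadata and any scheme redirects in front of it are the first things to compare.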

php OAuthException after url changes

I have a php site (Site A) that users are logged into by clicking a link on a different site (Site B) and it works great!
Recently Site B changed their domain name. After making the correct name changes on Site A, I am getting the following error message:
OAuthException Object ( [message:protected] => making the request failed (Peer certificate cannot be authenticated with given CA certificates) [string:Exception:private] => exception 'OAuthException' with message 'making the request failed (Peer certificate cannot be authenticated with given CA certificates)'
The line that is causing this error is $oauth->fetch("$api_url");
After forwarding this error to our provider, they simply said it was not an issue on their end.
cURL enabled: version 7.46.0
Windows Server 2008 Standard Edition Service Pack 2
PHP 5.6.18

Can not get access token in microsoft dynamics in php?

We have created an application in Azure Active Directory. Before this, I had obtained an access token by granting the same permissions in Azure AD. But I cannot get one now using the same application with the same permissions.
My request is:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=my_client_id&redirect_uri=https://xxx/msd1/authorize.php&response_type=code
Response:
stdClass Object
(
[error] => invalid_grant
[error_description] => AADSTS65001: The user or administrator has not consented to use the application with ID 'client_id'. Send an interactive authorization request for this user and resource.
Trace ID: 6f01144c-4dc0-4911-9923-1cf134d264f0
Correlation ID: f5765d5f-7109-48a3-89f0-2729c15551c3
Timestamp: 2016-05-20 06:09:47Z
[error_codes] => Array
(
[0] => 65001
)
[timestamp] => 2016-05-20 06:09:47Z
[trace_id] => 6f01144c-4dc0-4911-9923-1cf134d264f0
[correlation_id] => f5765d5f-7109-48a3-89f0-2729c15551c3
)
Where did I go wrong? Is this a permission-related problem?
How do I get an access token for this?
Maybe the account you used to register the application does not have administrator permission or is not in the same Office 365 subscription (tenant).
We can find the requirement:
Sign in to the Microsoft Azure management portal by using an account with administrator permission. You must use an account in the same Office 365 subscription (tenant) as you intend to register the app with. You can also access the Microsoft Azure portal through the Office 365 admin center by expanding the ADMIN item in the left navigation pane and selecting Azure AD.
Please refer to App registration for CRM Online for details.

Janrain settings not getting saved in Drupal (Error Contacting Engage)

This is happening on our local web server, installed using XAMPP.
Steps to reproduce the issue:
Registered an account with Janrain.com
Created the app "testapp" and configured the Engage application with the
providers Yahoo!, Twitter and LinkedIn.
Downloaded the Janrain Engage Drupal 7 module from the Janrain website
Installed this module in my local web application.
Activated the plugin and, in the Janrain Drupal settings page, entered the following details: a) Engage Server and b) API Key
After entering these details, clicked the "Save Configuration" button. Instead of the information being saved, we get the error message
"Error message Error contacting Engage. Please verify your internet connection and try again."
I looked into the code; the line below was causing the issue:
$lookup = RPX::lookup($api_key, $rpx_server);
Checked the "lookup" function code and found that I was able to connect to the Engage server, but there was some problem with the response.
In this "lookup" function, we get the JSON response below:
stdClass Object
(
    [request] => POST https://rpxnow.com/plugin/lookup_rp HTTP/1.0
                 Referer: http://localhost/testapp
                 User-Agent: Janrain_Engage_Drupal_Module
                 Proxy-Authorization: Basic
                 Host: rpxnow.com
                 Content-Length: 105
    [data] => ""
    [protocol] => HTTP/1.0
    [status_message] => OK
    [code] => 200
)
Found that the "data" facet in the JSON response was missing.
Please let me know what the solution for this issue is.
This sounds like a web server configuration issue... the drupal_http_request() function is probably failing to run. There may be any number of fixes depending on what is specifically happening. More info here: https://drupal.org/node/222454
