I am trying to authenticate using SAML in my web app.
I followed the IdP quick start and the SP quick start user guides and came up woth the configuration below
which fails with :
Backtrace:
1 /app_path/application/lib/simplesamlphp/www/_include.php:37 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /app_path/application/lib/simplesamlphp/lib/SAML2/Binding.php:81 (SAML2_Binding::getCurrentBinding)
1 /app_path/application/lib/simplesamlphp/modules/saml/lib/IdP/SAML2.php:266 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /app_path/application/lib/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
Setup :
My app runs locally with the host : trunk.sam.net
Simplesaml, SP, is included in the app as a library and accessible at : trunk.sam.net/simplesaml
Simplesaml, IdP, is installed locally and runs at : auth.sam.net
Both simplesaml are actually using the same code and configuration files (they share the same document root)
Configuration :
config.php
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
authsources.php
'default-sp-trunk.sam.net' => array(
'saml:SP',
'entityID' => 'http://trunk.sam.net',
'idp' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
'ssoPortalUrl'=> 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
'bkmapping' => array(
'login' => 'uid',
'eMail' => 'mail'
)
),
'example-userpass' => array(
'exampleauth:UserPass',
'shf:pwd' => array(
'uid' => array('shf'),
'eduPersonAffiliation' => array('mail', 'shf#bk-soft.com')
),
'shl:pwd' => array(
'uid' => array('shl')
),
),
saml20-idp-hosted.php
$metadata['__DYNAMIC:1__'] = array(
/*
* The hostname for this IdP. This makes it possible to run multiple
* IdPs from the same configuration. '__DEFAULT__' means that this one
* should be used by default.
*/
'host' => '__DEFAULT__',
/*
* The private key and certificate to use when signing responses.
* These are stored in the cert-directory.
*/
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
/*
* The authentication source which should be used to authenticate the
* user. This must match one of the entries in config/authsources.php.
*/
'auth' => 'example-userpass',
/*
* The interoperable SAML 2 profile specifies that attributes should be delivered using the urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat.
* We therefore recommended enabling this in new installations. This can be done by adding the following to the saml20-idp-hosted configuration:
*/
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
// Convert LDAP names to oids.
100 => array('class' => 'core:AttributeMap', 'name2oid'),
),
);
saml20-idp-remote.php
$metadata['http://auth.sam.net/simplesaml/saml2/idp/metadata.php'] = array (
'entityid' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
'contacts' =>
array (0 =>
array (
'contactType' => 'technical',
'surName' => 'Administrator',
'emailAddress' => array (0 => 'support#bluekiwi-software.com'),
),
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' => array (0 => array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array ( 0 => array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'ArtifactResolutionService' =>
array (
),
'keys' =>
array (0 => array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
),
1 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
),
),
);
saml20-sp-remote.php
$metadata['http://trunk.sam.net'] = array (
'AssertionConsumerService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp-trunk.sam.net',
'SingleLogoutService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp-trunk.sam.net',
);
Could anyone point me to what I did wrong ?
Am i missing a configuration entry / file ?
Should I use separate simplesaml installations ?
Thanks for your advice
The problem was that the SP and IdP need to be two different installations of simple saml.
I copied the source code to another folder, edited the vhost I used for the IdP (auth.sam.net) and everything worked. The configuration was OK.
What does your simpleSAML IDP authenticate against? AD?
Do you simply want your application to authenticate against the IDP repository?
Why do you need the simpleSAML SP?
Could your application authenticate directly against the simpleSAML IDP?
You normally use simpleSAML SP in something like the following:
AD <-- ADFS <-- simpleSAML SP <-- SAML application.
Related
So i need to send to an OKTA IDP a SLO request from my ServiceProvider make with SimpleSAMLphp.
I have try the logout function of SimpleSAMLphp, but they only logout on the ServiceProvider not on my IDP...
The code used :
require_once('/var/www/service_provider/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->logout();
I try to add in parameter to logout() function the SLO url of my IDP but missing some parameters in the request and no documentations on how to generate this missing parameters...
Thanks for help!
Best regards,
EDIT :
I put my authsources config:
'default-sp' => [
'saml:SP',
'entityID' => null,
'idp' => 'http://www.okta.com/ID',
'discoURL' => null,
'privatekey' => 'sp.pem',
'certificate' => 'sp.crt',
'sign.logout' => true,
'sign' => [
'logout' => true
]
],
EDIT:
The IDP metadata:
$metadata['http://www.okta.com/randomString'] = array (
'entityid' => 'http://www.okta.com/randomString',
'contacts' =>
array (
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://okta/app/okta_test_1/randomString/sso/saml',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://okta/app/okta_test_1/randomString/slo/saml',
),
),
'ArtifactResolutionService' =>
array (
),
'NameIDFormats' =>
array (
0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
1 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'certValue',
),
),
);
You will need to first enable logout in the Okta app. This will require your service provider public cert since Okta wants logout requests to be signed.
Once you have enabled logout the SAML metadata for the Okta IdP changes to include the logout URLs. You will need to update the metadata you have in SSP so that SSP knows about Okta's logout url.
Lastly you need to enable signed logout messages from SSP. You do that with the 'sign.logout' => true option in your authsources.php
So finaly the bug was i'll missed to start the session in the logout script. So SimpleSAMLPHP never found the current session, like suggest Patrick in is comment the isAuthenticated was always false.
So to correct the bug i had at the start of my logout script a
session_start();
And it's works!
I have created a link from my web directory such that https://resolute.organization.in/sso points to the simplesaml directory /var/www/simplesamlphp/www
My simpleSAML configuration page:
The complete link https://resolute.organization.in/sso/module.php/saml/sp/saml2-acs.php/default-sp shows 404 Not Found while testing Authentication Sources --> default-sp.
My config.php:
$config = ['baseurlpath' => 'https://resolute.organization.in/sso/',
'secretsalt' => 'my_secret_salt',
'auth.adminpassword' => 'my_admin_pass',
];
Rest all are default values in config.php
My authsources.php:
$config = [
'admin' => [
'core:AdminPassword',
],
'default-sp' => [
'saml:SP',
'entityID' => 'https://resolute.organization.in/',
'idp' => 'https://sts.windows.net/{some-unique-key}/', //From metadata.xml for the app with entity ID in AD as *https://resolute.organization.in/*
'discoURL' => null,
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'simplesaml.nameidattribute' => 'eduPersonTargetedID',
],
]
My metadata array in saml20-idp-remote.php:
$metadata['https://sts.windows.net/{some-unique-key}/'] = array (
'entityid' => 'https://sts.windows.net/{some-unique-key}/',
'contacts' =>
array (
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://login.microsoftonline.com/{some-unique-key}/saml2',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://login.microsoftonline.com/{some-unique-key}/saml2',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://login.microsoftonline.com/{some-unique-key}/saml2',
),
),
'ArtifactResolutionService' =>
array (
),
'NameIDFormats' =>
array (
),
'keys' =>
array (
0 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => '{really_long_key}',
),
),
);
My Federation page:
The [show metadata] link shows 404 as well, the link in the URL bar in this case is:
https://resolute.organization.in/sso/module.php/saml/sp/metadata.php/default-sp?output=xhtml
IdP metadata link shows the metadata array properly.
Please help me out with what am I missing here as I have been breaking my head over this for a few days now.
Figured out the issue, it had something to do with Nginx server configuration that could not handle multiple php pages in one link. Switched to Apache and everything works fine.
It depends on how php handles the url parameters and occurs when using php-fpm either with NGINX or Apache mpm_worker/event.
In order to fix this, set
cgi.fix_pathinfo=1 in php.ini
When add a new app to access saml, I am facing this issue.
SSOService.php:1 GET https://saml.testing.net/www/saml2/idp/SSOService.php?spentityid=newapp&cookieTime=1459920375
net::ERR_TOO_MANY_REDIRECTS
in my local I don't facing any issue, but when I copy the codes to staging servers, then it shows ERR_TOO_MANY_REDIRECTS errors, keep redirecting, and not able to display the saml login page. The Staging servers with Load balancers, would this caused the error?
Thanks.
Update:
$config = array(
'baseurlpath' => 'https://saml.testing.net/',
'certdir' => '/etc/test/sslcerts/',
'tempdir' => '/tmp',
'datadir' => 'data/',
'auth.adminpassword' => '1234567',
'admin.protectindexpage' => TRUE,
'admin.protectmetadata' => TRUE,
'secretsalt' => 'xxxxxxxxx',
'timezone' => NULL,
// logging related options
'loggingdir' => '/var/log/simplesamlphp/',
'logging.level' => LOG_WARNING,
'logging.logfile' => 'simplesaml_' .date("Ymd") . '.log',
'debug' => true,
'showerrors' => true,
'logging.handler' => 'file',
'logging.facility' => LOG_USER,
'logging.processname' => 'simplesaml',
'debug.validatexml' => FALSE,
'enable.saml20-idp' => TRUE,
'enable.shib13-idp' => FALSE,
'enable.adfs-idp' => FALSE,
'enable.wsfed-sp' => FALSE,
'enable.authmemcookie' => TRUE,
'session.duration' => 2*(60*60),
'session.requestcache' => 4*(60*60),
'session.cookie.lifetime' => 0,
'session.cookie.path' => '/',
'session.phpsession.cookiename' => 'SimpleSAMLSessionID',
'session.cookie.name' => 'SimpleSAMLSessionID',
'session.cookie.domain' => NULL,
'session.cookie.secure' => FALSE,
'session.cookie.lifetime' => 0,
'session.datastore.timeout' => 4*(60*60),
'session.state.timeout' => (60*60),
'session.phpsession.savepath' => NULL,
'session.phpsession.httponly' => FALSE,
'session.disable_fallback' => FALSE,
'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
'session.rememberme.enable' => FALSE,
'session.rememberme.checked' => FALSE,
'session.rememberme.lifetime' => 1209600, // 14 days
'enable.http_post' => FALSE,
'language.available' => array('en'),
'language.default' => 'en',
'attributes.extradictionary' => NULL,
'theme.use' => 'oldtheme:abcdef',
'attributes.extradictionary' => NULL,
'default-wsfed-idp' => 'urn:federation:pingfederate:localhost',
'idpdisco.enableremember' => TRUE,
'idpdisco.rememberchecked' => TRUE,
'idpdisco.validate' => TRUE,
'idpdisco.extDiscoveryStorage' => NULL,
'idpdisco.layout' => 'dropdown',
'shib13.signresponse' => TRUE,
'authproc.idp' => array(
10 => "frogauth:LogHandler",
30 => 'core:LanguageAdaptor',
45 => array('class' => 'core:StatisticsWithAttribute', 'attributename' => 'realm', 'type' => 'saml20-idp-SSO'),
50 => 'core:AttributeLimit',
99 => 'core:LanguageAdaptor',
100 => "newauth:ToLogin",
101 => "newauth:VerifyLogin",
99 => 'core:LanguageAdaptor',
),
'authproc.sp' => array(
99 => 'core:LanguageAdaptor',
),
'metadata.sources' => array(
array('type' => 'flatfile'),
),
'store.type' => 'memcache',
'memcache_store.servers' => array(
array(
array('hostname' => '10.11.11.11'),
),
),
'memcache_store.expires' => 36 * (60*60),
'metadata.sign.enable' => FALSE,
'metadata.sign.privatekey' => NULL,
'metadata.sign.privatekey_pass' => NULL,
'metadata.sign.certificate' => NULL,
'proxy' => null,
'xframe_options'=> array( 'enable' => TRUE, 'trusted_sites' => array()),
'session.duration' => 2*(60*60),
'theme.use' => "newtheme:multitheme",
);
saml20-sp-remote.php
$metadata['newapp'] = array(
'AssertionConsumerService' => 'https://www.newapp.com/mobile/saml',
'SingleLogoutService' => 'https://www.newapp.com/mobile/logout',
'Theme' => 'mobile',
);
In my case the SameSite=None cookie attribute was the culprit. SameSite=None cookies must be used along with the secure attribute!
Solution:
'session.cookie.secure' => true // config.php
If your service is running behind a reverse proxy and is not running over https you additionally need to define the URL schema:
'baseurlpath' => 'https://my.url.com/<path_to_simple_saml>' // indicating the https schema (config.php)
If it helps at all, whenever this occurs in our setup it is because something has gone wrong with the cookies.
The user is not being seen as logged in at the service because the cookies aren't set correctly. Therefore they are redirected to the idp at which point they are shown as logged in and redirected back to the service; and repeat.
Basically your service thinks they aren't logged in, saml thinks they are; and they both keep passing the buck!
I've just run into a similar redirect issue. SimpleSAMLPHP would load fine but when trying to login as an admin it would go into an infinite loop loading the loginuserpass.php and as_login.php pages (redirected initially from /module.php/core/login-admin.php?ReturnTo=XXX).
After a lot of debugging I found that the problem was actually Varnish caching which was stopping the session state from being loaded. This happened no matter what session storage was selected (phpsession, memcache or sql).
Disabling varnish caching on the SimpleSAMLPHP paths fixed the issue for me.
Hope this helps anyone else with this issue.
And here is still another possible solution to try (worked for me after searching for hours, and after correcting the 'session.phpsession.savepath'): Go into the Firefox developer tools (or the browser of your choice) and in the "web storage" remove all cookies.
Close the connection when the page content ends.
In my case the culprit was a git/merge error in the session.phpsession.savepath ... fixing it solved the redirect issue
'session.phpsession.savepath' => "/path/to"
I'm using SimpleSAMLphp as an IdP for a bunch of applications we have, chiefly a Drupal site. I've used SQL as an authsource on the IdP and that works to authenticate users, the response returns to Drupal and the users are authenticated. All good !
However we also need to use social login (login with Twitter, Facebook etc). SimpleSAMLphp supports OAuth, I've set it up and the login works on the IdP with the social accounts, SimpleSAML creates the session and cookies but I'm not authenticated on the Drupal site.
What I need to do is complete the request by returning to Drupal and authenticating the user there, that is, to issue an assertion back to Drupal on success.
Just like in the SQL source, I've mapped the attributes in each of the source files (Twitter.php, Facebook.php etc) however where SQL auth returns to Drupal and creates a session, the others just display their attributes in a template.
How do I generate and send back an assertion for Drupal from these social logins so as to authenticate my users there ?
saml10-sp-remote.php (IdP)
$metadata['https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/metadata.php/sp'] = array (
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml2-logout.php/sp',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml2-logout.php/sp',
),
),
'AssertionConsumerService' =>
array (
0 =>
array (
'index' => 0,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml2-acs.php/sp',
),
1 =>
array (
'index' => 1,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml1-acs.php/sp',
),
2 =>
array (
'index' => 2,
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml2-acs.php/sp',
),
3 =>
array (
'index' => 3,
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'Location' => 'https://durpal_url/simplesaml_drupal_sp/module.php/saml/sp/saml1-acs.php/sp/artifact',
),
),
'certData' => 'xxxx',
);
authsources.php (IdP)
'sql' => array(
'sqlauth:SQL',
'dsn' => 'mysql:host=localhost;dbname=db',
'username' => 'user',
'password' => 'pass',
'query' => 'SELECT u.uid, u.name, u.mail, r.name AS role FROM users u JOIN users_roles ur on ur.uid = u.uid JOIN role r on r.rid = ur.rid where u.mail = :username AND pass = MD5(:password);',
),
'facebook' => array(
'authfacebook:Facebook',
'api_key' => 'xxxx',
'secret' => 'xxxx',
'req_perms' => 'email',
),
'linkedin' => array(
'authlinkedin:LinkedIn',
'key' => 'xxxx',
'secret' => 'xxxx',
),
'twitter' => array(
'authtwitter:Twitter',
'key' => 'xxxx',
'secret' => 'xxxx',
'force_login' => true,
),
saml20-idp-remote.php (SP, Drupal)
$metadata['http://idp_url/simplesaml/saml2/idp/metadata.php'] = array (
'metadata-set' => 'saml20-idp-remote',
'entityid' => 'http://idp_url/simplesaml/saml2/idp/metadata.php',
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://idp_url/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://idp_url/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'certData' => 'xxx',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);
saml20-idp-hosted.php (IdP)
$metadata['__DYNAMIC:1__'] = array(
'host' => '__DEFAULT__',
'privatekey' => 'mysite.com.key',
'certificate' => 'mysite.com.crt',
'auth' => 'sql',
);
Background
Your issue is that your Identity Provider is configured to use sql auth and not twitter, linkedin, etc. The drupal site will send you to the IDP and the IDP is only knowledgable about sql. While you do have authsources configured for social, SSP lets you test and verify those independently of your IDP configuration. This is why SSP is just display the social attributes in a template, and not letting you log into drupal with them.
Option A
multiauth will let you define an authsource that includes your social and sql. You then configure your idp to use the new multiauth authsource
Option B
An IDP per social provider. We run an IDP per social provider. We have multiple IDPs (with unique entityIDs) define in saml20-idp-hosted.php - one for each social account. We do it this way because each of our SPs only wants to trust a subset of all configured social IDPs.
Each SP in this option would include the additional IDP data in saml20-idp-remote.php
Option C
Outsource. We run this sort of social to saml gateway as a SaaS product. This makes sense if you don't like running things yourself, or if you have a several SPs that all want different social providers, or to use different social api keys/secrets per SP.
I'm having troubles with a SSO implemented with SimpleSamlphp.
I have configured everything as follows:
authsources.php
'default-sp' => array(
'saml:SP',
'entityID' => '{{URLSP}}',
'idp' => '{{URLIDP}}',
'discoURL' => NULL,
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
),
authsources.php (Idp)
'example-userpass' => array(
'exampleauth:Static',
'ecid' => '152',
'orgdir' => '{{}}',
'message' => '{{}}',
),
And I set the metadata correctly in saml20-idp-remote / saml20-sp-remote
The error I'm getting is:
State information lost, and no way to restart the request.
0: xxxlib/SimpleSAML/Auth/State.php:154 (SimpleSAML_Auth_State::loadState)
1: xxx/modules/saml/www/sp/saml2-acs.php:31 (require)
2: xxx/www/module.php:137 (N/A)
I've checked the SAML response and I've seen that the signature values are different, could be that the problem?
Sorted, I had to specify the RelayState.