Using the same SP for multiple hostnames


mk

Feb 7, 2012, 7:04:13 PM
to simpleSAMLphp
I have set up simplesamlphp as an alias in my httpd.conf file for
host1.domain.com, so I am able to use the sample code in the
documentation successfully:

<?php
// Load the simpleSAMLphp autoloader (path relative to this script).
require_once('../../lib/_autoload.php');
// Use the 'default-sp' authentication source from config/authsources.php.
$as = new SimpleSAML_Auth_Simple('default-sp');
// Redirect to the IdP if there is no session yet, then return here.
$as->requireAuth();
// Attributes released by the IdP for the authenticated user.
$attributes = $as->getAttributes();
print_r($attributes);

I have also set an alias in my httpd.conf file for host2.domain.com,
but when I try to use the same code as above using the different host
name, I get the following unhandled exception:

Invalid SAML2 timestamp passed to parseSAML2Time

Note that host1.domain.com and host2.domain.com are the same server,
but different IP addresses.

Is it possible to use the same simplesamlphp instance on a server for
two hostnames?

Dick Visser

Feb 8, 2012, 3:58:04 AM
to simple...@googlegroups.com
On 8 February 2012 01:04, mk <marc...@vendusia.com> wrote:

> I have also set an alias in my httpd.conf file for host2.domain.com,
> but when I try to use the same code as above using the different host
> name, I get the following unhandled exception:
>
> Invalid SAML2 timestamp passed to parseSAML2Time

Is this the entire error?
According to the code there should also be a colon and an (incorrectly
formatted) time...


> Note that host1.domain.com and host2.domain.com are the same server,
> but different IP addresses.
>
> Is it possible to use the same simplesamlphp instance on a server for
> two hostnames?

Yes.

--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands

Olav Morken

Feb 8, 2012, 4:05:28 AM
to simple...@googlegroups.com
On Tue, Feb 07, 2012 at 16:04:13 -0800, mk wrote:
> I have set up simplesamlphp as an alias in my httpd.conf file for
> host1.domain.com, so I am able to use the sample code in the
> documentation successfully:
>
> require_once('../../lib/_autoload.php');
> $as = new SimpleSAML_Auth_Simple('default-sp');
> $as->requireAuth();
> $attributes = $as->getAttributes();
> print_r($attributes);
>
> I have also set an alias in my httpd.conf file for host2.domain.com,
> but when I try to use the same code as above using the different host
> name, I get the following unhandled exception:
>
> Invalid SAML2 timestamp passed to parseSAML2Time

I cannot see a way that two different hostnames are going to cause this
error. My guess is that the IdP returns an error with an invalid
timestamp. (I.e. the IdP uses a valid timestamp when returning
successful responses, and an invalid timestamp when returning errors.)

I suggest examining the messages sent from the IdP to the SPs, either
by using something like the SAML tracer Firefox addon:

https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

Or by doing it manually (e.g. by disabling javascript and extracting
the response from the "post data" page).

> Note that host1.domain.com and host2.domain.com are the same server,
> but different IP addresses.
>
> Is it possible to use the same simplesamlphp instance on a server for
> two hostnames?

Yes, that should work. Note however that the two SPs must have separate
entityIDs, and that you will need to register metadata for each of them
separately.

Best regards,
Olav Morken
UNINETT / Feide

mk

Feb 8, 2012, 1:33:41 PM
to simpleSAMLphp
> > Is it possible to use the same simplesamlphp instance on a server for
> > two hostnames?
>
> Yes, that should work. Note however that the two SPs must have separate
> entityIDs, and that you will need to register metadata for each of them
> separately.

Does that mean that I can use the same authsources.php file, but just
need to specify two SPs with the two sets of metadata? If so, how do I
specify that one is for host1.domain.com and the other is for
host2.domain.com? Is it something to do with AssertionConsumerURL?

I was able to get a further trace from the IdP, which resulted in:

"Denying invalid request with wrong AssertionConsumerServiceURL
location. AssertionConsumerServiceURL vaue must match the one
specified in partner meta data."

Although I had sent the request from host2.domain.com, it had
AssertionConsumerDefaultURL set as host1.domain.com.

Olav Morken

Feb 9, 2012, 8:03:01 AM
to simple...@googlegroups.com
On Wed, Feb 08, 2012 at 10:33:41 -0800, mk wrote:
> > > Is it possible to use the same simplesamlphp instance on a server for
> > > two hostnames?
> >
> > Yes, that should work. Note however that the two SPs must have separate
> > entityIDs, and that you will need to register metadata for each of them
> > separately.
>
> Does that mean that I can use the same authsources.php file, but just
> need to specify two SPs with the two sets of metadata? If so, how do I
> specify that one is for host1.domain.com and the other is for
> host2.domain.com? Is it something to do with AssertionConsumerURL?

It should be enough to add two SPs in authsources.php. All URLs are
generated based on the current hostname, so there should not be any
configuration necessary.

> I was able to get a further trace from the IdP, which resulted in:
>
> "Denying invalid request with wrong AssertionConsumerServiceURL
> location. AssertionConsumerServiceURL vaue must match the one
> specified in partner meta data."
>
> Although I had sent the request from host2.domain.com, it had
> AssertionConsumerDefaultURL set as host1.domain.com.

Are you certain that this is what was the cause? The
AssertionConsumerServiceURL in the AuthnRequest message is generated
based on your current hostname. Had you added metadata on the IdP for
both SPs? In that case, were the AssertionConsumerService URLs in the
metadata you added to the IdP correct?

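The two-SP layout Olav describes, written out as a config/authsources.php fragment. This is an added illustration, not configuration from the thread or from the simpleSAMLphp project; the second authsource name ('host2-sp'), the entityID values and the IdP entityID are assumed.

```php
<?php
// config/authsources.php: two SP authsources in one simpleSAMLphp install.
// Added illustration; 'host2-sp', the entityIDs and the IdP URL are assumed.
$config = array(

    // SP used by pages served on host1.domain.com (the 'default-sp' from
    // the original post: new SimpleSAML_Auth_Simple('default-sp')).
    'default-sp' => array(
        'saml:SP',
        // Every SP needs its own entityID: the IdP looks up partner metadata
        // by this value, including the AssertionConsumerService Location it
        // will accept in an AuthnRequest.
        'entityID' => 'https://host1.domain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp',
        // IdP entityID (assumed value).
        'idp'      => 'https://idp.example.org/saml2/idp/metadata.php',
    ),

    // SP used by pages served on host2.domain.com:
    //   new SimpleSAML_Auth_Simple('host2-sp')
    // simpleSAMLphp builds the AssertionConsumerServiceURL from the hostname
    // of the current request, so an AuthnRequest from host2 advertises an
    // ACS URL on host2.domain.com. The IdP only accepts it if the metadata
    // registered under THIS entityID lists that Location; registering
    // host1's metadata for host2 reproduces the "wrong
    // AssertionConsumerServiceURL location" denial seen in the IdP trace.
    'host2-sp' => array(
        'saml:SP',
        'entityID' => 'https://host2.domain.com/simplesaml/module.php/saml/sp/metadata.php/host2-sp',
        'idp'      => 'https://idp.example.org/saml2/idp/metadata.php',
    ),

);
```

After adding the second entry, fetch each SP's generated metadata from its own hostname (host1 for 'default-sp', host2 for 'host2-sp') and register both at the IdP, so that each entityID's ACS Location carries the hostname the requests will actually come from.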