Received message on authentication request endpoint without issuer


Tony Skalski

Dec 18, 2009, 1:32:07 PM
to simplesamlphp
We are trying to configure simplesamlphp as an idp to provide SAML 2.0
services to a third-party (.Net-based) app we've purchased. As SAML
newbies, we've config'd the bare bones according to the IdP quickstart
(using the userpass to keep things simple), and when we try the
third-party app, we get 'Received message on authentication request
endpoint without issuer.' from our idp. Looking at the authnrequest
(thru Firefox http headers ext) we see:

<?xml version="1.0" encoding="utf-8"?>
<samlp:AuthnRequest
       xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
       ID="cedmgmapnmngeacedhadlgmbjglddiaailcchnnl"
       Version="2.0"
       IssueInstant="2009-12-18T14:10:22Z"
       ProtocolBinding="urn:oasis:names.tc:SAML:2.0:bindings:HTTP-Redirect"
       ProviderName="NetPartner"
       AssertionConsumerServiceURL="http://ourhost/SomeApp/Logon.aspx"/>

which is obviously missing an Issuer. Is issuer required as the code
seems to suggest, or is it optional, as
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
seems to suggest (line 1489). This would be our first issue.

Digging deeper, since it seems that $issuer is the index into the
array of sp-remote metadata, we hard coded $issuer to match the
single entry in saml20-sp-remote.php (just as a test). This returns a
404: https://ourIDP/simplesaml/example-userpass?RelayState=https://ourIDP/simplesaml/saml2/idp/SSOService.php%3FRequestID%3D_a24fd42ce38f5dccb66e2ff1a9d08d808003584a48&AuthId=_a24fd42ce38f5dccb66e2ff1a9d08d808003584a48&protocol=saml2

This seems odd as there is obviously nothing in example-userpass.

Thanks, you've done a great job as we were able to get this up and
running and do a fair amount of debugging in a few hours.

ajs
--
Tony Skalski
Systems Administrator
St. Olaf College IIT

Olav Morken

Dec 21, 2009, 2:44:24 AM
to simple...@googlegroups.com
On Fri, Dec 18, 2009 at 12:32:07 -0600, Tony Skalski wrote:
> We are trying to configure simplesamlphp as an idp to provide SAML 2.0
> services to a third-party (.Net-based) app we've purchased. As SAML
> newbies, we've config'd the bare bones according to the IdP quickstart
> (using the userpass to keep things simple), and when we try the
> third-party app, we get 'Received message on authentication request
> endpoint without issuer.' from our idp. Looking at the authnrequest
> (thru Firefox http headers ext) we see:
>
> <?xml version="1.0" encoding="utf-8"?>
> <samlp:AuthnRequest
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="cedmgmapnmngeacedhadlgmbjglddiaailcchnnl"
> Version="2.0"
> IssueInstant="2009-12-18T14:10:22Z"
> ProtocolBinding="urn:oasis:names.tc:SAML:2.0:bindings:HTTP-Redirect"
> ProviderName="NetPartner"
> AssertionConsumerServiceURL="http://ourhost/SomeApp/Logon.aspx"/>
>
> which is obviously missing an Issuer. Is issuer required as the code
> seems to suggest, or is it optional, as
> http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
> seems to suggest (line 1489). This would be our first issue.

Issuer is required for the Web SSO profile - see line 571 of
http://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf
You should also have a NameIDPolicy element with AllowCreate="true" in
the AuthnRequest. It is currently ignored in simpleSAMLphp, but that
may change in the future.

Another problem is that you specify HTTP-Redirect as the
ProtocolBinding for the authentication response. SimpleSAMLphp only
supports HTTP-POST for the authentication responses. This can be
altered by changing one line of code on the IdP, but you will hit the
limit on the maximum length of the query string in web browsers very
quickly.

> Digging deeper, since it seems that $issuer is the index into the
> array of sp-remote metadata, we hard coded $issuer to match the
> single entry in saml20-sp-remote.php (just as a test). This returns a
> 404:
> https://ourIDP/simplesaml/example-userpass?RelayState=https://ourIDP/simplesaml/saml2/idp/SSOService.php%3FRequestID%3D_a24fd42ce38f5dccb66e2ff1a9d08d808003584a48&AuthId=_a24fd42ce38f5dccb66e2ff1a9d08d808003584a48&protocol=saml2
>
> This seems odd as there is obviously nothing in example-userpass.

Have you removed the comment-signs around the example-userpass entry
in config/authsources.php? It looks like it falls back to some
backwards-compatibility code for authentication because it cannot find
the entry for example-userpass.

--
Olav Morken
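
An IdP-side sanity check of an incoming AuthnRequest covering the three points in the reply above (Issuer present and known in the sp-remote metadata, NameIDPolicy with AllowCreate="true", HTTP-POST as the response binding). This is an added Python example, not simpleSAMLphp code; the fixed request, the SP entity ID and the known-SP set are constructed for illustration, and the vendor's binding value is kept exactly as captured (including its "names.tc" typo), which the binding check flags along with the other two problems.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_authn_request(xml_text, known_sps):
    """Return the problems an IdP would report for this AuthnRequest, given the
    entity IDs of the SPs it has remote metadata for. Empty list = request is OK."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return ["root element is not samlp:AuthnRequest"]
    problems = []
    # Web SSO profile: the request must name its sender; the IdP looks the SP up by it.
    issuer = root.findtext("{%s}Issuer" % SAML)
    if issuer is None:
        problems.append("missing saml:Issuer (required by the Web SSO profile)")
    elif issuer.strip() not in known_sps:
        problems.append("unknown Issuer %r: no entry in saml20-sp-remote" % issuer.strip())
    # Absent ProtocolBinding means "use SP metadata"; if present, only HTTP-POST is supported.
    binding = root.get("ProtocolBinding")
    if binding is not None and binding != HTTP_POST:
        problems.append("ProtocolBinding %r is not HTTP-POST" % binding)
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    if policy is None or policy.get("AllowCreate") != "true":
        problems.append('missing samlp:NameIDPolicy with AllowCreate="true"')
    return problems

# The vendor's request as captured in the thread (attributes reflowed, values unchanged).
VENDOR_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="cedmgmapnmngeacedhadlgmbjglddiaailcchnnl" Version="2.0" IssueInstant="2009-12-18T14:10:22Z"
    ProtocolBinding="urn:oasis:names.tc:SAML:2.0:bindings:HTTP-Redirect" ProviderName="NetPartner"
    AssertionConsumerServiceURL="http://ourhost/SomeApp/Logon.aspx"/>"""

# Constructed version of the same request with the three fixes applied; the Issuer
# value is a placeholder entity ID that would appear in saml20-sp-remote.php.
FIXED_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="cedmgmapnmngeacedhadlgmbjglddiaailcchnnl" Version="2.0" IssueInstant="2009-12-18T14:10:22Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://ourhost/SomeApp/Logon.aspx">
  <saml:Issuer>https://ourhost/SomeApp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""

KNOWN_SPS = {"https://ourhost/SomeApp"}  # constructed: the one entry in saml20-sp-remote.php
```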

Tony Skalski

Dec 21, 2009, 10:19:01 AM
to simpleSAMLphp
Olav, thanks for the reply.

> Issuer is required for the Web SSO profile

> You should also have a NameIDPolicy element with AllowCreate="true" in
> the AuthnRequest.

> Another problem is that you specify HTTP-Redirect as the
> ProtocolBinding for the authentication response

I will let our vendor know about these issues.

> This can be altered by changing one line of code on the IdP

Can you point out where this is?

> Have you removed the comment-signs around the example-userpass entry
> in config/authsources.php?

No, I had not (am learning php and SAML at the same time). It's
working now.

Thanks again.
--
ajs

Olav Morken

Dec 22, 2009, 1:26:37 AM
to simple...@googlegroups.com
On Mon, Dec 21, 2009 at 07:19:01 -0800, Tony Skalski wrote:
> > This can be altered by changing one line of code on the IdP
>
> Can you point out where this is?

Line 487 of www/saml2/idp/SSOService.php:
http://code.google.com/p/simplesamlphp/source/browse/branches/simplesamlphp-1.5/www/saml2/idp/SSOService.php#487

Changing "new SAML2_HTTPPost()" to "new SAML2_HTTPRedirect()" will make
it send all authentication responses with the HTTP-Redirect binding.
But you should be aware that the maximum URL length in Internet
Explorer is quite short, and you are likely to hit it.

> > Have you removed the comment-signs around the example-userpass entry
> > in config/authsources.php?
>
> No, I had not (am learning php and SAML at the same time). It's
> working now.

In that case, I would suggest not changing the authentication response
binding, as that is likely to break it.

--
Olav Morken
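
To show why the one-line switch to HTTP-Redirect runs into the browser URL limit, here is an added Python example (not simpleSAMLphp code) that encodes a constructed SAML Response the way the HTTP-Redirect binding does and measures the resulting URL. The IdP entity ID, the user data and the signature and certificate sizes are assumptions; 2083 is Internet Explorer's documented maximum URL length.

```python
import base64
import random
import urllib.parse
import zlib
IE_MAX_URL_LENGTH = 2083  # Internet Explorer's documented maximum URL length

def redirect_binding_url(endpoint, saml_message):
    """Encode a SAML message as the HTTP-Redirect binding does: raw DEFLATE, then
    base64, then URL-encode into a GET query string (RelayState/signature omitted)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(saml_message.encode("utf-8")) + comp.flush()
    query = urllib.parse.urlencode({"SAMLResponse": base64.b64encode(deflated).decode("ascii")})
    return endpoint + "?" + query

def fake_b64(nbytes, seed):
    """Constructed stand-in for digest/signature/certificate bytes (pseudo-random, as
    real RSA output and DER certificates do not compress either)."""
    rng = random.Random(seed)
    return base64.b64encode(bytes(rng.getrandbits(8) for _ in range(nbytes))).decode("ascii")

def sample_response(signed):
    """Constructed minimal SAML 2.0 Response. With signed=True it carries an abbreviated
    XML-DSig block sized like a 2048-bit RSA signature (256 bytes) plus a DER cert (1200)."""
    signature = ""
    if signed:
        signature = (
            '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
            '<ds:Reference URI="#_r1"><ds:DigestValue>{}</ds:DigestValue></ds:Reference>'
            "</ds:SignedInfo><ds:SignatureValue>{}</ds:SignatureValue><ds:KeyInfo>"
            "<ds:X509Data><ds:X509Certificate>{}</ds:X509Certificate></ds:X509Data>"
            "</ds:KeyInfo></ds:Signature>"
        ).format(fake_b64(20, 1), fake_b64(256, 2), fake_b64(1200, 3))
    issuer = "<saml:Issuer>https://ourIDP/idp-entity-id</saml:Issuer>"  # constructed entity ID
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="2009-12-18T14:10:30Z" Destination="http://ourhost/SomeApp/Logon.aspx">'
        + issuer + signature +
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
        '</samlp:Status><saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-12-18T14:10:30Z">'
        + issuer + "<saml:Subject><saml:NameID>tony</saml:NameID></saml:Subject>"
        '<saml:AttributeStatement><saml:Attribute Name="uid"><saml:AttributeValue>tony'
        "</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"
        "</samlp:Response>"
    )

def response_url_lengths():
    """URL length of an unsigned vs. a signed response sent over HTTP-Redirect."""
    acs = "http://ourhost/SomeApp/Logon.aspx"  # the vendor's ACS URL from the thread
    return {signed: len(redirect_binding_url(acs, sample_response(signed))) for signed in (False, True)}
```

The unsigned response fits comfortably, while the signed one alone pushes the GET URL past the limit, which is why the reply above recommends staying with HTTP-POST.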
