SimpleSamlPhp SP with Ping Federate IDP : Invalid IDP for this SP


ab

Jul 18, 2016, 5:03:20 PM
to SimpleSAMLphp
Hi, I have a Ping Federate IDP with BaseURL https://example.com, and the Entity ID of the IDP is NBExample.

I have configured this in authsources.php as

    'default-sp' => array(
        'saml:SP',

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => null,

        'idp' => 'https://example.com',
    ),

Also configured this in saml20-idp-remote.php

    $metadata['https://example.com'] = array(
    );



I can get to the IDP and return to /simplesaml/module.php/saml/sp/saml2-logout.php/default-sp, but I get the following error:

Cannot retrieve metadata for Idp "NBExample" because it isn't a valid Idp for this SP.


However, when I use NBExample as the idp instead of https://example.com, I get the error "Certificate Fingerprint is not valid".

I'm new to SAML, so can someone please help?

Peter Schober

Jul 18, 2016, 5:40:14 PM
to SimpleSAMLphp
* ab <alka...@gmail.com> [2016-07-18 23:03]:
> Entity ID of the IDP is NBExample.

Then that's what you have to supply to SimpleSAMLphp:

> 'default-sp' => array(
> 'saml:SP',
[...]
> 'idp' => null,

You're overriding that value on the line below, so that's nonsensical.

> 'idp' => https://example.com,

And that doesn't match what you said above was the IDP's entityID.
The SSP documentation clearly states that the value of the 'idp'
parameter is "The entity ID of the IdP this should SP should contact.":
https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_3

> Also configured this in saml20-idp-remote.php
>
> $metadata[https://example.com] = array(
>
> )

First error: you (again) have the incorrect entityID, which needs to go
there. Second: you are supplying an empty array to SSP, instead of the
required metadata. Why would you put an empty array there?

Short version: Don't guess, don't make up stuff. Instead, ask the IDP
for SAML 2.0 Metadata (describing the IDP) and import that into your
SSP deployment, as indicated in the SSP documentation:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_2

Then configure your SSP deployment as per the SSP documentation for
SPs, https://simplesamlphp.org/docs/stable/simplesamlphp-sp

> However when I use NBExample as idp instead of https://example.com ,
> I get an error Certificate Fingerprint is not valid.

So if you're not entering some fantasy value as the IDP name (but the
actual entityID of the IDP, like the documentation says) you don't get
an error that says the SP does not know about your fantasy IDP.
That's a start.

Next, read and follow the short and simple documentation, every
step, all the steps:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp

Then come back here and ask questions about any errors you might still
see.

-peter
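
As an added example, not from the thread or from the SimpleSAMLphp project: the two files Peter refers to, with the IdP's real entityID ("NBExample", from the first post) used both as the 'idp' value and as the metadata key. The endpoint URLs and the certificate are placeholders, to be replaced with values copied from the IdP's own SAML 2.0 metadata.

```php
<?php
// Added illustration (not code from the thread or from SimpleSAMLphp itself).
// "NBExample" is the IdP entityID given in the first post; the endpoint URLs
// and the certificate are placeholders taken from nowhere real, to be replaced
// with the values in the IdP's SAML 2.0 metadata document.

// config/authsources.php
$config = array(
    'default-sp' => array(
        'saml:SP',
        // The IdP's entityID, exactly as the IdP publishes it. It is also the
        // key under which that IdP's metadata is stored (see below).
        'idp' => 'NBExample',
    ),
);

// metadata/saml20-idp-remote.php
$metadata['NBExample'] = array(
    'entityid' => 'NBExample',
    'SingleSignOnService' => array(
        array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://example.com/idp/SSO.saml2', // placeholder
        ),
    ),
    'SingleLogoutService' => array(
        array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://example.com/idp/SLO.saml2', // placeholder
        ),
    ),
    // Base64 body of the IdP's signing certificate: the <ds:X509Certificate>
    // element from its metadata, without PEM header/footer or line breaks.
    // SimpleSAMLphp verifies the signature on the IdP's messages against this
    // certificate, so a fingerprint/certificate mismatch error points here.
    'certData' => 'MIIC...PLACEHOLDER...',
);
```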

ab

Jul 19, 2016, 4:18:50 AM
to SimpleSAMLphp, peter....@univie.ac.at
Hi Peter,

When I put in the right EntityID, the error I am getting is invalid fingerprint of the certificate. Is this because the fingerprint has not been signed with the correct signature?

Peter Schober

Jul 19, 2016, 4:28:10 AM
to SimpleSAMLphp
* ab <alka...@gmail.com> [2016-07-19 10:19]:
> When I put in the right EntityID, the error I am getting is invalid
> fingerprint of the certificate.

You said as much before. Merely repeating the question but not
replying to anything I have suggested before is insufficient and is
*not* how you'll get others to help you fix *your* problem.

So I'd expect you to provide clear statements that you have done what
was suggested (following all the steps I said you should) or ask
concrete questions about it if you can't follow the instructions.

Plus I'd want clear feedback that you fixed all the errors I pointed
out were in your configuration, e.g. by showing the fixed
configuration, or explaining why you can't follow the referenced
documentation.

-peter

Peter Schober

Jul 19, 2016, 4:33:45 AM
to SimpleSAMLphp
* ab <alka...@gmail.com> [2016-07-19 10:19]:
> When I put in the right EntityID, the error I am getting is invalid
> fingerprint of the certificate. Is this because the fingerprint has not
> been signed with the correct signature?

If you don't get the unknown IDP error then that means you do have
metadata for the IDP configured, using the correct entityID value?
How exactly did you configure that?
What certificate did you configure and where?
Where did you get the fingerprint from that doesn't match? Did you
create it yourself? If so, how exactly?
What instructions are you following in any of that?
What are the software versions involved (SimpleSAMLphp, PHP, openssl)?

-peter