Setting up a test environment


zacherypd

Apr 1, 2015, 4:12:24 PM
to simple...@googlegroups.com
I have been working on configuring a VM for my own education and I've nearly worked out the kinks, but I seem to have pushed myself far beyond my current understanding.

I have two domains set up locally:
example.sp.org/
example.idp.org/

These exist on the same machine and correctly respond.  Both have an alias /simplesaml which redirects to simplesamlphp as the tutorials suggest.  I have configured my AuthSou

$config = array(

        'wordpress' => array(
                'sqlauth:SQL',
                'dsn' => 'mysql:host=localhost;dbname=scotchbox',
                'username' => 'root',
                'password' => 'root',
                'query' => 'SELECT * from wp_users where user_pass = :password AND user_login = :username'
        ),

        'default-sp' => array(
                'saml:SP',
                'entityid' => 'www.example.sp.org',
        ),

        'example-userpass' => array(
                'exampleauth:UserPass',

                // Give the user an option to save their username for future login attempts
                // And when enabled, what should the default be, to save the username or not
                //'remember.username.enabled' => FALSE,
                //'remember.username.checked' => FALSE,

                'student:studentpass' => array(
                        'uid' => array('test'),
                        'eduPersonAffiliation' => array('member', 'student'),
                ),
                'employee:employeepass' => array(
                        'uid' => array('employee'),
                        'eduPersonAffiliation' => array('member', 'employee'),
                ),
        ),

);


So I have three set up, one of which is the example "userpass".

I also have my metadata configs:
saml-20-idp-hosted.php

$metadata['__DYNAMIC:1__'] = array(
        'host' => 'http://www.example.idp.org',

        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',

        'auth' => 'example-userpass',
);

$metadata['__DYNAMIC:1__'] = array(
        /*
         * The hostname of the server (VHOST) that will use this SAML entity.
         *
         * Can be '__DEFAULT__', to use this entry by default.
         */
        'host' => '__DEFAULT__',

        /* X.509 key and certificate. Relative to the cert directory. */
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',

        /*
         * Authentication source to use. Must be one that is configured in
         * 'config/authsources.php'.
         */
        'auth' => 'example-userpass',
);


In this I have configured a new IdP to listen on example.idp.org.  For now I have this using example-userpass as its auth method which is fine.  Eventually I'm going to get it working with my "wordpress" auth method, but one step at a time.  

saml-20-idp-remote.php:

$metadata['https://openidp.feide.no'] = array(
        'name' => array(
                'en' => 'Feide OpenIdP - guest users',
                'no' => 'Feide Gjestebrukere',
        ),
        'description'          => 'Here you can login with your account on Feide RnD OpenID. If you do not already have an account on this identity provider, you can create a new one by following the create new account link and follow the instructions.',

        'SingleSignOnService'  => 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
        'SingleLogoutService'  => 'https://openidp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php',
        'certFingerprint'      => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
);


$metadata['http://www.example.idp.org/simplesaml'] = array(
        'name' => array (
                'en' => 'My test IDP',
                'no' => 'My test IDP',
        ),
        'description'           => 'This is a test endpoint',

        'SingleSignOnService'   => 'http://www.example.idp.org/simplesaml/saml2/idp/SSOService.php',
        'SingleLogoutService'   => 'http://www.example.idp.org/simplesaml/saml2/idp/SingleLogoutService.php',
);


So this configures a new remote idp called "My test IDP" which has very little info configured except its SingleSignOnService and SingleLogoutService attributes.

saml20-sp-remote.php

And here I configure the "return address" (to use a term other than SingleLogoutService) that my IDP will use to return messages to my SP.  

With all that, I have used the bundled tester to test my AuthSources, and I have been unable to get "sp-default" working!  When I try to use it to authenticate against "My Test IDP" I get

"Unable to locate metadata for 'http://www.example.sp.org/simplesaml/module.php/saml/sp/metadata.php/default-sp'
This is most likely a configuration problem on either the service provider or identity provider."  

It almost seems like my saml20-sp-remote.php isn't being respected, but the fact that it uses that very specific url in the error makes me wonder if the value is just wrong.  To test this, I pulled up: http://www.example.sp.org/simplesaml/module.php/core/frontpage_federation.php and that looks normal (It's actually where I pulled the urls out of originally.)  By all accounts, this looks correct to me, can anyone offer any feedback?  Of course, I'm happy to gather any new information to help diagnose.  

zacherypd

Apr 1, 2015, 4:14:49 PM
to simple...@googlegroups.com
I am immensely sorry for the garbage formatting.  I didn't expect the line-breaks to do that.  

Jaime Perez Crespo

Apr 10, 2015, 4:24:33 AM
to simple...@googlegroups.com
Hi,

> On 01 Apr 2015, at 22:12 pm, ZacheryPD <zach...@gmail.com> wrote:
> I have two domains set up locally:
> example.sp.org/
> example.idp.org/
>
> These exist on the same machine and correctly respond. Both have an alias /simplesaml which redirects to simplesamlphp as the tutorials suggest. I have configured my AuthSou

I’m assuming here that you have either two different instances of SimpleSAMLphp, or that you have configured SSP to change its base URL to the right domain, on a per-request basis. If not, you should do that first.

> I also have my metadata configs:
> saml-20-idp-hosted.php
> $metadata['__DYNAMIC:1__'] = array(
> 'host' => 'http://www.example.idp.org',
>
> 'privatekey' => 'server.pem',
> 'certificate' => 'server.crt',
>
> 'auth' => 'example-userpass',
> );
> $metadata['__DYNAMIC:1__'] = array(

This is wrong. You have two definitions for the hosted IdP, almost identical. This second one is overriding the first one. There’s no magic in that “__DYNAMIC:1__” string, it’s just a key pointing to an element in the $metadata array, and setting it twice means the last one prevails. So here you are basically removing the “host” configuration option from your IdP metadata.

> saml-20-idp-remote.php:
> $metadata['http://www.example.idp.org/simplesaml'] = array(

This one is wrong too. Your IdP does not have "http://www.example.idp.org/simplesaml" as entity ID. The index in the array must be the entity ID of the remote party. Otherwise, SimpleSAMLphp won’t find metadata for it.

> saml20-sp-remote.php
And finally this is the source of the error you get. SimpleSAMLphp receives a SAML request from an entity with entity ID “http://www.example.sp.org/simplesaml/module.php/saml/sp/metadata.php/default-sp”, but you don’t have that defined. Instead, you defined an entity with entity ID “http://www.example.sp.org”. Obviously that’s not the same, and hence the error, which I think is pretty clear:
> It almost seems like my saml20-sp-remote.php isn't being respected, but the fact that it uses that very specific url in the error makes me wonder if the value is just wrong. To test this, I pulled up: http://www.example.sp.org/simplesaml/module.php/core/frontpage_federation.php and that looks normal (It's actually where I pulled the urls out of originally.) By all accounts, this looks correct to me, can anyone offer any feedback? Of course, I'm happy to gather any new information to help diagnose.

You need to fix your metadata configuration both at the SP and the IdP. My recommendation is to dump the PHP arrays you get when fetching metadata for both, directly into each other’s metadata files, instead of configuring yourself manually.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

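As an added example (not from the thread and not SimpleSAMLphp's own code), here is a small PHP lint for the two mistakes Jaime points out: a $metadata key assigned twice, where PHP silently keeps only the last array, and a remote entry keyed by something other than the peer's real entity ID. It assumes PHP 7.4 or newer, matches only single-quoted $metadata['...'] keys as written in the files above, and the sample source and entity ID are constructed from the thread's examples.

```php
<?php
// Added example, not SimpleSAMLphp code. Lints a metadata file for the two
// mistakes discussed above: a $metadata key assigned twice (PHP keeps only the
// last array) and no entry keyed by the exact entity ID SSP is looking for.
// Assumes PHP 7.4+; matches single-quoted $metadata['...'] keys only.

// Every $metadata['...'] key in source order, duplicates included.
function metadataKeysInSource(string $phpSource): array
{
    preg_match_all('/\$metadata\[\s*\'([^\']+)\'\s*\]\s*=/', $phpSource, $m);
    return $m[1];
}

// Keys assigned more than once; only the last assignment survives at runtime.
function duplicateKeys(array $keys): array
{
    return array_keys(array_filter(array_count_values($keys), fn($n) => $n > 1));
}

// Keys that are merely a prefix of the wanted entity ID (e.g. a bare hostname).
function prefixMatches(array $keys, string $entityId): array
{
    return array_values(array_filter($keys,
        fn($k) => $k !== $entityId && strncmp($entityId, $k, strlen($k)) === 0));
}

// Entity IDs SSP derives from its metadata URLs when none is configured,
// matching the two error messages quoted in this thread.
function defaultEntityIds(string $baseUrl): array
{
    $b = rtrim($baseUrl, '/');
    return ['idp' => "$b/saml2/idp/metadata.php",
            'sp'  => "$b/module.php/saml/sp/metadata.php/default-sp"];
}

function lintMetadata(string $phpSource, string $entityId): array
{
    $keys = metadataKeysInSource($phpSource);
    return ['duplicates' => duplicateKeys($keys),
            'found'      => in_array($entityId, $keys, true),
            'prefixes'   => prefixMatches($keys, $entityId)];
}

// Constructed sample: hostname-keyed remote IdP plus the doubled hosted key.
$source = <<<'PHP'
$metadata['http://labs.softdev.co.uk'] = array('name' => array('en' => 'LABS OpenIdP'));
$metadata['__DYNAMIC:1__'] = array('host' => 'http://www.example.idp.org');
$metadata['__DYNAMIC:1__'] = array('host' => '__DEFAULT__');
PHP;
$wanted = defaultEntityIds('http://labs.softdev.co.uk/simplesaml')['idp'];
$report = lintMetadata($source, $wanted);
foreach ($report['duplicates'] as $k) echo "duplicate key '$k': only the last definition is kept\n";
if (!$report['found']) echo "no entry for '$wanted'; prefix-only keys: " . implode(', ', $report['prefixes']) . "\n";
```

Run it against a real file with lintMetadata(file_get_contents('metadata/saml20-idp-remote.php'), $entityIdFromError); the prefix report is what catches a hostname used where the full entity ID belongs.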

Lee Crampton

Apr 14, 2015, 10:29:36 AM
to simple...@googlegroups.com
I have installed and configured simplesamlphp on the same VPS (so far so good).
Using the web interface to test the admin login - OK
Using the web interface to test the example-userpass login - OK
Using the web interface to test the default-sp - NOT OK

Caused by: SimpleSAML_Error_Exception: Could not find the metadata of an IdP with entity ID 'http://labs.softdev.co.uk/simplesaml/saml2/idp/metadata.php'
Backtrace:
2 /var/simplesaml/modules/saml/lib/Auth/Source/SP.php:134 (sspmod_saml_Auth_Source_SP::getIdPMetadata)
1 /var/simplesaml/modules/saml/www/sp/saml2-acs.php:74 (require)
0 /var/simplesaml/www/module.php:134 (N/A)

The URL is: 


Now my newbie questions are:
a) is that a straightforward beginner's error that is easy to solve?
b) do I need separate instances/configuration for using an idp and sp on the same host?
c) if I need two separate configurations, what is the simplest way in which to achieve that without a wholesale copy of the complete simplesamlphp installation?

Many thanks in advance

Lee

ZacheryPD

Apr 14, 2015, 11:10:02 AM
to simple...@googlegroups.com
Can you share your saml20-idp-* metadata/ files?  The problem is most likely having the incorrect entity-id.  
--
Zachery DeLong,
Account Executive / Software Developer. edelman.com
Founder of the Marshall-U Gaming Club: Facebook.com/MUGaming.
Twitter.com/TheGrisk

Lee Crampton

Apr 14, 2015, 12:19:11 PM
to simple...@googlegroups.com
Sure thanks.
They are 'out of the box' from the installation with the following changes (can't attach files so I'll paste the full contents after the changes I've made below)

metadata/saml20-idp-hosted.php

'privatekey' => 'labs.softdev.co.uk.pem',
'certificate' => 'labs.softdev.co.uk.crt',

metadata/saml20-idp-remote.php

$metadata['http://labs.softdev.co.uk'] = array(
        'name' => array(
                'en' => 'LABS OpenIdP - guest users',
        ),
        'description' => 'Test idp for SAML.',
        'SingleSignOnService' => 'http://labs.softdev.co.uk/simplesaml/saml2/idp/SSOService.php',
        'SingleLogoutService' => 'http://labs.softdev.co.uk/simplesaml/saml2/idp/SingleLogoutService.php',
        'certFingerprint' => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
);

-- Now the complete files (comments snipped to make it easier to read here)

metadata/saml20-idp-hosted.php


$metadata['__DYNAMIC:1__'] = array(
        /*
         * The hostname of the server (VHOST) that will use this SAML entity.
         *
         * Can be '__DEFAULT__', to use this entry by default.
         */
        'host' => '__DEFAULT__',

        'privatekey' => 'labs.softdev.co.uk.pem',

        'certificate' => 'labs.softdev.co.uk.crt',

        'auth' => 'example-userpass',


        'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
        'authproc' => array(
                // Convert LDAP names to oids.
                100 => array('class' => 'core:AttributeMap', 'name2oid'),
        ),
);
--------------------------

metadata/saml20-idp-remote.php


$metadata['http://labs.softdev.co.uk'] = array(
        'name' => array(
                'en' => 'LABS OpenIdP - guest users',
        ),
        'description'          => 'Test idp for SAML.',

        'SingleSignOnService'  => 'http://labs.softdev.co.uk/simplesaml/saml2/idp/SSOService.php',
        //'certFingerprint'      => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
        'certFingerprint'      => 'unknown'
);

----------------------------------------

Cheers

Lee



DeLong Zachery

Apr 14, 2015, 2:48:09 PM
to simple...@googlegroups.com
I believe:

$metadata['http://labs.softdev.co.uk'] = array(

Check the federation tab of /simplesaml/ and look for the metadata for your idp+sp.  Make sure they both line up!  

Lee Crampton

Apr 14, 2015, 4:50:24 PM
to simple...@googlegroups.com
Excellent my good man :)
I also needed to change the certFingerprint but I had anticipated that once the error was resolved.

I really appreciate your help and rapid responses Zachery.

I should now be able to look at a simple php integration with my own web app :)

Many thanks

Lee

DeLong Zachery

Apr 14, 2015, 5:18:46 PM
to simple...@googlegroups.com
No problem at all!  I’ve actually been considering trying to get write privileges to the wiki so I could write  a tutorial specifically for how to configure an instance similar to what you’ve set up.  I had to do one myself recently to learn SAML for a SalesForce integration and it took forever to get spun up because I didn’t know anything about SAML when I started three weeks ago.  I think such a tutorial would be incredibly helpful to newer devs, but we’ll see.  

Lee Crampton

Apr 20, 2015, 9:19:52 AM
to simple...@googlegroups.com
Bummer. I came back to my simplesaml this morning and experimented with just one file (config/authsources.php) and appear to have broken it.
I can't for the life of me see how the error I am getting ties in with the file as it stands.

The error is:

This is most likely a configuration problem on either the service provider or identity provider.

Here is my file together with the diff against the original.
------------------------
$config = array(

    // This is a authentication source which handles admin authentication.
    'admin' => array(
        // The default is to use core:AdminPassword, but it can be replaced with
        // any authentication source.

        'core:AdminPassword',
    ),


    // An authentication source which can authenticate against both SAML 2.0
    // and Shibboleth 1.3 IdPs.
    'default-sp' => array(
        'saml:SP',
        'privatekey' => 'labs.softdev.co.uk.pem',
        'certificate' => 'labs.softdev.co.uk.crt',

        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => NULL,

        // The entity ID of the IdP this should SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => NULL,

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => null,
        //'discoURL' => 'http://labs.softdev.co.uk/simplesaml',

// tons of commented code omitted here
    ),

    'example-userpass' => array(
        'exampleauth:UserPass',

        // Give the user an option to save their username for future login attempts
        // And when enabled, what should the default be, to save the username or not
        //'remember.username.enabled' => FALSE,
        //'remember.username.checked' => FALSE,

        'student:studentpass' => array(
            'uid' => array('student'),
            'eduPersonAffiliation' => array('member', 'student'),
        ),
        'employee:employeepass' => array(
            'uid' => array('employee'),
            'eduPersonAffiliation' => array('member', 'employee'),
        ),
    ),
// snipped comments
);
------------------------

(labs.softdev)root@172469:/var/simplesaml# diff config/authsources.php config/ORIG/authsources.php
18,19d17
<       'privatekey' => 'labs.softdev.co.uk.pem',
<       'certificate' => 'labs.softdev.co.uk.crt',
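Review bot: the command on the line above compares the modified file (first argument) against config/ORIG/authsources.php (second), so in every hunk '<' is the working copy and '>' is the original; read the hunks with that orientation. For this hunk, the 'privatekey' and 'certificate' options added to 'default-sp' are legitimate saml:SP settings, but both file names must exist in SimpleSAMLphp's cert directory, the same place the hosted-IdP metadata's 'privatekey'/'certificate' entries are resolved from.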
23c21
<         'entityID' => NULL,
---
>         'entityID' => null,
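Review bot: 'NULL' versus 'null' is a case-only edit; PHP treats the null constant case-insensitively, so this hunk and 27c25 below change nothing at runtime and only add noise when diffing against the template. Keep the template's lowercase 'null' so that real changes stand out.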
27c25
<         'idp' => NULL,
---
>         'idp' => null,
87a86
>     /*
97c96
<             'uid' => array('student'),
---
>             'uid' => array('test'),
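Review bot: changing the student test account's 'uid' value from 'test' to 'student' only alters the attribute the example-userpass source releases for that account; it cannot affect metadata lookup, so it is not a candidate for the error above, though it does diverge from the template and from the first post's authsources.php, which still use 'test' for that user.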
105d103
<     /*
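Review bot: this hunk and 87a86 above move a '/*' opener from original line 86, just ahead of the example-userpass block whose 'uid' line is at 96, to line 105, just after it, but no '*/' moves with it. Whatever '*/' closed the original comment is now either inside the new comment opened at 105 or stranded in live code, and the diff alone cannot tell which. Delete the '/*' and its matching '*/' as a pair instead of relocating the opener, or include the '*/' lines in the paste so the comment nesting can be checked.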
(labs.softdev)root@172469:/var/simplesaml#

Grr.

Lee

DeLong Zachery

Apr 20, 2015, 9:56:39 AM
to simple...@googlegroups.com
I believe that

// The entity ID of the IdP this should SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
'idp' => NULL,

must be set for an IDP to respond to an SP. If you want to use the internal tester, I do not believe this needs to be set, but in an environment where you are testing against an actual SP, this needs to be set.

Lee Crampton

Apr 20, 2015, 12:46:46 PM
to simple...@googlegroups.com
Now normally I am very thorough with any development in that everything gets deposited in my git repo and all source is backed up to several places.
In this particular case I deviated slightly from my practice as I was working on a remote scratch VPS which wasn't backed up or git controlled.
What I should have done though after my initial investigations was to copy at least the modified files and added them to git.

Now back to the actual problem. I'm not sure how I had it working last week but it boils down to a single line that determines whether it works or whether it errors.
I don't actually understand it (and I must have had the file without that line last week as it was working). I'd like to know why the line being in place causes the error.
The original line in question together with the original comments is:

   // The URL to the discovery service.
   // Can be NULL/unset, in which case a builtin discovery service will be used.
   'discoURL' => null,

Lee

DeLong Zachery

Apr 20, 2015, 12:49:56 PM
to simple...@googlegroups.com
Happens to the best of us!  Thanks for sharing your solution!