When the SimpleSAMLphp installation page has a link to test the authentication source, clicking the link for the authentication source does not redirect to the IdP


itc...@163.com

Sep 29, 2017, 5:35:17 AM
to SimpleSAMLphp
I am now preparing a single sign-on demo to test with. I used my own virtual machine to build a server, configured with two virtual hosts: one is the SP (www.saml.com) and one is the IdP (www.idp.com). I would like to use SimpleSAMLphp in both applications and connect it to an existing identity provider.
After configuring the SP and IdP according to the documentation steps, and after successfully obtaining and exchanging the SP's and IdP's information, I clicked the link on the SimpleSAMLphp installation page to test the authentication source. It did not redirect to the IdP but gave an error instead.

The error is reported as follows:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/www/module.php:179 (N/A)
Caused by: SimpleSAML_Error_Exception: Could not find the metadata of an IdP with entity ID 'http://www.idp.com'
Backtrace:
6 /var/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:134 (sspmod_saml_Auth_Source_SP::getIdPMetadata)
5 /var/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:308 (sspmod_saml_Auth_Source_SP::startSSO)
4 /var/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:390 (sspmod_saml_Auth_Source_SP::authenticate)
3 /var/simplesamlphp/lib/SimpleSAML/Auth/Source.php:193 (SimpleSAML_Auth_Source::initLogin)
2 /var/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:141 (SimpleSAML_Auth_Simple::login)
1 /var/simplesamlphp/modules/core/www/authenticate.php:40 (require)
0 /var/simplesamlphp/www/module.php:136 (N/A)

Please help me see where it is wrong, thank you.

Peter Schober

Sep 29, 2017, 5:39:00 AM
to SimpleSAMLphp
* itc...@163.com <itc...@163.com> [2017-09-29 11:35]:
> *I am now ready to write a single login demo simulation test, use my own
> virtual machine to build a server, were configured with two virtual host,
> one is SP (www.saml.com), one is IDP (www.idp.com), I would like to use
> SimpleSAMLphp in both applications and connect it to an existing identity
> provider.*

Note that's not how SAML works. If you have "an existing identity
provider" then you don't need an IDP (which stands for Identity
Provider), you only need to connect your services (SPs) to the
existing IDP.

I've already commented on the error message itself in my previous
reply to your almost identical post.
-peter

itc...@163.com

Oct 9, 2017, 10:51:50 PM
to SimpleSAMLphp

Thank you. The way I described the error may have caused you to misunderstand what I meant. I originally meant to build an SP and IdP environment as a test demo, to understand the interaction process and make it easier to migrate to my own user system later. So the existing identity provider I mentioned above does not exist. The current situation is that I have built the SP and IdP environment and followed the test steps prompted by the documentation; after logging in, the error occurs and there is no redirect. Do you know where my configuration error is?

Peter Schober

Oct 10, 2017, 5:25:23 AM
to SimpleSAMLphp
* itc...@163.com <itc...@163.com> [2017-10-10 04:52]:
I can't parse the above.

The error message you previously sent clearly stated:

> Could not find the metadata of an IdP with entity ID 'http://www.idp.com'

So that's what you need to fix.

-peter
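An added illustration of the lookup that fails here (not code from the thread or from SimpleSAMLphp itself): the SP authsource's 'idp' value is used as an array key into metadata/saml20-idp-remote.php, so the two strings must agree exactly. It assumes the /var/simplesamlphp install path from the backtrace and plain SimpleSAMLphp 1.x config files, where authsources.php populates $config and saml20-idp-remote.php populates $metadata.

```php
<?php
// Added example, not from the thread or from SimpleSAMLphp: a stand-alone check
// for "Could not find the metadata of an IdP with entity ID ...". The SP
// authsource's 'idp' value is looked up as an array key in
// metadata/saml20-idp-remote.php, so the two strings must match exactly
// (scheme, host, path, trailing slash). Assumes the /var/simplesamlphp path
// seen in the backtrace; both included files are plain PHP that fill $config
// and $metadata respectively.
$base = '/var/simplesamlphp';
$config = array();
require $base . '/config/authsources.php';
$metadata = array();
require $base . '/metadata/saml20-idp-remote.php';

// Returns a list of human-readable problems; an empty list means every
// saml:SP authsource points at IdP metadata the SP can actually use.
function checkIdpBinding(array $authsources, array $idpMetadata)
{
    $problems = array();
    foreach ($authsources as $name => $source) {
        // Only SAML SP sources (first element 'saml:SP') reference a remote IdP.
        if (!is_array($source) || !isset($source[0]) || $source[0] !== 'saml:SP') {
            continue;
        }
        if (empty($source['idp'])) {
            continue; // no fixed IdP: discovery will be used instead
        }
        $idp = $source['idp'];
        if (!isset($idpMetadata[$idp])) {
            $hint = '';
            foreach (array_keys($idpMetadata) as $known) {
                // Flag the usual culprits: trailing slash or case differences.
                if (rtrim($known, '/') === rtrim($idp, '/') || strcasecmp($known, $idp) === 0) {
                    $hint = " (near match in saml20-idp-remote.php: '$known')";
                }
            }
            $problems[] = "authsource '$name': no saml20-idp-remote entry keyed '$idp'$hint";
            continue;
        }
        $idpEntry = $idpMetadata[$idp];
        if (empty($idpEntry['SingleSignOnService'])) {
            $problems[] = "idp '$idp': no SingleSignOnService endpoint";
        }
        if (empty($idpEntry['certData']) && empty($idpEntry['certificate'])) {
            $problems[] = "idp '$idp': no signing certificate (certData/certificate)";
        }
    }
    return $problems;
}

$problems = checkIdpBinding($config, $metadata);
echo $problems ? implode("\n", $problems) . "\n" : "OK: all saml:SP authsources resolve to IdP metadata\n";
```

The key has to be the IdP's real entityID as published in its own metadata, which for a SimpleSAMLphp IdP is not necessarily the bare hostname.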

caoyili...@gmail.com

Oct 10, 2017, 10:27:09 PM
to SimpleSAMLphp
I am now configuring the SP and IdP. On the SimpleSAMLphp installation page I click the link to test the authentication source default-sp, which jumps to a login page. Then I log in with my user and password, and it shows these:
Your attributes:
urn:oid:0.9.2342.19200300.100.1.1
student
urn:oid:1.3.6.1.4.1.5923.1.1.1.1
member
student
SAML Subject:
NameId _96000e5065578f4d3921aa5f975573c0b43d1ce651
Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Is this a success? My purpose is to build an SP and IdP demo.

On Friday, September 29, 2017 at 5:35:17 PM UTC+8, caoyili...@gmail.com wrote:

caoyili...@gmail.com

Oct 11, 2017, 5:11:57 AM
to SimpleSAMLphp
If I now want to integrate authentication into my own application, what should I do? Do I need to build a separate server as the SP and make my own application the IdP? This part is not very clear to me: https://simplesamlphp.org/docs/stable/simplesamlphp-sp
Is the example code of step 6 already written somewhere? Do I need to create a separate file?

On Friday, September 29, 2017 at 5:35:17 PM UTC+8, caoyili...@gmail.com wrote:

Juan Manuel Palacios

Oct 11, 2017, 11:42:47 AM
to SimpleSAMLphp
Your application is the *local* SP, and it integrates with SimpleSAMLphp through an "authentication source". The latter, among other things, tells SimpleSAMLphp what *remote* "identity provider" service to use when authenticating users that are accessing your local SP.

The "quick start" process of getting that up-and-running is described here:


The part you seemed most interested in is section 6, "Integrating authentication with your own application":

https://simplesamlphp.org/docs/1.14/simplesamlphp-sp#section_6

Full references for the local SP and remote IdP components can be found here:


And you might want to go through those after you've completed the "quick start" to better understand what you did.

Other than that, one thing I'd really recommend is paying attention to the difference between a *local* SP and a *remote* SP, and in turn between a *remote* IdP and a *local* IdP. I constantly emphasize those because it was one of my major sources of confusion when I first got started with SAML & SimpleSAMLphp, and I see a lot of people coming here sharing that.

You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.

Peter Schober

Oct 11, 2017, 7:08:38 PM
to SimpleSAMLphp
* caoyili...@gmail.com <caoyili...@gmail.com> [2017-10-11 04:27]:
> I am now configuring SP and IDP, click SimpleSAMLphp the installation page
> to test the authentication source in the link default-sp, jump to a login
> page and then I use the user and password I log in to show these: Your
> attributes: urn:oid:0.9.2342.19200300.100.1.1 student urn:oid:
> 1.3.6.1.4.1.5923.1.1.1.1
> member
> student
> SAML Subject:
> NameId _96000e5065578f4d3921aa5f975573c0b43d1ce651
> Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>
> Is this a success? My purpose is to build a SP and IDP demo

That's not a technical question that has a precise answer. Only you
can say whether the above is "success" (or even correct).

Personally I'd at least also enable the oid2name attribute map[1] so
the above page (and calls to SSP's PHP API for the SP) see abstracted,
simpler attribute names to work with.
-peter

[1] Add something like this to 'authproc.sp' in your config.php:
10 => array(
    'class' => 'core:AttributeMap', 'oid2name',
),

Peter Schober

Oct 11, 2017, 7:20:45 PM
to SimpleSAMLphp
* caoyili...@gmail.com <caoyili...@gmail.com> [2017-10-11 11:12]:
> If I now want to integrate authentication into my own application,
> what should I do if I need to build a separate server as an SP, my
> own application as an IDP?

"IDP" is where people enter their credentials (commonly username and
password, possibly more). You don't want people to enter their
credentials into each service they're using because (1) it's tedious
for users (you can't get SSO), but more importantly (2) each
application then has to be fully trusted to impersonate the user to
any other service (since each application gets the literal username
and password from the user; also storing passwords securely is
rather difficult, judging from the frequency and number of passwords
that get copied/leaked/stolen/etc. from services operating with
multi-million dollar budgets).

So a service (your application) is a service, in SAML terms a Service
Provider. Which leaves the IDP (Identity Provider) role to that system
that securely performs authentication and asserts correct and
up-to-date data about the user to the service.
So your service becomes a SAML SP, as per the documentation.

It's easiest to build a new IDP as a separate "application" so no,
your application will not be the IDP.
It may be possible to "turn" an application "into an IDP", but it may
not be a good idea, or may be difficult. An IDP could also "re-use" an
application's database as a user store and possibly authentication
mechanism. That would not make the application "the IDP" (only its
data source, and possibly its registration or user management UI), but
it would blur the lines somewhat.

-peter

caoyili...@gmail.com

Oct 11, 2017, 9:04:46 PM
to SimpleSAMLphp
I now see the first six steps here (https://simplesamlphp.org/docs/1.14/simplesamlphp-sp#section_6) but cannot understand them. Can you tell me whether the few lines of code added here are meant to go in a new file, or to amend the previous file? Where exactly should that file be placed in the project?


On Friday, September 29, 2017 at 5:35:17 PM UTC+8, caoyili...@gmail.com wrote:

Peter Schober

Oct 12, 2017, 9:29:55 AM
to SimpleSAMLphp
* caoyili...@gmail.com <caoyili...@gmail.com> [2017-10-12 03:04]:
> I now see here the first six steps
> (https://simplesamlphp.org/docs/1.14/simplesamlphp-sp#section_6) can not
> read, you can tell me here to add a few lines of code is to create a new
> file Or in the previous file on the basis of which to amend it? Where
> should the specific path be placed on the project?

Step 6 is called "Integrating authentication with your own application".
Note "your own application". Therefore no one can tell you where you
need to add integration code, as this is your own application.
We don't know what application you're trying to integrate with and
even if we did we probably couldn't give you all the information you'd
need for the integration as the integration code is mostly about the
application's APIs, with only very few things specific to
SimpleSAMLphp.

-peter
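To make concrete how little of that integration is SimpleSAMLphp-specific, here is an added example (not code from the thread, the docs or the SimpleSAMLphp project) of the glue step 6 asks you to put into your own application. It assumes the /var/simplesamlphp install from the backtrace, the 'default-sp' authsource, and the oid2name attribute map suggested earlier in the thread, which renames urn:oid:0.9.2342.19200300.100.1.1 to 'uid' and urn:oid:1.3.6.1.4.1.5923.1.1.1.1 to 'eduPersonAffiliation'.

```php
<?php
// Added example, not from the thread or the SimpleSAMLphp docs. This file lives
// in YOUR application's tree (e.g. a protected page), not inside the
// SimpleSAMLphp install; the only SimpleSAMLphp-specific parts are the
// autoloader include and the SimpleSAML_Auth_Simple calls.
// Assumptions: install path /var/simplesamlphp (from the backtrace), authsource
// 'default-sp', and the oid2name AttributeMap so attributes arrive as 'uid'
// and 'eduPersonAffiliation' instead of urn:oid:... names.
require_once '/var/simplesamlphp/lib/_autoload.php';

// Turn the SAML attribute set into the minimal user record the application
// needs. Returns null when the IdP did not release a usable identifier, so the
// caller can refuse access instead of trusting a half-populated identity.
function applicationUserFromSaml(array $attributes)
{
    // Every SAML attribute is delivered as an array of values, even single ones.
    if (empty($attributes['uid'][0])) {
        return null;
    }
    $affiliations = isset($attributes['eduPersonAffiliation'])
        ? $attributes['eduPersonAffiliation'] : array();
    return array(
        'username'   => $attributes['uid'][0],
        // Authorisation decisions use the asserted affiliation, not free text.
        'is_student' => in_array('student', $affiliations, true),
    );
}

$as = new SimpleSAML_Auth_Simple('default-sp');

// If there is no SP session yet this redirects the browser to the IdP and
// exits; execution only continues once a validated SAML response exists.
$as->requireAuth();

$user = applicationUserFromSaml($as->getAttributes());
if ($user === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('The IdP did not release a uid attribute; check authproc.sp and attribute release.');
}

// From here on the application works with its own record, never raw SAML data.
echo 'Logged in as ', htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8'),
     $user['is_student'] ? ' (student)' : '',
     ' <a href="', htmlspecialchars($as->getLogoutURL(), ENT_QUOTES, 'UTF-8'), '">Logout</a>';
```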