set up IdP proxy


Qian, Yi

Nov 22, 2016, 10:10:54 AM
to simple...@googlegroups.com
Hello,

Our institution has multiple Shibboleth IdPs, and we have a vendor SP that can only be set up to authenticate against one IdP. We could either congregate all the identities into a new IdP, which is very much impossible from a political standpoint.

Or, I learned something about SimpleSamlPhp. Please bear with me and correct me at any time, since I am so new to the software: I can set up SimpleSamlPhp as an IdP and then authenticate against our internal IdPs, but forgive my Google skills; I tried for a few weeks, googling and reading, but I did not find how to set this up step by step. The SimpleSamlPhp documents are too high level for me; there are too many missing parts for me to understand and to make it work. Could experts share some "for dummies" document on how to set up this IdP proxy?

Thanks
Yi

Enrico Cavalli

Nov 22, 2016, 11:36:41 AM
to simple...@googlegroups.com


> On 22 Nov 2016, at 15:46, Qian, Yi <yq...@ku.edu> wrote:
>
> Hello,
>
> Our institution has multiple Shibboleth IdPs, and we have a vendor SP that can only be set up to authenticate against one IdP. We could either congregate all the identities into a new IdP, which is very much impossible from a political standpoint.
>

Hello, I think that you should first set up SimpleSAMLphp to act as an SP which is able to authenticate against your Shibboleth IdPs.
See https://simplesamlphp.org/docs/stable/simplesamlphp-sp

In particular, you will add all Shibboleth IdPs to metadata/saml20-idp-remote.php
and you will exchange your metadata with all Shibboleths.

You will likely configure a discovery service which knows about those IdPs.

Next you will configure your SimpleSAMLphp as an IdP that will act as a bridge:

https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures#section_2

In saml20-idp-hosted.php you will refer to the previously configured SP:

'auth' => 'default-sp',

Finally, the vendor SP will only know about your SimpleSAMLphp IdP.

Dealing with attributes from all the IDPs is left as an exercise to the reader …

It’s not so straightforward but I think these steps should give you a working setup.

Best regards,
Enrico.

--
Enrico Cavalli - enrico....@gmail.com
jabber: enrico....@gmail.com skype: enricocavalli
PGP Fingerprint: 3762 7B1B 743E 029C 8F94 8ADE BC4B 43A7 0485 30E5
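The bridge Enrico outlines, written out as an added configuration example (not code from the thread or from SimpleSAMLphp itself): the SP half in authsources.php, one remote IdP entry, the hosted IdP whose 'auth' points at that SP, and the vendor SP entry. Host names, entityIDs, attribute names and key/certificate file names are placeholders.

```php
<?php
// Added example, not code from the thread or from SimpleSAMLphp itself:
// a minimal bridge configuration for the setup Enrico describes. Host
// names, entityIDs and key/certificate file names are placeholders.

// ---- config/authsources.php: the SP half, facing the internal Shibboleth IdPs ----
$config = [
    'admin' => ['core:AdminPassword'],
    'default-sp' => [
        'saml:SP',
        'entityID'          => 'https://proxy.example.edu/sp',
        'idp'               => null,   // null: a discovery page lets the user pick an IdP
        'discoURL'          => null,   // null: use the built-in discovery service
        'privatekey'        => 'sp.pem',
        'certificate'       => 'sp.crt',
        'sign.authnrequest' => true,
    ],
];

// ---- metadata/saml20-idp-remote.php: one entry per internal IdP ----
// (normally produced by pasting each IdP's XML into the admin metadata converter)
$metadata['https://idp-a.example.edu/idp/shibboleth'] = [
    'SingleSignOnService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://idp-a.example.edu/idp/profile/SAML2/Redirect/SSO',
    ]],
    'certData' => 'BASE64-SIGNING-CERT-PLACEHOLDER', // only assertions signed with this key are accepted
];
// ... one block like the above for each further internal IdP ...

// ---- metadata/saml20-idp-hosted.php: the IdP half, facing the vendor SP ----
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.pem',
    'certificate' => 'idp.crt',
    'auth'        => 'default-sp',   // the bridge: users authenticate through the SP above
    'authproc'    => [
        // release only what the vendor needs, whichever internal IdP issued the attributes
        50 => ['class' => 'core:AttributeLimit', 'eduPersonPrincipalName', 'mail', 'displayName'],
    ],
];

// ---- metadata/saml20-sp-remote.php: the vendor SP, which knows only this proxy IdP ----
$metadata['https://vendor.example.com/shibboleth'] = [
    'AssertionConsumerService' => 'https://vendor.example.com/Shibboleth.sso/SAML2/POST',
    'certData' => 'BASE64-VENDOR-CERT-PLACEHOLDER', // for encrypting assertions / verifying signed requests
];
```

The four sections live in the four separate files named in the comments; they are shown together here only so the cross-references ('auth' => 'default-sp', the remote IdP entityIDs) are visible in one place.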

Qian, Yi

Nov 28, 2016, 12:25:21 PM
to simple...@googlegroups.com
Thanks, Enrico

I have set up SimpleSamlPhp to authenticate against our test Shibboleth IdP. I suppose I now need to set up the SimpleSamlPhp IdP; my question is where I set up this IdP: on the same SSP instance where I set up the SP already, or a new SSP installation?

Yi
--
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at https://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/d/optout.

Enrico Cavalli

Nov 28, 2016, 3:10:15 PM
to simple...@googlegroups.com

> On 28 Nov 2016, at 18:25, Qian, Yi <yq...@ku.edu> wrote:
>
>
> I have set up SimpleSamlPhp to authenticate against our test Shibboleth IdP. I suppose I now need to set up the SimpleSamlPhp IdP; my question is where I set up this IdP: on the same SSP instance where I set up the SP already, or a new SSP installation?
>

Yes, on the same instance.

Regards,
Enrico.


Qian, Yi

Nov 30, 2016, 2:02:41 PM
to simple...@googlegroups.com
Hello,

I copied saml20-idp-hosted.php from metadata-template to the metadata directory and changed it to use my own private key and cert. Then I went to the SSP admin web console and logged in as admin; I see the SAML 2.0 IdP Metadata under the Federation tab, but clicking Show metadata gave me a 500 error.

Yi

Peter Schober

Nov 30, 2016, 2:09:59 PM
to simple...@googlegroups.com
* Qian, Yi <yq...@ku.edu> [2016-11-30 20:02]:
> I copied the saml20-idp-hosted.php from metadata-template to
> metadata directory, changed to use my own private key and cert. Then
> I went to ssp admin web console, logged in as admin, I see the SAML
> 2.0 IdP Metadata under Federation tab, but clicking Show metadata
> gave me 500 error.

HTTP 500 means you should find an error in your web server's log
files.
-peter

Dick Visser

Dec 1, 2016, 1:31:54 PM
to simple...@googlegroups.com
I suspect that the metadata file (which is PHP) contains some fatal error.

Qian, Yi

Dec 3, 2016, 9:24:59 PM
to simple...@googlegroups.com
Thanks, Peter. I found the error in the Apache log and generated the IdP metadata.

Now I am facing a problem converting the TestShib SP metadata to SimpleSamlPhp metadata; it complains: Exception: Unexpected root node: []: EntityDescriptor


Dick Visser

Dec 4, 2016, 1:36:07 AM
to simple...@googlegroups.com
Maybe you didn't copy the entire metadata contents? Or something went wrong with copy/pasting to the browser?

Qian, Yi

Dec 5, 2016, 12:16:50 PM
to simple...@googlegroups.com

The same metadata on our Shib QA instance works flawlessly, but I still get the same parse error from SimpleSamlPhp; could some experts share another idea?

Peter Schober

Dec 5, 2016, 1:05:27 PM
to simple...@googlegroups.com
* Qian, Yi <yq...@ku.edu> [2016-12-05 18:16]:
> The same metadata on our Shib QA instance works flawlessly, but I still
> get the same parse error from SimpleSamlPhp; could some experts share
> another idea?

Based on what? You get an exception when trying to load a certain
metadata document. There's nothing to go on about here.

You could supply the actual metadata here (or name its entityID, if
it's in TestShib it's public anyway) and supply the full error message
you get. You could also make sure the file validates with other
software, here are many ways to check for different things
(well-formedness, xsd schema-validity, xmldsig signature validation):
https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataCorrectness
-peter

Qian, Yi

Dec 5, 2016, 8:53:48 PM
to simple...@googlegroups.com
Thanks Peter, I made it work.


Peter Schober

Dec 6, 2016, 8:24:39 AM
to simple...@googlegroups.com
* Qian, Yi <yq...@ku.edu> [2016-12-06 02:53]:
> Thanks Peter, I made it work

I'm glad you did, but of course that's pretty worthless as far as
contributions to this list go. We don't know what the issue or
even the complete error message was, and we don't know how you fixed
it or what needed fixing. Anyway.
Best regards,
-peter

Qian, Yi

Dec 6, 2016, 9:43:18 AM
to simple...@googlegroups.com
The problem is lame: after you told me to validate the metadata file, I realized I did not put the namespace in the root node.

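A pre-check for the root-node error in this thread, as an added example (not code from the thread or from SimpleSAMLphp): it uses PHP's DOMDocument to verify that a metadata document's root element is EntityDescriptor or EntitiesDescriptor in the SAML 2.0 metadata namespace, the condition behind "Unexpected root node: []: EntityDescriptor" (the empty brackets being the missing namespace). Both sample documents are constructed; the function name is my own.

```php
<?php
// Added example, not from the thread: pre-check a SAML metadata file before
// pasting it into the SimpleSAMLphp converter. Mirrors the root-node check
// that produced "Unexpected root node: []: EntityDescriptor" above.
const SAML_MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

function checkMetadataRoot(string $xml): array
{
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    // LIBXML_NONET: never fetch external DTDs/entities while parsing untrusted XML
    $ok   = $doc->loadXML($xml, LIBXML_NONET);
    $errs = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if (!$ok) {
        $msg = $errs ? trim($errs[0]->message) : 'unknown parse error';
        return ['ok' => false, 'reason' => 'not well-formed: ' . $msg];
    }
    $root = $doc->documentElement;
    if (!in_array($root->localName, ['EntityDescriptor', 'EntitiesDescriptor'], true)) {
        return ['ok' => false, 'reason' => 'unexpected root element ' . $root->localName];
    }
    if ($root->namespaceURI !== SAML_MD_NS) {
        // The case from the thread: the element name is right, the namespace is missing
        return ['ok' => false, 'reason' => sprintf('root <%s> has namespace [%s], expected %s',
            $root->localName, (string) $root->namespaceURI, SAML_MD_NS)];
    }
    return ['ok' => true, 'reason' => 'root is md:' . $root->localName];
}

// Constructed samples: the root-without-namespace mistake, and the corrected form.
$samples = [
    'broken' => '<EntityDescriptor entityID="https://sp.example.org/shibboleth"/>',
    'fixed'  => '<md:EntityDescriptor xmlns:md="' . SAML_MD_NS . '" '
              . 'entityID="https://sp.example.org/shibboleth"/>',
];
foreach ($samples as $name => $xml) {
    $r = checkMetadataRoot($xml);
    printf("%-6s %s  %s\n", $name, $r['ok'] ? 'OK  ' : 'FAIL', $r['reason']);
}
```

This only catches the namespace and well-formedness class of mistakes; schema validity and signature checks still need the tools Peter linked.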

Peter Schober

Dec 6, 2016, 11:04:38 AM
to simple...@googlegroups.com
* Qian, Yi <yq...@ku.edu> [2016-12-06 15:43]:
> after you told me to validate the metadata file, I realized I did
> not put namespace in the root node.

No problem, that happens. I regularly use some of the tools referenced
previously to catch such errors, as they invariably happen when
editing XML (esp. when it comes from external sources).
At least SimpleSAMLphp isn't the culprit, so that's good news, too. :)
-peter