IdP with g-suite


Jake

Oct 18, 2017, 9:30:05 AM
to SimpleSAMLphp
Hi,

I made a testing environment where I have a Google G Suite account and an IdP on Ubuntu 16.04 + Apache/SQL/SimpleSAMLphp. The environment is in quite good shape; I can, for instance, log in using my SQL user with the demo page (https://my_domain/simplesaml -> Authentication -> Test configured authentication sources -> example-sql). However, I need help with the sign-in / sign-out URLs defined in G Suite. I'm not very familiar with SAML/PHP, so I'd appreciate it if somebody could provide simple PHP examples for a login page and a logout page.

Like here: SSOService.php and initSLO.php / logout.php
https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps
http://dev2.andreas.feide.no/simplesaml/saml2/idp/SSOService.php
http://dev2.andreas.feide.no/simplesaml/saml2/idp/initSLO.php?RelayState=/simplesaml/logout.php

br, Jake

Thijs Kinkhorst

Oct 18, 2017, 9:47:04 AM
to simple...@googlegroups.com
Hi Jake,
If I understand your question correctly, you're asking what you need to
fill in in G-Suite for Single Sign On and Single Sign Out URL fields.

You find the values for your installation in your IdP metadata. This can
be found on your simpleSAMLphp installation, tab "Federation", under
"SAML 2.0 IdP Metadata", click "show metadata".

In this XML you can find the relevant URLs inside the
<md:SingleSignOnService> and <md:SingleLogoutService> tags.


Cheers,
Thijs

Jake

Oct 18, 2017, 2:42:59 PM
to SimpleSAMLphp
Hi,

Now I got it! I thought I had to make those files myself. Thanks a lot! However, after successful authentication I'm forwarded to the AssertionConsumerService page, where I get this error. Any tips?

G Suite - Invalid Email
Help|Sign out
Invalid Email

We are unable to process your request at this time, please try again later.


br, Jake

Dubravko Voncina

Oct 19, 2017, 4:46:17 AM
to simple...@googlegroups.com
On 18 Oct 2017, at 20:42, Jake <jtyl...@gmail.com> wrote:

> Hi,
>
> Now I got it! I thought I had to make those files myself. Thanks a lot! However, after successful authentication I'm forwarded to the AssertionConsumerService page, where I get this error. Any tips?
>
> G Suite - Invalid Email
> Help|Sign out
> Invalid Email
>
> We are unable to process your request at this time, please try again later.

Hi,

Are you sure that 'simplesaml.nameidattribute' in your saml20-sp-remote.php configuration file matches the username in the G Suite application?

Regards,

Dubravko Voncina
Middleware and Data Services Department
University of Zagreb, University Computing Centre, www.srce.unizg.hr
dubravko...@srce.hr, tel: +385 98 219273, fax: +385 1 6165559
Jarkko Ylinen

Oct 19, 2017, 5:39:51 AM
to simple...@googlegroups.com
Hi,
My saml20-sp-remote.php looks like this. Yes, garagepc1 is my username in G Suite.

$metadata['google.com/a/garage.dyn.woima.fi'] = array(
    'AssertionConsumerService' => 'https://www.google.com/a/garage.dyn.woima.fi/acs',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'garagepc1',
    'simplesaml.attributes' => FALSE,
);

In the SAML response the NameID is not correct. It seems that the saml20-sp-remote.php settings do not affect it at all, or where does it get that information from?

<saml:Subject>
    <saml:NameID SPNameQualifier="google.com/a/garage.dyn.woima.fi"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                 >_4584c1662cea63bc287439a15aeefec37d600c823c</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-10-19T08:52:24Z"
                                      Recipient="https://www.google.com/a/garage.dyn.woima.fi/acs"
                                      InResponseTo="mllmpaoegehhpaghlpaicfkfgnjckieafcoclkmk"
                                      />
    </saml:SubjectConfirmation>
</saml:Subject>

br, Jake


Peter Schober

Oct 19, 2017, 5:58:43 AM
to simple...@googlegroups.com
* Jarkko Ylinen <jtyl...@gmail.com> [2017-10-19 11:39]:
> 'simplesaml.nameidattribute' => 'garagepc1',

That should be the name of the attribute that carries the value
(e.g. 'uid'), not the literal value itself. Otherwise that IDP
couldn't be used for more than one person, could it?

> <saml:Subject>
> <saml:NameID SPNameQualifier="google.com/a/garage.dyn.woima.fi"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

Check whether fixing simplesaml.nameidattribute gets the correct
NameID/@Format to be sent.

-peter

Jarkko Ylinen

Oct 19, 2017, 8:11:55 AM
to simple...@googlegroups.com
Yes, I tried that one as well and the response is the same. It looks like it doesn't matter what I have in that file... :(

<saml:Subject>
    <saml:NameID SPNameQualifier="google.com/a/garage.dyn.woima.fi"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                 >_2b260e3b7f792052d50b0ec16a09e135ba8031fb6f</saml:NameID>

br, Jarkko

Dubravko Voncina

Oct 19, 2017, 9:27:12 AM
to simple...@googlegroups.com
On 19 Oct 2017, at 14:11, Jarkko Ylinen <jtyl...@gmail.com> wrote:

> Yes, I tried that one as well and the response is the same. It looks like it doesn't matter what I have in that file... :(
>
> <saml:Subject>
>     <saml:NameID SPNameQualifier="google.com/a/garage.dyn.woima.fi"
>                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>                  >_2b260e3b7f792052d50b0ec16a09e135ba8031fb6f</saml:NameID>

The above section of the SAML response message indicates that your IdP still provides the NameID in transient format.
According to the documentation for the current stable SimpleSAMLphp release:

the NameIDFormat value in your SP metadata should be:

    'NameIDFormat'  => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

instead of:

    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',

Try changing that value to see if anything will improve.

Peter Schober

Oct 19, 2017, 10:24:16 AM
to simple...@googlegroups.com
* Dubravko Voncina <dubravko...@srce.hr> [2017-10-19 15:27]:
> the NameIDFormat value in your SP metadata should be:
>
> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
>
> instead of:
>
> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',

Thanks for catching that. I hadn't assumed the OP actually invented an
invalid URI in someone else's namespace. At least I would assume
people can copy/paste correctly from the requirements they're given
(here by Google).
-peter

Dubravko Voncina

Oct 19, 2017, 11:48:36 AM
to simple...@googlegroups.com
Well, according to the official G Suite Administrator guide:

https://support.google.com/a/answer/6330801?hl=en

Google actually expects the NameID format value to be "urn:oasis:names:tc:SAML:2.0:nameid-format:email", even though it doesn't appear to be a valid NameID format. So there's obviously a discrepancy between the information that can be found on the SimpleSAMLphp website and the information provided by Google.
On the other hand, I'm pretty sure that Google doesn't validate the NameID format value. It just requires that the NameID matches the G Suite username.

Jarkko Ylinen

Oct 19, 2017, 12:55:35 PM
to simple...@googlegroups.com
Hi,
Whatever I change, the result is the same. By the way, here is the AuthnRequest sent by Google:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="ipepipeekeppemnadnmlcedbobghelmojpapnieb"
                    Version="2.0"
                    IssueInstant="2017-10-19T16:38:46Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    ProviderName="google.com"
                    IsPassive="false"
                    AssertionConsumerServiceURL="https://www.google.com/a/garage.dyn.woima.fi/acs"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com/a/garage.dyn.woima.fi</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true"
                        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                        />
</samlp:AuthnRequest>

According to Google it should look like this:

<saml:Subject>
    <saml:NameID SPNameQualifier="google.com/a/yourdomain.com"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">us...@yourdomain.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2014-11-05T17:37:07Z"
                                      Recipient="https://www.google.com/a/yourdomain.com/acs"
                                      InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen"
                                      />
    </saml:SubjectConfirmation>

But this is what I always get, and I don't know why:

<saml:Subject>
    <saml:NameID SPNameQualifier="google.com/a/garage.dyn.woima.fi"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                 >_f3fb1da0039187b13968ef6404db577ff8c7fbc47b</saml:NameID>

br, Jake


Peter Schober

Oct 19, 2017, 1:20:46 PM
to simple...@googlegroups.com
* Dubravko Voncina <dubravko...@srce.hr> [2017-10-19 17:48]:
> Well, according to the official G Suite Administrator guide:
>
> https://support.google.com/a/answer/6330801?hl=en
>
> Google actually expects NameID format value to be
> "urn:oasis:names:tc:SAML:2.0:nameid-format:email", even though it
> doesn't appear to be a valid NameID format. So there's obviously a
> discrepancy between information that can be found on the
> SimpleSAMLphp website and the information provided by Google.

Interesting. I'd say that the "Examples" on that page are
non-normative, but of course this still is nonsense from Google:
SAML Core does/did not assign such a URI and since this is within
urn:oasis (cf. RFC3121) no one else can create valid URNs in their
namespace.
Other than making up invalid URIs in someone else's namespace the
really stupid part is that Google could just as well have provided
valid URN values in their examples (even if they didn't care about the
Format, so as not to force people to implement the incorrect example).

So the SimpleSAMLphp docs are at least documenting use of a Format URI
that's both technically correct and what SAML Core (section 8.3.2)
specifies for name identifiers based on the email address.

> On the other hand, I'm pretty sure that Google doesn't validate
> NameID format value. It just requires that NameID matches the G
> Suite username.

That certainly explains why they can still provide incorrect examples
in their own documentation.
That, plus the fact that likely none of their customers reported that
bug to them.

None of that explains why the OP's IDP still issues transients, of
course. I have no suggestion other than making sure the configured
source attribute exists and has a single value for the subject trying
to log in.

-peter

Jarkko Ylinen

Oct 20, 2017, 5:33:14 AM
to simple...@googlegroups.com
Hi,
Yes, you're right. Still, I don't understand why I'm not able to modify the configuration so that the response would be something other than the one below:

<saml:Subject>
    <saml:NameID SPNameQualifier="google.com/a/garage.dyn.woima.fi"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                 >_f3fb1da0039187b13968ef6404db577ff8c7fbc47b</saml:NameID>


Jarkko Ylinen

Oct 20, 2017, 6:46:16 AM
to simple...@googlegroups.com
Hi,
I can see the errors in syslog. What does "Missing uid in the attributes of the user" mean?

Oct 20 13:42:57 garage simplesamlphp[3053]: 5 STAT [a1d9e73d23] User 'garagepc1' has been successfully authenticated.
Oct 20 13:42:57 garage simplesamlphp[3053]: 5 STAT [a1d9e73d23] saml20-idp-SSO-first google.com/a/garage.dyn.woima.fi https://garage.dyn.woima.fi/simplesaml/saml2/idp/metadata.php NA
Oct 20 13:42:57 garage simplesamlphp[3053]: 5 STAT [a1d9e73d23] saml20-idp-SSO google.com/a/garage.dyn.woima.fi https://garage.dyn.woima.fi/simplesaml/saml2/idp/metadata.php NA
Oct 20 13:42:57 garage simplesamlphp[3053]: 3 [a1d9e73d23] Unable to add NameID: Missing 'uid' in the attributes of the user.
Oct 20 13:42:57 garage simplesamlphp[3053]: 4 [a1d9e73d23] Falling back to transient NameID.

Peter Schober

Oct 20, 2017, 6:54:29 AM
to simple...@googlegroups.com
* Jarkko Ylinen <jtyl...@gmail.com> [2017-10-20 12:46]:
> I can see the errors in syslog. What does "Missing uid in the attributes of
> the user" means ?

It means you're asking others for help to solve your problem but you
don't read the answers they provide:

* Peter Schober <peter....@univie.ac.at> [2017-10-19 19:20]:
> None of that explains why the OP's IDP still issues transients, of
> course. I have no suggestion other than making sure the configured
> source attribute exists and has a single value for the subject trying
> to log in.

What exactly about the error message is unclear? You've configured SSP
to use the value of the 'uid' attribute as value of the NameID. And
the account that authenticated does not have the 'uid' attribute
available.
We can't know why that's the case. Could be many reasons, e.g.
* The account does not have a 'uid' attribute
* The auth source used for authenticating does not have 'uid' available
* The attribute is not called uid but something else
* etc.

What data exactly do you want to send to Google? Since they document
(incorrectly, but nevertheless) to want email in the NameID is it your
email address that you need to send? Or your userid?
And once you know what data you want to send, where is that data
stored? Does SSP have access to the data, and via what means?

All of this is specific to your configuration (SSP authsource and
network systems accessed by it), we don't know your deployment details
and you didn't provide any.

-peter

Jarkko Ylinen

Oct 20, 2017, 7:18:12 AM
to simple...@googlegroups.com
Hi,

I got it to work: I changed the 'simplesaml.nameidattribute' value to 'username', which refers to the MySQL table structure. The goal has been achieved... I learned something :)

$metadata['google.com/a/garage.dyn.woima.fi'] = array(
    'AssertionConsumerService' => 'https://www.google.com/a/garage.dyn.woima.fi/acs',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'username',
    'simplesaml.attributes' => FALSE,
);

Thanks for your help !
br, Jake


Peter Schober

Oct 20, 2017, 7:38:09 AM
to simple...@googlegroups.com
* Jarkko Ylinen <jtyl...@gmail.com> [2017-10-20 13:18]:
> I got it work, I changed 'simplesaml.nameidattribute' value to 'username'
> which refer to mySQL table structure. The goal has been achieved... I
> learned something :)
>
> $metadata['google.com/a/garage.dyn.woima.fi'] = array(
> 'AssertionConsumerService' => 'https://www.google.com/a/garage.dyn.woima.fi/acs',
> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
> 'simplesaml.nameidattribute' => 'username',
> 'simplesaml.attributes' => FALSE,
> );

I'd also suggest setting a valid NameID format, even/especially if
Google doesn't pay any attention to the bogus format they document.

If the value is an email address the valid format would be:
'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
as Dubravko pointed out earlier.

But since you're not actually sending an email address as the NameID
value I guess the only appropriate standard format is:
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'

So set that in your NameIDFormat parameter and re-try to make sure
everything still works.

-peter
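
As an added example (not SimpleSAMLphp's own code, and not from anyone in this thread), the following Python reconstructs the two checks the thread converges on: whether the configured NameIDFormat is a URN that SAML Core actually assigns, and how a missing or multi-valued source attribute makes the IdP drop the configured NameID and fall back to a transient one, as the syslog lines above show. The fallback rule, the attribute set and both SP entries are constructed assumptions modelled on the thread, not SimpleSAMLphp's real implementation.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Format URIs SAML Core assigns (the thread cites section 8.3.2 for emailAddress).
VALID_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: attributes an example-sql auth source might return for the
# user in the thread (the SQL table has a 'username' column, no 'uid').
USER_ATTRS: Dict[str, List[str]] = {
    "username": ["garagepc1"],
    "mail": ["garagepc1@garage.dyn.woima.fi"],
}

# Constructed SP entries: first pointing at an attribute the auth source does not
# provide (plus Google's bogus format), then corrected to the column that exists.
SP_BROKEN = {
    "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
    "simplesaml.nameidattribute": "uid",
}
SP_FIXED = {
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "simplesaml.nameidattribute": "username",
}


def check_nameid_format(fmt: str) -> Optional[str]:
    """Return a finding if NameIDFormat is not a URN assigned by SAML Core, else None."""
    if fmt in VALID_NAMEID_FORMATS:
        return None
    return f"NameIDFormat {fmt!r} is not a SAML Core format URI; use 1.1:emailAddress or 1.1:unspecified"


def build_nameid(sp: Dict[str, str], attrs: Dict[str, List[str]]) -> Tuple[str, str, List[str]]:
    """Pick (format, value, log) the way the thread's fallback rule describes.

    Assumed reconstruction of the behaviour behind the syslog lines, not SSP's code:
    if the configured source attribute is missing or not single-valued, the
    configured format is dropped and a random transient identifier is issued.
    """
    log: List[str] = []
    attr = sp["simplesaml.nameidattribute"]
    values = attrs.get(attr, [])
    if len(values) != 1:
        problem = f"Missing '{attr}'" if not values else f"Multiple values for '{attr}'"
        log.append(f"Unable to add NameID: {problem} in the attributes of the user.")
        log.append("Falling back to transient NameID.")
        return TRANSIENT, "_" + secrets.token_hex(20), log
    return sp["NameIDFormat"], values[0], log


if __name__ == "__main__":
    for name, sp in (("broken", SP_BROKEN), ("fixed", SP_FIXED)):
        fmt, value, log = build_nameid(sp, USER_ATTRS)
        print(name, fmt, value, log, check_nameid_format(sp["NameIDFormat"]))
```

Running it shows the broken entry producing exactly the transient fallback and log lines from the thread, while the fixed entry sends "garagepc1" under a format SAML Core actually defines.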