RequesterID not sent in AuthnRequest

Umesh Sundaresh

Aug 12, 2016, 1:57:34 PM
to SimpleSAMLphp
Hi,

I have set up SimpleSAMLphp as the service provider and am sending an AuthnRequest with the 'IDPList' and 'ProxyCount' parameters to test the 'Scoping' element. For some reason, it doesn't send the 'RequesterID' in the AuthnRequest. Does anyone know how to make this work?

Do I have to explicitly specify 'RequesterID' also in 'authsources.php' file?

Here's the snippet of authsources.php.

                'ProxyCount' => 1,
                'IDPList' => array(
                    'ha-login.xxx.yyy.com',
                ),


Thanks,

Umesh

Jaime Perez Crespo

Aug 15, 2016, 5:38:18 AM
to simple...@googlegroups.com
Hi Umesh,

On 12 Aug 2016, at 19:57 PM, Umesh Sundaresh <umesh.su...@gmail.com> wrote:
> I have set up SimpleSAMLphp as the service provider and am sending an AuthnRequest with the 'IDPList' and 'ProxyCount' parameters to test the 'Scoping' element. For some reason, it doesn't send the 'RequesterID' in the AuthnRequest. Does anyone know how to make this work?

You don’t have to. The RequesterID is intended for proxies, used to convey the original service provider(s) asking for authentication. So if you are a Service Provider yourself, you don’t have to send that attribute. If you are acting as a proxy, SimpleSAMLphp will automatically take care of that for you.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
PGP: 9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Umesh Sundaresh

Aug 15, 2016, 12:25:58 PM
to SimpleSAMLphp
Hi Jaime,

Thanks for the reply.

I am quite new to SimpleSAML. All I know is SimpleSAMLphp is my Service Provider. So, can I make SimpleSAMLphp as both Service Provider and Proxy to check if it sends 'RequesterID' in the request? If so, how do I configure it?

SimpleSAMLphp doesn't have any documentation showing configuration examples of Scoping and RequesterID attributes.

Thanks,
Umesh

Jaime Perez Crespo

Aug 16, 2016, 4:11:35 AM
to simple...@googlegroups.com
Hi!

On 15 Aug 2016, at 18:25 PM, Umesh Sundaresh <umesh.su...@gmail.com> wrote:
> Hi Jaime,
>
> Thanks for the reply.
>
> I am quite new to SimpleSAML. All I know is SimpleSAMLphp is my Service Provider. So, can I make SimpleSAMLphp as both Service Provider and Proxy to check if it sends 'RequesterID' in the request? If so, how do I configure it?

No, that’s not what I said. I said RequesterID will be handled by SSP in proxy mode, not that you should configure it like that if you are a Service Provider.

> SimpleSAMLphp doesn't have any documentation showing configuration examples of Scoping and RequesterID attributes.

Because there’s no way for you to set the RequesterID. Actually, you should NOT set the RequesterID, first, because an SP is not supposed to do that, and second, because in case you were running a proxy, that RequesterID should be set to the entity ID of the SP asking for authentication, not to something that you control.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
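
As an added illustration of the replies above (not code from this thread or from SimpleSAMLphp), this Python example reads the Scoping element of an AuthnRequest and checks RequesterID against the rule Jaime describes: absent when an SP sends the request itself, set to the original SP's entity ID when a proxy relays it. The sample messages, the example.org entity IDs and the function names are constructed for the example.

```python
# For untrusted XML prefer a hardened parser; the stdlib parser is enough for these samples.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def scoping_summary(authn_request_xml):
    """Extract Issuer plus the Scoping contents (ProxyCount, IDPList, RequesterID)."""
    root = ET.fromstring(authn_request_xml)
    out = {"issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
           "proxy_count": None, "idp_list": [], "requester_ids": []}
    scoping = root.find("samlp:Scoping", NS)
    if scoping is not None:
        count = scoping.get("ProxyCount")
        out["proxy_count"] = int(count) if count is not None else None
        out["idp_list"] = [e.get("ProviderID")
                           for e in scoping.findall("samlp:IDPList/samlp:IDPEntry", NS)]
        out["requester_ids"] = [(r.text or "").strip()
                                for r in scoping.findall("samlp:RequesterID", NS)]
    return out

def requester_id_findings(summary, role, original_sp=None):
    """role: 'sp' (request sent directly) or 'proxy' (request relayed for original_sp)."""
    ids = summary["requester_ids"]
    if role == "sp":
        # A plain SP is not supposed to send RequesterID at all.
        return ["SP request carries RequesterID %s" % ids] if ids else []
    # A proxy conveys the entity ID of the SP that asked for authentication.
    if original_sp not in ids:
        return ["proxy request does not name the original SP in RequesterID"]
    return []

def _request(issuer, scoping_extra):
    """Build a constructed sample AuthnRequest (unsigned, minimal attributes)."""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed" '
            'Version="2.0" IssueInstant="2016-08-12T00:00:00Z"><saml:Issuer>%s</saml:Issuer>'
            '<samlp:Scoping ProxyCount="1"><samlp:IDPList><samlp:IDPEntry '
            'ProviderID="ha-login.xxx.yyy.com"/></samlp:IDPList>%s</samlp:Scoping>'
            '</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], issuer, scoping_extra))

SP = "https://sp.example.org/metadata"        # constructed entity IDs
PROXY = "https://proxy.example.org/metadata"
DIRECT = _request(SP, "")                     # what the SP in this thread sends
PROXIED = _request(PROXY, "<samlp:RequesterID>%s</samlp:RequesterID>" % SP)

if __name__ == "__main__":
    for name, xml, role, orig in (("direct", DIRECT, "sp", None),
                                  ("proxied", PROXIED, "proxy", SP)):
        s = scoping_summary(xml)
        print(name, s, requester_id_findings(s, role, orig) or "ok")
```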

Umesh Sundaresh

Aug 25, 2016, 7:30:21 PM
to SimpleSAMLphp
Hi Jaime,

I am not able to find any document on the net to set up a SimpleSAML IDP Proxy. Do you have any reference to documentation or is there any workaround to set this up?

Thanks,
Umesh

Jaime Perez Crespo

Aug 26, 2016, 2:18:31 AM
to simple...@googlegroups.com
Hi Umesh,

On 26 Aug 2016, at 01:30 AM, Umesh Sundaresh <umesh.su...@gmail.com> wrote:
> Hi Jaime,
>
> I am not able to find any document on the net to set up a SimpleSAML IDP Proxy. Do you have any reference to documentation or is there any workaround to set this up?

That’s because proxy mode is not officially supported yet.

In any case, why the obsession with setting the RequesterID? If you are a Service Provider, you are not supposed to do that!