Why does SAML response not work if using a domain?


lalalasm...@gmail.com

May 22, 2018, 6:59:44 PM5/22/18
to SimpleSAMLphp
I use Moodle as the app service; for its application search I use a domain, but when I do the login the SAML IdP does not respond and an error appears as in the picture. If I do not use the domain (using the IP) the SAML response works. Why is that, or is there a custom configuration if the application service installation uses the domain? Thank you


Peter Schober

May 23, 2018, 7:19:13 AM5/23/18
to SimpleSAMLphp
* lalalasm...@gmail.com <lalalasm...@gmail.com> [2018-05-23 00:59]:
> I use moodle as app service, for its application search I use domain but
> when i will do login saml idp do not respond and error appear as in
> picture.

Please just copy and paste the literal plain text error message here,
instead of taking photos of your screen rendering the error message
text in distorted pixels.

> and if not using domain (using IP) saml response work. why is that,
> or is there a custom configuration if the application service
> installation uses the domain?

You don't provide sufficient technical details but if I had to guess
based on "it works when I use an IP address somewhere" and "it doesn't
work when I use a domain name somewhere" it could either be a DNS
issue, or a web server misconfiguration, or a metadata issue.

From the error message it's the latter, probably. If you have IP
addresses in metadata then access will only work using the IP address
of the server. So don't do that: Metadata needs to match exactly what
someone accessing the service sees, and no one should be accessing a
service by typing in numbers and dots (or colons).

-peter

Lala Lasmanah

May 23, 2018, 10:10:33 AM5/23/18
to simple...@googlegroups.com
Hi Peter,
OK, I am sorry.

This is the error message

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SimpleSAML_Error_Exception: URL not allowed: http://lms.example.co.id/moodle/auth/saml/index.php
Backtrace:
2 lib/SimpleSAML/Utils/HTTP.php:383 (SimpleSAML\Utils\HTTP::checkURLAllowed)
1 modules/saml/www/sp/saml2-acs.php:118 (require)
0 www/module.php:135 (N/A)
I have the domain lms.example.co.id/moodle for accessing the app service. In the security configuration part of config.php I added the URL 'lms.example.co.id', but I get an error again when I try to log in; the error message is below:

SimpleSAML_Error_Error: ACSPARAMS

Backtrace:
1 modules/saml/www/sp/saml2-acs.php:21 (require)
0 www/modules.php:135 (N/A)
Caused by: Unable to find the current binding
Backtrace:
2 vendor/simplesamlphp/saml2/src/SAML2/Binding.php:104 (SAML2\Binding::getCurrentBinding)
1 modules/saml/www/sp/saml2-acs.php:16 (require)
0 www/module.php:135 (N/A)
For the web server I use Apache. I built this Moodle app and SSP as SP on a single server, but I don't make a vhost, because I think each app has a URL root so I just set it there. For metadata, what should I change if using a domain, instead of adjusting the metadata early in the installation?



--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:

https://simplesamlphp.org/support

Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.

Make sure to read the documentation:

https://simplesamlphp.org/docs/stable/

If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:

http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/UJWeTFsN1vQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlphp+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Peter Schober

May 23, 2018, 10:25:05 AM5/23/18
to simple...@googlegroups.com
* Lala Lasmanah <lalalasm...@gmail.com> [2018-05-23 16:10]:
> This is the error message
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 1 www/_include.php:45 (SimpleSAML_exception_handler)
> 0 [builtin] (N/A)
> Caused by: SimpleSAML_Error_Exception: URL not allowed:
> http://lms.example.co.id/moodle/auth/saml/index.php

Before it was a different one.

> I have domain lms.example.co.id/moodle for access the app service,
> on config.php part security configuration I added url
> 'lms.example.co.id

Where exactly did you add what, and why?
I never had a need to change any "security configuration" to get SSP
working. What is baseurl set to in your config and does that match the
base path to your SimpleSAML instance exactly?

> I get error again when I try to login, the message error as below:
>
> SimpleSAML_Error_Error: ACSPARAMS
>
> Backtrace:
> 1 modules/saml/www/sp/saml2-acs.php:21 (require)
> 0 www/modules.php:135 (N/A)
> Caused by: Unable to find the current binding

I guess that could be a metadata error, but we don't know what you're
doing and what your config looks like, yet.

> For web server I use apache, I build this app moodle and SSP as SP
> on single server but I don't make vhost

There is no reason Moodle and the SimpleSAMLphp instance protecting
Moodle should ever be on a different vhost, unless I'm not
understanding the above correctly. Or is Moodle another, separate
SAML SP?

What and where is the SAML IDP you're using to log in to this SSP
instance?

> because I think each app have a URLroot so I just setting on it.

You're talking about session cookie settings, in order to avoid
separate applications having their session cookies cross paths?

> For metada what to change if using a domain,instead of adjusting
> metadata early in the installation?

You don't say what you did "early in the installation" so it's
impossible to know whether you need to change something and what that
would be.
The metadata needs to be "correct". If the baseurl is correct for each
SSP instance then SSP will generate correct metadata about itself.

-peter

Lala Lasmanah

May 24, 2018, 1:15:15 AM5/24/18
to simple...@googlegroups.com

> Where exactly did you add what, and why?
> I never had a need to change any "security configuration" to get SSP
> working. What is baseurl set to in your config and does that match the
> base path to your SimpleSAML instance exacly?

I added 'trusted url' => array('lms.example.co.id') in the security configuration options section, because I only followed a tutorial that I found while searching for the error, and I tried adding it.
I do not know, it's not in the tutorial, I just followed it and tried.

> I guess that could be a metadata error, but we don't know what you're
> doing and what your config looks like, yet.

This is my SP metadata:
$metadata['http://lmssp.example.co.id/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array (
  'SingleLogoutService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'http://lmssp.example.co.id/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
    ),
  ),
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'index' => 0,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'http://lmssp.example.co.id/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    ),
    1 =>
    array (
      'index' => 1,
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
      'Location' => 'http://lmssp.example.co.id/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp',
    ),
    2 =>
    array (
      'index' => 2,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
      'Location' => 'http://lmssp.example.co.id/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    ),
    3 =>
    array (
      'index' => 3,
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
      'Location' => 'http://lmssp.example.co.id/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
    ),
  ),
  'contacts' =>
  array (
    0 =>
    array (
      'emailAddress' => 'lalale...@ymail.com',
      'contactType' => 'technical',
      'givenName' => 'Lala',
      'surName' => 'Lasmanah',
    ),
  ),
  'certData' => '...',
);
This is my IdP metadata:
$metadata['http://samlidp.telkom.co.id/simplesaml/saml2/idp/metadata.php'] = array (
  'metadata-set' => 'saml20-idp-remote',
  'entityid' => 'http://samlidp.telkom.co.id/simplesaml/saml2/idp/metadata.php',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'http://samlidp.telkom.co.id/simplesaml/saml2/idp/SSOService.php',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'http://samlidp.telkom.co.id/simplesaml/saml2/idp/SingleLogoutService.php',
    ),
  ),
  'certData' => 'MIID9TCCAt2gAwIBAgIJAOXQ1ieZLO4DMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYDVQQGEwJJRDETMBEGA1UECAwKSmF3YSBCYXJhdDERMA8GA1UEBwwIS2FyYXdhbmcxDDAKBgNVBAoMA1NTTzEMMAoGA1UECwwDU1NPMRYwFAYDVQQDDA1MYWxhIExhc21hbmFoMSUwIwYJKoZIhvcNAQkBFhZsYWxhbGVzbWFuYWhAeW1haWwuY29tMB4XDTE4MDQwNjEwMTIwN1oXDTI4MDQwNTEwMTIwN1owgZAxCzAJBgNVBAYTAklEMRMwEQYDVQQIDApKYXdhIEJhcmF0MREwDwYDVQQHDAhLYXJhd2FuZzEMMAoGA1UECgwDU1NPMQwwCgYDVQQLDANTU08xFjAUBgNVBAMMDUxhbGEgTGFzbWFuYWgxJTAjBgkqhkiG9w0BCQEWFmxhbGFsZXNtYW5haEB5bWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmumjUXiJW2rX1Vmqti488ORUF72+FS2Ui6Ii/oCllvMwPntUEE+8pj4GDIdecUHZmhW/1jwXEuzNPXjsh+MtdGS2Af/eIbvhfBpXv1nht2FkRyD7i4QKjKO6FaGv91K3Xpnyr6+YUzysZQrTrq+oWeCv50aCA/cWq6ScSCc7Lc13hUrL3Nh+G1WHvMtDe0trKWYRAri3XQe/dmu4em4cnkZkTCKii2uRTFotOduDD4DZVfKF5yvKV7Liuxojel7Zn/nO7j14wIJkUxBXUtXEIYcZxt5xllAkPNGDqyV0Z58obVg1+ZNGXTWzRF7q0hEyOJvA1+GoMr/nVcvSrQZvxAgMBAAGjUDBOMB0GA1UdDgQWBBTiOaJmPxAupqhCQfHlxGqdJuTXUDAfBgNVHSMEGDAWgBTiOaJmPxAupqhCQfHlxGqdJuTXUDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBbWVepcq1S/pO5PBqTVaA65u3MocQAMy8Fi+V9sMHAZH5cNeQ1GgU409mxOn7WuXdaHOT7G9fFLlGK74WaB8hPekQPUcA04YHR28pIb9sfe94sHGfx842j/Pa+XB1CJAG7Gjo/A75r2Ie7DxfxFbuVi6DmFjUdj18OYCDBRAubbOH4yWLMVq4uxr0z0n6YF1MMZFnuGBxfuygdXY7fiMs6i2ukEEBIkF6w8cwAXAyCOQujXHM8zdB+075c/yr+2y7z/IjMW+6vi2KA3t40eJhrzJXo2siLTGEi3b8qx1stc5lprQoTajFCJtUTY05Prh2Tx0U4j7Ka0h3A8cjrr4m8',
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
  'contacts' => 
  array (
    0 => 
    array (
      'emailAddress' => 'lalale...@ymail.com',
      'contactType' => 'technical',
      'givenName' => 'Lala',
      'surName' => 'Lasmanah',
    ),
  ),
);

> There is no reason Moodle and the SimpleSAMLphp instance protecting
> Moodle should ever be on a different vhost, unless I'm not
> understanding the above correctly. Or is Moodle another, separate
> SAML SP?
>
> What and where is the SAML IDP you're using to log in to this SSP
> instance?

I built the IdP on a different server.


>> because I think each app have a URLroot so I just setting on it.
>
> You're talking about session cookie settings, in order to avoid
> separate applications have their session cookies cross paths?

Yes, I think like that, but I do not understand session cookies.


>> For metada what to change if using a domain,instead of adjusting
>> metadata early in the installation?
>
> You don't say what you did "early in the installation" so it's
> impossible to know whether you need to change something and what that
> would be.
> The metadata needs to be "correct". If the baseurl is correct for each
> SSP instance then SSP will generate correct metadata about itself.

Then what is the best solution I should try?



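Peter's point above is that SP metadata must match exactly the scheme, host and base path users actually reach the SP at, and must never carry IP literals; in the posted metadata every endpoint is under lmssp.example.co.id while the error came from lms.example.co.id. The check below is an added example, not part of the thread or of SimpleSAMLphp itself: it compares each ACS and SLO Location against an assumed public base URL (the 'http://lms.example.co.id/simplesaml/' value is a hypothetical choice for illustration, and the metadata dict is a constructed sample in the shape posted above).

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample in the shape of the SP metadata posted above: two endpoints
# registered under the lmssp.example.co.id hostname.
SP_METADATA = {
    'AssertionConsumerService': [
        {'index': 0,
         'Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
         'Location': 'http://lmssp.example.co.id/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'},
    ],
    'SingleLogoutService': [
        {'Binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
         'Location': 'http://lmssp.example.co.id/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp'},
    ],
}


def is_ip_literal(host):
    """True if the URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_sp_metadata(metadata, public_base_url):
    """Compare every endpoint Location in SP metadata with the URL users actually
    reach the SimpleSAMLphp instance at (scheme://host/baseurlpath/).
    Returns a list of readable problems; an empty list means they agree."""
    base = urlsplit(public_base_url)
    base_path = base.path.rstrip('/') + '/'
    problems = []
    for service in ('AssertionConsumerService', 'SingleLogoutService'):
        for endpoint in metadata.get(service, []):
            loc = urlsplit(endpoint['Location'])
            label = '%s[%s]' % (service, endpoint.get('index', 0))
            if is_ip_literal(loc.hostname or ''):
                problems.append('%s: IP literal %s in Location; publish the hostname users type' % (label, loc.hostname))
            if (loc.scheme, loc.netloc) != (base.scheme, base.netloc):
                problems.append('%s: %s://%s does not match public %s://%s' % (label, loc.scheme, loc.netloc, base.scheme, base.netloc))
            elif not loc.path.startswith(base_path):
                problems.append('%s: path %s is not under baseurlpath %s' % (label, loc.path, base_path))
    return problems


if __name__ == '__main__':
    # Hypothetical public base URL: the host the thread's ACS error actually came from.
    for problem in check_sp_metadata(SP_METADATA, 'http://lms.example.co.id/simplesaml/'):
        print(problem)
```

Any line printed is a place where the metadata the IdP holds and the URL the browser posts the response to disagree, which is exactly the situation a "URL not allowed" or ACS error points at.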

Tanveer Qazi

Apr 25, 2019, 2:04:09 PM4/25/19
to simple...@googlegroups.com

Hi,

Did you get the solution? I'm facing the same problem.
