ssp --unable to process saml resp

JC

May 1, 2016, 8:40:23 AM
to SimpleSAMLphp
Appreciate it very much if anyone can shed some light on this. Much appreciated!

Have an ssp wp plugin. Once user is authenticated at an external IDP, and the saml authen resp is posted back,
it fails to recognize the user or nameid

Here are the debug statements:

Received SAML2 Response from idp-site-url
Has 1 candidate keys for validation.
Validation with key #0 succeeded.
Has 1 candidate keys for validation.
Validation with key #0 failed without exception.
Filter config for idp-sp sites here array ( 0 => sspmod_saml_Auth_Process_NameIDAttribute::__set_state(array( 'attribute' => 'nameid', 'format' => array ( 0 => '', 1 => 'Value', 2 => false, ), 'priority' => 77, )),)
Deleting state: '_3fe4e8d09edc2d83279aa1eff454cb8cfc1104161c'


and here is the actual SAML response received by ssp-sp:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://ssp-sp-site.com/wp-content/plugins/sso-plugin/saml/www/module.php/saml/sp/saml2-acs.php/1" ID="_c9f0367ef60b15ad3931657d7e8eee47" InResponseTo="_3fe4e8d09edc2d83279aa1eff454cb8cfc1104161c" IssueInstant="2016-05-01T12:12:15.709Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://shib-idp-site.com/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_c9f0367ef60b15ad3931657d7e8eee47">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>7dpZor2qtxfpp/fyh8880qBE6rVQFd6Ar91vye6CHds=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>signature_value_here_removed_for_brevity=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>Cert_removed_for_brevity</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0e481ad534c7abe8b67cdeafe08876f1" IssueInstant="2016-05-01T12:12:15.709Z" Version="2.0">
<saml2:Issuer>http://shib-idp-site.com/idp/shibboleth</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="http://shib-idp-site.com/idp/shibboleth" SPNameQualifier="http://ssp-sp-site.com">use...@user-acc-site.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="User_IP_Address_replaced" InResponseTo="_3fe4e8d09edc2d83279aa1eff454cb8cfc1104161c" NotOnOrAfter="2016-05-01T12:17:15.716Z" Recipient="http://ssp-sp-site.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2016-05-01T12:12:15.709Z" NotOnOrAfter="2016-05-01T12:17:15.709Z">
<saml2:AudienceRestriction>
<saml2:Audience>http://ssp-sp-site.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2016-05-01T12:12:15.703Z" SessionIndex="_9ef829f98bfd2d121466f870ee2cacb9">
<saml2:SubjectLocality Address="clinet_ip_address_here"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>

Peter Schober

May 1, 2016, 1:07:57 PM
to SimpleSAMLphp
* JC <jc.ab...@gmail.com> [2016-05-01 14:40]:
> Have an ssp wp plugin. Once user is authenticated at an external IDP, and
> the saml authen resp is posted back,
> it fails to recognize the user or nameid

That's not a technical error message (and WordPress not recognizing
something is not really a topic for this list). So try logging in
through the SimpleSAMLphp SP's admin UI first, or using a URL like
/path/to/ssp/module.php/core/authenticate.php
Does that work? What attributes are available? Is the NameID available
as attribute (as per the filter being used)?

Note that just sending the expected identifier in a SAML Attribute is
probably easier for both the IDP and easier for the SP to pull out.
From the format actually used (not the format specified, which is
"unspecified") the eduPersonPrincipalName attribute seems to be a good
fit.
-peter
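Before the saml:NameIDAttribute filter ever runs, the SP has to accept the bearer assertion in JC's Response: Destination and Recipient must be its own ACS URL, both InResponseTo values must match the AuthnRequest state it still holds, the timestamps must be current, and the Audience must be its entityID. The script below is an added example (not code from the thread or from SimpleSAMLphp) that runs those checks over a trimmed copy of the posted Response and reports the NameID only alongside whatever would make the SP reject it; the ACS URL, entityID and request ID passed in are taken from the posted XML.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the thread's Response trimmed to the elements read below
# (Signature and Status dropped; the log shows the Response signature already validated).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c9f0367ef60b15ad3931657d7e8eee47"
 InResponseTo="_3fe4e8d09edc2d83279aa1eff454cb8cfc1104161c"
 Destination="http://ssp-sp-site.com/wp-content/plugins/sso-plugin/saml/www/module.php/saml/sp/saml2-acs.php/1">
 <saml2:Assertion ID="_0e481ad534c7abe8b67cdeafe08876f1" Version="2.0">
  <saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">use...@user-acc-site.com</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="_3fe4e8d09edc2d83279aa1eff454cb8cfc1104161c" NotOnOrAfter="2016-05-01T12:17:15.716Z"
     Recipient="http://ssp-sp-site.com/wp-content/plugins/saml-20-single-sign-on/saml/www/module.php/saml/sp/saml2-acs.php/1"/>
   </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2016-05-01T12:12:15.709Z" NotOnOrAfter="2016-05-01T12:17:15.709Z">
   <saml2:AudienceRestriction><saml2:Audience>http://ssp-sp-site.com</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
 </saml2:Assertion>
</saml2p:Response>"""


def saml_time(value):
    """Parse a SAML UTC timestamp (e.g. 2016-05-01T12:17:15.716Z) into a naive UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def check_response(xml_text, acs_url, sp_entity_id, request_id, now_utc):
    """Return (nameid, nameid_format, problems); an SP keeps the NameID only when problems is empty."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    cond = assertion.find("saml2:Conditions", NS)
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    now = saml_time(now_utc)
    problems = []
    if root.get("Destination") != acs_url:  # envelope must be addressed to our ACS endpoint
        problems.append("Response Destination is not this SP's ACS URL")
    if scd.get("Recipient") != acs_url:  # bearer confirmation must name the same endpoint
        problems.append("bearer Recipient is not this SP's ACS URL")
    if {root.get("InResponseTo"), scd.get("InResponseTo")} != {request_id}:  # must match our saved state
        problems.append("InResponseTo does not match the outstanding AuthnRequest")
    if not saml_time(cond.get("NotBefore")) <= now < min(saml_time(cond.get("NotOnOrAfter")), saml_time(scd.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")
    if sp_entity_id not in audiences:  # assertion must be issued for this SP
        problems.append("AudienceRestriction does not name this SP's entityID")
    return name_id.text, name_id.get("Format"), problems
```

Run against the posted values (ACS URL as in Destination, entityID http://ssp-sp-site.com, request ID _3fe4e8d09edc2d83279aa1eff454cb8cfc1104161c, a clock inside the five-minute window), the only finding is that Recipient points at a different plugin directory than Destination, exactly as in the XML JC posted; whether that is a redaction slip or the real configuration is something only JC can confirm.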