Joomla and SimpleSAMLphp integration


Roland Dalmulder

Aug 22, 2017, 3:26:34 PM8/22/17
to SimpleSAMLphp
What are you trying to do?

Apologies if this is going to be a duplicate post but Google Groups told me it is taking too long to process my post and to try again :-|

I am trying to build an extension for Joomla so users can login using SAML on a Joomla website. The goal is to donate this to the Joomla core for everyone to enjoy.

If you have read the documentation and used the search box on the web page to find what you are looking for, but you can't seem to find out how to do something in particular, ask it here by describing what you want to achieve.

What have you done?

I have set up SimpleSAMLphp and I can connect to the IdP, and after logging into the IdP I am returned to the SimpleSAMLphp control panel and shown my username. I want to achieve the same from a Joomla installation.

I have written the login plugin and I am being redirected to the SimpleSAMLphp control panel where I have to choose an IdP. I select an IdP and the page refreshes, and I select it again; only then am I taken to the IdP login page. I log in and am redirected back to the SimpleSAMLphp control panel with the error:
Exception: The POST data we should restore was lost.
The XML from the idp has been imported using the metarefresh.php file in case that is important.

Is there anything wrong?
This is the trace I get:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /x/public_html/saml/libraries/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: The POST data we should restore was lost.
Backtrace:
1 /x/public_html/saml/libraries/simplesamlphp/modules/core/www/postredirect.php:38 (require)
0 /x/public_html/saml/libraries/simplesamlphp/www/module.php:137 (N/A)

Is there anything you don't understand?

I believe I understand how it is supposed to work :)

Here is the code I use to authenticate the user:

$auth_source = 'default-sp';
$instance = new SimpleSAML_Auth_Simple($auth_source);
$instance->requireAuth();

That seems fine because I am taken to SimpleSAMLphp.

What I don't understand is how I can pass in a default idp. Setting a fixed entityID in the authsources.php doesn't seem to do anything either as I get back to the page to select an idp.

In a nutshell it works directly from SimpleSAMLphp but not when I want to do it from Joomla. I have profound knowledge of Joomla as a core-member but this seems to bite me.

In addition I am looking for people who want to help out to get this off the ground :)

Thank you all for your help.
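Two ways to skip the IdP selection page, as an added example that is not Roland's plugin code or a SimpleSAMLphp project sample: either pin the IdP in the 'default-sp' entry of authsources.php with the 'idp' key, or pass 'saml:idp' per request, as below. The autoload path, entity IDs and the ReturnTo URL are placeholders; the attribute names depend on what the IdP releases.

```php
<?php
// Added example (not from the thread): SimpleSAMLphp 1.x SP login from an
// application page, pinning the IdP instead of showing the discovery page.
// Placeholder path: point this at the _autoload.php of your installation.
require_once '/path/to/simplesamlphp/lib/_autoload.php';

// Placeholder entity ID of the IdP whose metadata metarefresh imported.
$idpEntityId = 'https://idp.example.org/saml2/idp/metadata.php';

$as = new SimpleSAML_Auth_Simple('default-sp');

// 'saml:idp' selects the IdP for this request, bypassing the discovery
// service. 'ReturnTo' is where the user lands after the ACS endpoint has
// consumed the SAML Response; keep it on the same HTTPS origin as the SP so
// the session cookie set during the exchange is actually sent back.
$as->requireAuth(array(
    'saml:idp' => $idpEntityId,
    'ReturnTo' => 'https://sp.example.org/index.php?option=com_saml&task=login.login',
));

// Execution only continues here once the session carries a valid
// authentication for this authsource; otherwise requireAuth() redirects
// and never returns.
if (!$as->isAuthenticated()) {
    http_response_code(403);
    exit('not authenticated');
}

// Attributes as asserted by the IdP. Which names are present is an
// assumption; check $attributes with var_dump() against your IdP first.
$attributes = $as->getAttributes();
$uid = isset($attributes['uid'][0]) ? $attributes['uid'][0] : null;
if ($uid === null) {
    http_response_code(500);
    exit('IdP did not release the attribute used as the local username');
}

// Only the IdP-asserted identifier is trusted here; nothing from the
// request (GET/POST) decides which local account is logged in.
echo 'Hello ', htmlspecialchars($uid, ENT_QUOTES, 'UTF-8');
```

Pinning the IdP in authsources.php is the equivalent static form: set 'idp' => 'https://idp.example.org/saml2/idp/metadata.php' (placeholder) inside the 'default-sp' array; the entity ID must match the one in the imported metadata exactly, or the discovery page is shown again.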

Peter Schober

Aug 25, 2017, 11:08:25 AM8/25/17
to SimpleSAMLphp
* Roland Dalmulder <rdalm...@gmail.com> [2017-08-22 21:26]:
> Caused by: Exception: The POST data we should restore was lost.
>
> Backtrace:
> 0 /x/public_html/saml/libraries/simplesamlphp/www/module.php:180 (N/A)
> Caused by: Exception: The POST data we should restore was lost.
> Backtrace:
> 1 /x/public_html/saml/libraries/simplesamlphp/modules/core/www/postredirect.php:38 (require)
> 0 /x/public_html/saml/libraries/simplesamlphp/www/module.php:137 (N/A)

Why would you need postredirect? That's meant as a workaround for SAML
SPs where the SP webserver doesn't use HTTPS. But why bother with SAML
at all if the SP has no security for sessions, cookies, etc.?

So that's the thing I'd concentrate on -- why does SSP think it needs
to "restore the HTTP POST"? The nonpathological case would be the
subject's HTTP User Agent sending HTTP GET and POST requests to the SP
and IDP as specified in the SAML spec, and the SP would consume and
process the HTTP POST (I'm assuming from a SAML Response) directly,
with no redirects (HTTP GET/30x) and no "restore" of the payload
needed.

You could spend time on why the POST couldn't be restored, but I'd
rather make sure that's never needed.
-peter

Roland Dalmulder

Aug 26, 2017, 7:05:46 AM8/26/17
to SimpleSAMLphp, peter....@univie.ac.at
Hello Peter,

Thank you for your input.


> Why would you need postredirect?

Honestly don't know. I am not doing this on purpose but I will check where it comes from.


> That's meant as a workaround for SAML SPs where the SP webserver doesn't use HTTPS.

That is good to know. Everything is HTTPS in my case so we really don't need the postredirect.


> You could spend time on why the POST couldn't be restored, but I'd rather make sure that's never needed.

Yes, I will look into that and post my findings.

Thank you.

Roland Dalmulder

Aug 26, 2017, 6:56:15 PM8/26/17
to SimpleSAMLphp, peter....@univie.ac.at
Hello Peter,

Your hints were very useful. Thank you. I also found out that there was a newer version of simpleSAMLphp available, so I updated that as well. All seems to be going as needed, as in I get to the IDP, login is OK and I am redirected back to my site. On my site I get redirected back to the URL:

https://saml.rolandd.com/libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp

This page is further blank and has no body. The code I am using is:

$instance = new SimpleSAML_Auth_Simple('default-sp');
$instance->requireAuth();
echo 'hello'; exit();

It never reaches the echo after the requireAuth(). So I wonder if there is a setting I missed somewhere. The same happens when I try to test the IDP with the control panel of simpleSAMLphp.

Hope you can give me a kick in the right direction. Thank you.


On Friday, August 25, 2017 at 5:08:25 PM UTC+2, Peter Schober wrote:

Jaime Perez Crespo

Aug 28, 2017, 3:48:18 AM8/28/17
to simple...@googlegroups.com
Hi Roland,

On 27 Aug 2017, at 00:56 AM, Roland Dalmulder <rdalm...@gmail.com> wrote:
> Hello Peter,
>
> Your hints were very useful. Thank you. I also found out that there was a newer version of simpleSAMLphp available, so I updated that as well. All seems to be going as needed, as in I get to the IDP, login is OK and I am redirected back to my site. On my site I get redirected back to the URL:
>
> https://saml.rolandd.com/libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp
>
> This page is further blank and has no body.

A blank page usually means a PHP fatal error. Take a look at the error log on the server that produces that blank page. Also, verify that you have all SimpleSAMLphp dependencies installed.

> The code I am using is:
> $instance = new SimpleSAML_Auth_Simple('default-sp');
> $instance->requireAuth();
> echo 'hello'; exit();
>
> It never reaches the echo after the requireAuth(). So I wonder if there is a setting I missed somewhere.

It will only reach it after successful authentication. If something is broken in your installation, you will never get back there.

> The same happens when I try to test the IDP with the control panel of simpleSAMLphp.

What’s “the same” here? Blank page also? That really indicates something is broken with your installation.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Roland Dalmulder

Aug 29, 2017, 8:28:34 AM8/29/17
to SimpleSAMLphp
Hello Jaime,

Thanks for your response. All the above has been solved and I am left with one curious kind of behavior. To make sure the basics are working, I created a script outside of Joomla to see if all would work. This code works:

if (!class_exists('SimpleSAML_Configuration'))
{
    include_once 'libraries/simplesamlphp/lib/_autoload.php';
}

$auth_source = 'default-sp';
$instance    = new SimpleSAML_Auth_Simple($auth_source);
$instance->requireAuth();

if ($instance->isAuthenticated())
{
    echo 'Hello authenticated user';
}
else
{
    echo 'You are not authenticated';
}

I see the 'Hello authenticated user'. This is using phpsession as datastore; when I switch this to sql so I can use an SQLite database, it goes belly up doing a number of redirects as shown in the attached gif file. Finally it stops with an unhandled exception:
Caused by: sspmod_saml_Error: Responder
In the server log I see this:

212.201.xx.xx - - [29/Aug/2017:13:26:34 +0300] "GET /index.php?option=com_saml&task=login.login&go=1 HTTP/1.0" 302 1190 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:35 +0300] "POST /libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.0" 302 408 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:35 +0300] "GET /index.php?option=com_saml&task=login.login&go=1 HTTP/1.0" 302 1195 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:36 +0300] "POST /libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.0" 302 408 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:36 +0300] "GET /index.php?option=com_saml&task=login.login&go=1 HTTP/1.0" 302 1185 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:36 +0300] "POST /libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.0" 302 408 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:37 +0300] "GET /index.php?option=com_saml&task=login.login&go=1 HTTP/1.0" 302 1192 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:37 +0300] "POST /libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.0" 302 408 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:37 +0300] "GET /index.php?option=com_saml&task=login.login&go=1 HTTP/1.0" 302 1188 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:37 +0300] "POST /libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.0" 302 408 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:38 +0300] "GET /index.php?option=com_saml&task=login.login&go=1 HTTP/1.0" 302 1195 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:39 +0300] "POST /libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.0" 302 408 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:39 +0300] "GET /index.php?option=com_saml&task=login.login&go=1 HTTP/1.0" 302 1192 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:41 +0300] "POST /libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.0" 500 1725 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"
212.201.xx.xx - - [29/Aug/2017:13:26:41 +0300] "GET /libraries/simplesamlphp/www/resources/clipboard.min.js HTTP/1.0" 200 2911 "https://saml.rolandd.com/libraries/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0"

Switch storage back to phpsession and it works. I can see the SQLite database being created and changed, so to me I don't see a reason why it wouldn't work with SQLite.

The reason I want it to work with SQLite is because when going to implement this in Joomla I will otherwise have issues with PHP sessions.

Any ideas what is going on here?

Thanks.
saml_redirects.gif
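The settings involved in the phpsession-versus-SQL switch discussed in this post, as an added config.php fragment that is not the thread author's configuration or a file from the SimpleSAMLphp project; paths and credentials are placeholders. The keys are the ones SimpleSAMLphp's config.php template documents; the comments record the checks that matter when an SQLite store stops redirect loops from resolving, which is the symptom in the access log above.

```php
<?php
// Added example (not from the thread): the store settings in SimpleSAMLphp's
// config.php that decide where the SP keeps authentication state between the
// login redirect and the POST to saml2-acs.php. Paths/credentials are placeholders.
$config = array(
    // Default: state lives in the PHP session. Fine for a standalone script,
    // but an application that manages its own session (Joomla here) can
    // start, regenerate or destroy that session between requests, so the
    // state saved before the IdP redirect is gone when the ACS POST arrives.
    // 'store.type' => 'phpsession',

    // Shared SQL store, independent of the application's PHP session.
    'store.type' => 'sql',

    // SQLite: use an absolute path outside the web root. The web server user
    // needs read and write access to the file AND to its directory, because
    // SQLite creates journal files next to the database; a store that can be
    // created but not updated looks exactly like "login never sticks":
    // every ACS POST finds no state and redirects to login again.
    'store.sql.dsn' => 'sqlite:/var/lib/simplesamlphp/sp.sq3',

    // MySQL alternative (what the thread settled on); same keys, different DSN.
    // 'store.sql.dsn'      => 'mysql:host=localhost;dbname=simplesamlphp',
    // 'store.sql.username' => 'simplesamlphp',
    // 'store.sql.password' => 'placeholder-password',

    // Table-name prefix; every SP instance sharing one database needs its own.
    'store.sql.prefix' => 'simpleSAMLphp',

    // The session cookie must only travel over HTTPS. This is also what makes
    // the postredirect workaround from earlier in the thread unnecessary.
    'session.cookie.secure' => true,
);
```

A quick way to confirm the store is usable before involving the IdP is to check that the SimpleSAMLphp tables appear in the SQLite file after the first request and that their row counts change across a login attempt; if the file exists but stays empty, the permission on the directory rather than the file is the usual cause.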

Roland Dalmulder

Aug 30, 2017, 4:49:19 PM8/30/17
to SimpleSAMLphp
Hello,

To keep this thread updated with my progress: today I decided to give the MySQL database a try as storage option. This works as well and I will choose this to move on. I still find it curious that it won't work with SQLite.

Thanks everybody.