Session: 'default-sp' not valid because we are not authenticated.


Brett Sheeran

Nov 16, 2016, 1:12:05 AM
to SimpleSAMLphp
Hi,

Can someone suggest how I might narrow down the cause of my "we are not authenticated" error please? I'm stumped.

Details as follows.

We are attempting to set up SimpleSAML to ADFS as per these instructions (which we have successfully used before):


Ignoring the Drupal stuff, if I call this SimpleSAML URL, I should get redirected to a std ADFS login page:


However, I get redirected to here:

https://adfs.myadfshost.com/adfs/ls/?SAMLRequest0=<snip/>&RelayState=https%3A%2F%2Fmysamlhost.com%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Ddefault-sp&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=<snip/>

With this message:

An error occurred. Contact your administrator for more information.
Error details: Activity ID: 00000000-0000-0000-a607-0080000000d9
Error time: Wed, 16 Nov 2016 02:46:57 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0

This is what I see in the SAML logs:

Nov 16 14:01:21 simplesamlphp DEBUG [79d48437b2] Session: 'default-sp' not valid because we are not authenticated.
Nov 16 14:01:21 simplesamlphp DEBUG [79d48437b2] Saved state: '_0f82eb6a0992e39790e5ef332e6883487487d24977'
Nov 16 14:01:21 simplesamlphp DEBUG [79d48437b2] Sending SAML 2 AuthnRequest to 'https://ADFS.myadfshost.com/adfs/services/trust'
Nov 16 14:01:21 simplesamlphp DEBUG [79d48437b2] Sending message:
Nov 16 14:01:21 simplesamlphp DEBUG [79d48437b2] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0f82eb6a0992e39790e5ef332e6883487487d24977" Version="2.0" IssueInstant="2016-11-16T03:31:21Z" Destination="https://adfs.stpetersgirls.sa.edu.au/adfs/ls/" AssertionConsumerServiceURL="https://mysamlhost.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Nov 16 14:01:21 simplesamlphp DEBUG [79d48437b2]   <saml:Issuer>https://mysamlhost.com/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
Nov 16 14:01:21 simplesamlphp DEBUG [79d48437b2]   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
Nov 16 14:01:21 simplesamlphp DEBUG [79d48437b2] </samlp:AuthnRequest>

Does anyone have any suggestions how I might narrow down the cause of this error?

I am happy to post configs etc.

Thanks.

Regards

Brett

Peter Schober

Nov 16, 2016, 4:30:56 AM
to SimpleSAMLphp
* Brett Sheeran <brett....@gmail.com> [2016-11-16 07:12]:
> Can someone suggest how I might narrow down the cause of my "we are
> not authenticated" error please?

I don't see an error in your logs:

> Nov 16 14:01:21 simplesamlphp DEBUG [79d48437b2] Session:
> 'default-sp' not valid because we are not authenticated.

That's a "DEBUG" level message, not ERROR.

> However, I get redirected to here:
> https://adfs.myadfshost.com/adfs/ls/...

If you get sent off to the SAML IDP (here of the Microsoft
implementation) with an authentication request it seems there is no
error (yet) from SSP?

> With this message:
> An error occurred. Contact your administrator for more information.

As to what this message means ("An error"? Could it be any less
specific?), you'd either have to ask the operator of that service/server,
or the vendor of the product generating such useless messages.
-peter
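
As an added example (not part of the thread and not SimpleSAMLphp code): the SP did send an AuthnRequest and the failure is reported on the IdP side, so one way to prepare for the conversation with the IdP operator is to decode the `SAMLRequest` parameter of the redirect URL and list the values they would compare against their configuration. The hosts and the sample request are constructed, and `encode_redirect`, `inflate` and `inspect_redirect` are hypothetical helper names.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample modelled on the logged request; hosts are placeholders.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
    'IssueInstant="2016-11-16T03:31:21Z" Destination="https://idp.example.org/adfs/ls/" '
    'AssertionConsumerServiceURL="https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>'
    '</samlp:AuthnRequest>')

def encode_redirect(xml: str, endpoint: str) -> str:
    """Build an HTTP-Redirect URL for the sample: raw DEFLATE, base64, URL-encode."""
    c = zlib.compressobj(wbits=-15)
    raw = c.compress(xml.encode()) + c.flush()
    return endpoint + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def inflate(b64: str, limit: int = 65536) -> bytes:
    """Reverse the encoding, refusing streams that are truncated or exceed the limit."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(base64.b64decode(b64), limit)
    if not d.eof:
        raise ValueError("SAMLRequest is truncated or inflates past the size limit")
    return out

def inspect_redirect(url: str) -> dict:
    """Return the AuthnRequest fields an IdP operator would want to see."""
    parts = urlsplit(url)
    xml = inflate(parse_qs(parts.query)["SAMLRequest"][0])
    if b"<!DOCTYPE" in xml:  # a SAML message never needs a DTD
        raise ValueError("unexpected DOCTYPE in SAML message")
    root = ET.fromstring(xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        # Exact string comparison of Destination with the URL the browser was sent to.
        "destination_matches_endpoint": root.get("Destination") == endpoint,
    }

if __name__ == "__main__":
    print(inspect_redirect(encode_redirect(SAMPLE_XML, "https://idp.example.org/adfs/ls/")))
```
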