Problems with 1.14.7

oscar...@gmail.com

Aug 21, 2016, 9:38:27 AM
to SimpleSAMLphp
Hi,

I'm pretty new to SSP and SAML in general but I had a working test environment set up with 1.14.0.

I have an SP which is running on Debian 7, php 5.4.45 and I'm using an ADFS based IDP. I'm using Apache (2.2), memcached (1.4.13) and mod-auth-memcookie (1.0.2-5). As I said this worked fine with 1.14.0, but after upgrading to SSP 1.14.7 I seem to have a number of problems.

I followed the upgrade instructions as described on the SSP site and copied over the config and metadata (and cert) directories from the 14.0 installation.

I have Apache set up to require a valid user for specific directories:

    <Location />
        Auth_memCookie_Memcached_AddrPort "127.0.0.1:11211"
        Auth_memCookie_Authoritative on
        Auth_memCookie_SessionTableSize "40"
        AuthType Cookie
        AuthName "My Login"
        ErrorDocument 401 "/simplesaml/authmemcookie.php"
    </Location>

    <Location /myDir>
        Require valid-user
    </Location>

If I try to access myDir/script.php I get redirected to the IDP as expected but after successfully authenticating I get redirected to a mangled url which is a combination of the ErrorDocument specified in the Apache config and myDir/script.php, something like simplesaml/authmemcookie.phppt.php.  I've tried changing the url to the correct one to see what happens, but when I go to simplesaml/authmemcookie.php the page repeatedly redirects to itself and creates lots of new sessions (20+) until it errors with ERR_TOO_MANY_REDIRECTS (in Chrome).  This could be a red herring and may be something that I have configured incorrectly, but I’m not sure why I’m having these issues with the latest version. Here’s a section of my SSP log if that helps anyone.

Aug 21 13:06:20 simplesamlphp DEBUG [85fc75476x] Loading state: ‘_b1mfo5b1c4a6395c0329347da1730766426b0444v9’
Aug 21 13:06:20 simplesamlphp DEBUG [85fc75476x] Received SAML2 Response from ‘idp’.
Aug 21 13:06:20 simplesamlphp DEBUG [85fc75476x] Has 1 candidate keys for validation.
Aug 21 13:06:20 simplesamlphp DEBUG [85fc75476x] Validation with key #0 failed without exception.
Aug 21 13:06:20 simplesamlphp DEBUG [85fc75476x] Decryption with key #0 succeeded.
Aug 21 13:06:20 simplesamlphp DEBUG [85fc75476x] Has 1 candidate keys for validation.
Aug 21 13:06:20 simplesamlphp DEBUG [85fc75476x] Validation with key #0 succeeded.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp


I have also tried setting up a fresh install of 1.14.7 with the same result, can anyone help please?

Thanks

MJ
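
A log check for the symptom in the post above, added here as an example (it is not code from this thread or from SimpleSAMLphp): it flags a tracking ID that logs the same message many times within one second. The sample lines are constructed from the excerpt above, and the function name and the threshold of 10 are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the excerpt in the post above. The final
# line is cut short in the same way as the last line of that excerpt.
LOOP_LINE = ("Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] "
             "Session: Valid session found with 'default-sp'.")
SAMPLE_LOG = "\n".join(
    [
        "Aug 21 13:06:20 simplesamlphp DEBUG [85fc75476x] Received SAML2 Response from 'idp'.",
        "Aug 21 13:06:20 simplesamlphp DEBUG [85fc75476x] Validation with key #0 succeeded.",
    ]
    + [LOOP_LINE] * 13
    + [LOOP_LINE[:-2]]
)

# Fields: timestamp, program name, level, [tracking ID], message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<level>[A-Z]+) "
    r"\[(?P<track>[0-9a-z]+)\] (?P<msg>.*)$"
)


def find_redirect_loops(log_text, threshold=10):
    """Return sorted (timestamp, tracking_id, message, count) tuples for each
    message one tracking ID logged at least `threshold` times in one second.
    The threshold is an assumed value; tune it to normal traffic."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a SimpleSAMLphp log line in this format
        counts[(m["ts"], m["track"], m["msg"])] += 1
    return sorted(
        (ts, track, msg, n)
        for (ts, track, msg), n in counts.items()
        if n >= threshold
    )


if __name__ == "__main__":
    for ts, track, msg, n in find_redirect_loops(SAMPLE_LOG):
        print(f"{ts} [{track}] repeated {n}x: {msg}")
```

The truncated last line counts as a different message, so the loop is reported with 13 repeats rather than 14.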

oscar...@gmail.com

Aug 21, 2016, 2:49:25 PM
to SimpleSAMLphp
Update.  It looks like the RelayState value is set incorrectly in the initial get request, however it is set correctly with SSP 1.14.0.  I've checked my config and metadata files and they are identical to my working 1.14.0 install. 

I don’t understand why the RelayState value is simplesaml/authmemcookie.phppt.php. Even if the url was correct, simplesaml/authmemcookie.php, I don’t get why it has this value when it should be the protected url, myserver/script/php. I wonder if there is a problem with either authmemcookie or memcached but I’m not sure how to troubleshoot this further. If I request the original protected URL a further 2 times after authenticating (so that’s 3 times in total) I am successfully redirected to the authenticated page on the 3rd try.

Robert Wolf

Aug 22, 2016, 5:07:31 AM
to SimpleSAMLphp

On Sun, 21 Aug 2016, oscar...@gmail.com wrote:

> Update. It looks like the RelayState value is set incorrectly in the
> initial get request, however it is set correctly with SSP 1.14.0. I've
> checked my config and metadata files and they are identical to my working
> 1.14.0 install.

Hello MJ,

I have exactly the same problem with the authmemcookie.php script currently. I
described my problem in a thread; you can find it in the mailing list archive
(https://groups.google.com/forum/#!forum/simplesamlphp):

SimpleSAMLphp 1.14.5+ - The session id is too long or contains illegal characters

In my case the ReturnTo address is generated as the ErrorDocument (the
authmemcookie.php) too, and the web browser makes cyclic redirects to the same
page until it fails with "The page isn’t redirecting properly".

And I have the same log entries:

> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp'.
> Aug 21 14:13:42 simplesamlphp DEBUG [vvf84b17tu] Session: Valid session found with 'default-sp


You can follow my thread. I hope we (Jaime Pérez and me) will find some
solution (but currently I am too busy to search more). Look at my last post in
my thread.


Regards,

Robert Wolf.

oscar...@gmail.com

Aug 22, 2016, 7:31:57 AM
to SimpleSAMLphp, r.wol...@atlas.cz
Hi Robert,

Thanks for your reply. I did read through your post, which prompted my post as I seem to be experiencing similar problems. I hope that a solution can be found.

MJ

Jaime Perez Crespo

Aug 22, 2016, 9:14:02 AM
to simple...@googlegroups.com
Hi!

Would you be so kind to apply the following patch to your current installation and tell me if it fixes the issue for you?

20160822 getSelfURL.diff

Robert Wolf

Aug 22, 2016, 11:57:16 AM
to simple...@googlegroups.com
On Mon, 22 Aug 2016, Jaime Perez Crespo wrote:

> Hi!
>
> Would you be so kind to apply the following patch to your current installation and tell me if it fixes the issue for you?


Hello Jaime,


YES! Great, it works now for me too! :-D Thank you very, very much! :) No error in
the Apache error log.


Will you release a new version soon, or should I patch 1.14.7 myself temporarily
until the new version is released?

Thank you once more.


Regards,

Robert Wolf.

Jaime Perez Crespo

Aug 22, 2016, 12:03:16 PM
to simple...@googlegroups.com
Thanks for the feedback Robert!

Actually, there was a small bug in the patch itself. It’s probably better if you apply the one I’m attaching. In any case, I think I’ll have a new release to include this, so if you want to wait for it...

20160822 getSelfURL.diff

Robert Wolf

Aug 22, 2016, 12:09:09 PM
to simple...@googlegroups.com
On Mon, 22 Aug 2016, Jaime Perez Crespo wrote:

Hello Jaime,

OK, thank you for the updated patch.

I will wait for the new version.

Thank you.

Regards,

Robert Wolf.

Robert Wolf

Aug 22, 2016, 12:49:39 PM
to simple...@googlegroups.com

On Mon, 22 Aug 2016, Jaime Perez Crespo wrote:

> Thanks for the feedback Robert!
>
> Actually, there was a small bug in the patch itself. It’s probably better if you apply the one I’m attaching. In any case, I think I’ll have a new release to include this, so if you want to wait for it...


Hello Jaime,

Just a note, not critical. This second, updated patch contains a part for
tests/lib/SimpleSAML/Utils/HTTPTest.php, but version 1.14.7 does not
contain this file, i.e. the second patch fails with:

can't find file to patch at input line 58
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/tests/lib/SimpleSAML/Utils/HTTPTest.php b/tests/lib/SimpleSAML/Utils/HTTPTest.php
|index b6bfb6b..4fd540c 100644
|--- a/tests/lib/SimpleSAML/Utils/HTTPTest.php
|+++ b/tests/lib/SimpleSAML/Utils/HTTPTest.php
--------------------------


The first patch applies to 1.14.7 without any problem, so for testing I will
use the first patch.

But as I said, this is not critical, just for information, so you don't need to
take care of it if this HTTPTest.php file will be included in the new version :-)


Thank you very much for your support.


Regards,

Robert Wolf.

oscar...@gmail.com

Aug 22, 2016, 4:03:19 PM
to SimpleSAMLphp, r.wol...@atlas.cz
Hi both,

I can confirm the same findings as Robert, the first patch seems to fix the problem which is excellent, however the second patch fails as indicated by Robert.

MJ

Jaime Perez Crespo

Aug 22, 2016, 4:28:39 PM
to simple...@googlegroups.com
Hi both!

That file does not exist in 1.14.X, which is why you are having trouble applying the patch (created for master) on top of 1.14.7. Use this one, with the changes regarding HTTPTest.php removed from it.

20160822 getSelfURL.diff

oscar...@gmail.com

Aug 23, 2016, 12:42:43 AM
to SimpleSAMLphp
Hi Jaime,

This patch applies successfully and appears to work.

Thank you.

MJ