Help with SSO implementation as service provider for web application in PHP


ammu.n...@gmail.com

May 11, 2017, 5:33:07 PM
to SimpleSAMLphp
Hi,
I am a newbie in this, so pardon me if my question is silly.
We support a web application written in PHP and have been asked by one of the companies that use the application to implement SSO. We have installed simpleSAML at our end (I believe we are the service provider) and need to connect it to an existing IDP provider. I have followed the steps to configure the SP (from https://simplesamlphp.org/docs/1.8/simplesamlphp-sp). I have pasted the metadata they provided in metadata/saml20-idp-remote.php. Can someone please advise on how to test at our end and also on how to confirm/guide our client to testing it at their end.

Thanks,
Ammu


Peter Schober

May 11, 2017, 5:53:11 PM
to SimpleSAMLphp
* ammu.n...@gmail.com <ammu.n...@gmail.com> [2017-05-11 23:33]:
> *We support a web application written in PHP and has been asked by one of
> the companies that use the application to implement SSO. We have installed
> simpleSAML at our end (I believe we are the service provider)

Yes, if you provide the service (the application, the protected
resource) you are the Service Provider.

> and need to connect it to an existing IDP provider. I have followed
> the steps to configure the SP (from
> https://simplesamlphp.org/docs/1.8/simplesamlphp-sp)

I sure hope not. Just click on "stable" in the upper right corner of
that page, right above the yellow box with "Warning", telling you that
this is outdated information (and software).

> .. I have pasted the metadata they provided in
> metadata/saml20-idp-remote.php
> Can someone please advise on how to test at our end and also on how
> to confirm/ guide our client to testing it at their end.

I don't understand what you're asking. You follow the steps in that
document. Configure the SP, Enable a certificate, Add an IDP, maybe
set the IDP as default, Exchange Metadata with the IDP, and step 5 is
"Test the SP".

So the advice on how to test is following the documentation you have
in front of you.
-peter

ammu.n...@gmail.com

May 11, 2017, 6:06:16 PM
to SimpleSAMLphp
Hi Peter,
Many thanks for responding. 
Ok, I will refer to the updated doc.

Following step 5, I clicked on the 'SP' link under Test Authentication Sources and it gives me this error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Failure Signing Data: error:0906D06C:PEM routines:PEM_read_bio:no start line - SHA256
Backtrace:
11 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:382 (XMLSecurityKey::signOpenSSL)
10 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:420 (XMLSecurityKey::signData)
9 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:55 (SAML2_HTTPRedirect::getRedirectURL)
8 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPRedirect.php:77 (SAML2_HTTPRedirect::send)
7 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:294 (sspmod_saml_Auth_Source_SP::sendSAML2AuthnRequest)
6 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:278 (sspmod_saml_Auth_Source_SP::startSSO2)
5 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:316 (sspmod_saml_Auth_Source_SP::startSSO)
4 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:390 (sspmod_saml_Auth_Source_SP::authenticate)
3 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/lib/SimpleSAML/Auth/Source.php:193 (SimpleSAML_Auth_Source::initLogin)
2 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:141 (SimpleSAML_Auth_Simple::login)
1 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/modules/core/www/authenticate.php:40 (require)
0 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/www/module.php:137 (N/A)

I am not able to infer anything from this. Can you please advise?

Thanks,
Ammu

Peter Schober

May 11, 2017, 6:54:39 PM
to SimpleSAMLphp
* ammu.n...@gmail.com <ammu.n...@gmail.com> [2017-05-12 00:06]:
> Following step 5, I clicked on the 'SP' link under Test Authentication
> Sources and it gives me this error..
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 0 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/www/module.php:180 (N/A)
> Caused by: Exception: Failure Signing Data: error:0906D06C:PEM routines:PEM_read_bio:no start line - SHA256

Does the SAML 2.0 Metadata for the IDP require signed authentication
requests? <md:IDPSSODescriptor WantAuthnRequestsSigned="true" ...>
(Why else an SP would try "Signing Data".)

Did you create a key pair for your SP, following the steps in section
1.1 of the SP Quickstart? Make sure the user your PHP code runs as can
read both the private key and the certificate.

-peter
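A small diagnostic for the two points Peter raises (the key pair exists and the PHP process can read it, and the files are actually PEM), added here as an example and not part of SimpleSAMLphp or anyone's post. It assumes the cert directory is /var/simplesamlphp/cert and that the authsource uses the 'privatekey' and 'certificate' options with the example file names shown.

```php
<?php
// Added diagnostic (not SimpleSAMLphp code): checks the SP key pair referenced by an
// authsources.php entry. OpenSSL's "PEM_read_bio:no start line" means the file it was
// handed has no "-----BEGIN ...-----" header: missing, unreadable, empty, or not PEM.
$certDir = '/var/simplesamlphp/cert';   // assumed location of SimpleSAMLphp's cert dir
$authsource = [                          // constructed excerpt of an authsources.php entry
    'privatekey'  => 'saml.pem',         // example file names, not from the thread
    'certificate' => 'saml.crt',
];

function checkPemFile(string $path, string $kind): array
{
    if (!is_file($path)) {
        return [false, "$kind: $path does not exist"];
    }
    if (!is_readable($path)) {
        // The user PHP runs as (www-data, apache, php-fpm...) must be able to read it.
        return [false, "$kind: $path is not readable by the PHP process"];
    }
    $pem = file_get_contents($path);
    if ($pem === false || strpos($pem, '-----BEGIN ') === false) {
        // DER/PKCS#12 files, empty files and wrong paths all end here.
        return [false, "$kind: $path has no PEM header (wrong format or empty file)"];
    }
    return [true, "$kind: $path looks like PEM"];
}

foreach (['privatekey' => 'private key', 'certificate' => 'certificate'] as $opt => $kind) {
    [$ok, $msg] = checkPemFile($certDir . '/' . $authsource[$opt], $kind);
    echo ($ok ? 'OK   ' : 'FAIL ') . $msg . PHP_EOL;
}

// Parse both with OpenSSL and confirm the private key belongs to the certificate;
// a mismatched pair would produce AuthnRequest signatures the IdP cannot verify.
$key  = openssl_pkey_get_private('file://' . $certDir . '/' . $authsource['privatekey']);
$cert = openssl_x509_read((string) @file_get_contents($certDir . '/' . $authsource['certificate']));
if ($key === false || $cert === false) {
    echo 'FAIL OpenSSL could not parse key or certificate: ' . openssl_error_string() . PHP_EOL;
} elseif (!openssl_x509_check_private_key($cert, $key)) {
    echo 'FAIL private key does not match the certificate' . PHP_EOL;
} else {
    echo 'OK   private key matches certificate' . PHP_EOL;
}
```

Run it as the same user the web server runs PHP as (for example with sudo -u www-data php check.php), otherwise the readability check tells you nothing about the real failure.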

ammu.n...@gmail.com

May 12, 2017, 1:00:57 AM
to SimpleSAMLphp, peter....@univie.ac.at
Hi Peter,
We have 2 service providers here. I had updated the Entity Id for these in authsources.php with the Entity Id displayed on the Metadata Federation Screen. On the test authentication screen, clicking on both the service providers takes me to the respective pages (does not show the error log I had before), but does not prompt for the username / password. It just shows 'An error occured'. Is there any way I can get more information on this error? Please advise. Screengrabs attached.

Thanks,
Ammu

Jaime Perez Crespo

May 18, 2017, 5:33:22 AM
to simple...@googlegroups.com
Hi Ammu,

On 12 May 2017, at 07:00 AM, ammu.n...@gmail.com wrote:
> Hi Peter,
> We have 2 service providers here. I had updated the Entity Id for these in authsources.php with the Entity Id displayed on the Metadata Federation Screen. On the test authentication screen, clicking on both the service providers takes me to the respective pages (does not show the error log I had before), but does not prompt for the username / password. It just shows 'An error occured'. Is there any way I can get more information on this error? Please advise. Screengrabs attached.

You’ll need to ask those running the services for more information about the errors. There’s nothing we can tell you about them, because the errors themselves are meaningless, and also because we don’t have access to the logs that might have more information. We are not familiar either with ADFS errors.

In any case, if those are service providers, I understand you run the IdP, right? In that case, you don’t just go to the “test authentication” page and have the service providers there, that’s not possible, as what you have there are authentication sources, not services. If you see the services there, then you have misconfigured something.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Ammu Nair

May 21, 2017, 9:00:38 PM
to simple...@googlegroups.com, jaime...@uninett.no, jaime...@protonmail.com
Hi Jaime,
Thanks for responding.
We provide / support the PHP application, so as I understand we are the Service Providers. And as per the docs, we test using the link in the Test Authentication Sources section. Please let me know if that is right. I have attached the screen grabs.
Could you please guide me on this as well. With regards to the credentials to be used to login from the SP end, we use the account credentials that the client (the IDP) creates for us, right? So will it be an account that we create to login to the client's subdomain on the application, or will it be one that the client uses to login to their system? I am confused with this, as the account credentials that the client created are not letting me login and it is now returning an error on the page itself (and is not showing the username, password fields) after multiple incorrect attempts. Did my IP get banned?

Thanks heaps for your help,
Ammu





--
Warm Regards,
Ammu Nair
0490 394 186


ammu.n...@gmail.com

May 22, 2017, 12:20:36 AM
to SimpleSAMLphp

When logging in via the SP authentication link, I am getting the error below.

Can someone please advise what could be wrong?

Thanks,
Ammu