<?php
// Load the SimpleSAMLphp autoloader and use the 'default-sp' auth source.
require_once('simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp');
// Redirects to the IdP if the user is not authenticated yet.
$as->requireAuth();
// The NameID returned by the IdP; 'Value' holds the identifier itself.
$attributes = $as->getAuthData('saml:sp:NameID');
$userEmail = $attributes['Value'];
Whether you start at index.php or superSecretFunction.php, after authorizing you at the IdP, the browser will return to index.php.

Not at all, don’t worry ;-)
I’m not sure I understand correctly, but anyway: the SAMLRequest is just a parameter of the request, just as the RelayState. Whether it is part of the URL or sent as a POST parameter depends on the binding in use. That’s determined in the IdP metadata, and SimpleSAMLphp will automatically do whatever the IdP metadata says. In any case, sending a SAMLRequest in the URL is the normal and even recommended behaviour. I seriously doubt that’s a problem for the Ping IdP.
A different way to interpret your statement would be that they complain about the SAMLRequest being part of the URL in the RelayState, but that makes no sense at all, and it’s definitely not the case. So I’m not sure what they are complaining about here...
Use the "SAML Tracer" Firefox extension. You will see all the SAML messages and request parameters. If they are sending the RelayState back, it will be there. As Peter said, as a parameter, *not* inside the SAMLResponse XML document.
I would also recommend you start looking at your logs. The information there should be helpful to debug your issue. By the way, you said:
> However, if I set a RelayState value in authsources.php, it will go to the url specified there, but I still don't see that value in the SAMLResponse.
Does that mean that if you set the RelayState manually in config/authsources.php, then it works and you are getting back to the right page?
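The return-to-the-right-page problem discussed above can be handled on the SP side by passing the requested page as ReturnTo, which SimpleSAMLphp carries in the RelayState; the snippet below is an added example, not code from the thread or from SimpleSAMLphp, and it assumes the same 'default-sp' auth source and a hostname you substitute for the placeholder. Because the IdP echoes RelayState back and the browser can tamper with it, the target is restricted to a path on your own host before it is used.

```php
<?php
// Added example: preserve the originally requested page across the IdP
// round trip, while only ever returning to a path on this SP's own host.
require_once('simplesamlphp/lib/_autoload.php');

// Assumption: the public hostname of this SP. Hard-code it rather than
// trusting the Host header, which the client controls.
$spHost = 'sp.example.org'; // placeholder, replace with your SP hostname

/**
 * Build an absolute ReturnTo URL for the current request, restricted to
 * a site-relative path. Anything else (absolute URL, "//host", CR/LF)
 * falls back to index.php so RelayState cannot be turned into an open
 * redirect.
 */
function safeReturnTo($requestedPath, $host, $https)
{
    $ok = is_string($requestedPath)
        && $requestedPath !== ''
        && $requestedPath[0] === '/'
        && substr($requestedPath, 0, 2) !== '//'
        && !preg_match('/[\r\n]/', $requestedPath);
    if (!$ok) {
        $requestedPath = '/index.php';
    }
    $scheme = $https ? 'https' : 'http';
    return $scheme . '://' . $host . $requestedPath;
}

$isHttps  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$returnTo = safeReturnTo(
    isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/',
    $spHost,
    $isHttps
);

$as = new SimpleSAML_Auth_Simple('default-sp');
// ReturnTo is sent to the IdP inside RelayState; a conforming IdP must
// hand it back verbatim, and SimpleSAMLphp then redirects there.
$as->requireAuth(array('ReturnTo' => $returnTo));

$nameId    = $as->getAuthData('saml:sp:NameID');
$userEmail = $nameId['Value'];
```

SimpleSAMLphp additionally checks ReturnTo against its own trusted-domain configuration, so the hostname used here should match what the SP installation is configured to trust.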
> I am writing an application that is relying on the PingFederate
> server (an IdP, correct) to authenticate the desktop user and send
> their identity back to the ACS on SSP. Doesn't that make my
> application a SP? Doesn't that mean it is SP initiated?
Correct on all accounts. The real issue is this: If your SP sends a
*SAML* authentication request to the IDP, and the IDP processes that
and sends back a SAML Response, they're acting as a SAML IDP. And that
means they MUST also send back the RelayState they're given *verbatim*.
So the literal reply to them is (in their own words, those make sense
to anyone else) is your "SSO Profile is SP-initiated". Having to ask
you that is a bit silly, of course, since their IDP received a SAML
request and sent a SAML response, only one that's missing a mandatory
parameter.
So, my IdP owner agreed to switch the profile to SP-initiated SSO, however now the IdP is making the following complaint:

javax.servlet.ServletException: org.sourceid.saml20.bindings.BindingException: Incoming binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect is not enabled for (SP) ::: JonAugustEntityID

She says we agreed to HTTP Post, not HTTP-Redirect. Is there a way to tell simplesamlphp to not use HTTP-Redirect? Again, I'm not sure what this means since it seems like there is a lot of Redirecting going on.

Thanks for the help, Peter and Jaime.