Recent(?) API changes in SimpleSAMLphp


Harold Aling

Nov 24, 2010, 5:35:14 AM
to Drupal SimpleSAMLphp integration
Dear Group,

I'm trying to integrate SimpleSAMLphp authentication in Drupal 6 using
the simplesamlphp_auth module, but it now seems that
simplesamlphp_auth is based on an old and deprecated API of
SimpleSAMLphp.

I then tried to update the module using this guide
http://simplesamlphp.org/docs/1.6/simplesamlphp-sp-migration but I
only got as far as this error: "State information lost, and no way to
restart the request."

Has anybody ported the module to the new API, or should I consider
using an older version of SimpleSAMLphp?


Thanks in advance!


Harold

Steve Moitozo II

Nov 24, 2010, 9:18:22 AM
to drupalsi...@googlegroups.com
I corrected those issues but a new release hasn't been rolled out yet.
Grab the code from the SVN trunk at:
<http://code.google.com/p/drupalsimplesaml/source/browse/#svn/trunk/simplesamlphp_auth>

Let me know if you have any other issues and I'll get them sorted.

-S2
--
Wisdom is shown in the selection of the best possible ends and of the
fittest means of accomplishing them. --A.W. Pink

Steve Moitozo II
Network Engineer
JAARS Global IT Engineering: Network Systems
+1 (704) 843-6602

Harold Aling

Nov 24, 2010, 9:53:02 AM
to drupalsi...@googlegroups.com
Steve,

I got the same error using the latest SVN version: "State information
lost, and no way to restart the request." I guess it looks like the
session handler conflicts with the Drupal session handler so that the
state gets lost when redirecting to the external Identity Provider...

I was looking at replacing the simplesaml session handler with a
Drupal bootstrap to make sure they both use the same session storage.


Harold


Harold Aling

Nov 24, 2010, 10:50:43 AM
to drupalsi...@googlegroups.com
Here's the full debug log:

Nov 24 16:41:45 neumann simplesamlphp[28627]: 7 [232407f17d] Library -
Session: Check if session is valid. checkauthority:default-sp
thisauthority:null isauthenticated:no remainingtime:-1290584505
Nov 24 16:41:45 neumann simplesamlphp[28627]: last message repeated 3 times
Nov 24 16:41:45 neumann simplesamlphp[28627]: 7 [232407f17d] Saved
state: '_d0f14a21d492bf7a9b501d676a5730edbacb27c674'
Nov 24 16:41:45 neumann simplesamlphp[28627]: 7 [232407f17d] Sending
SAML 2 AuthnRequest to 'wayf-test.surfnet.nl'
Nov 24 16:41:46 neumann simplesamlphp[28627]: 7 [b8e2ae94f9] Loading
state: '_d0f14a21d492bf7a9b501d676a5730edbacb27c674'
Nov 24 16:41:46 neumann simplesamlphp[28627]: 3 [b8e2ae94f9]
/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp - UserError:
ErrCode:UNHANDLEDEXCEPTION:
State+information+lost%2C+and+no+way+to+restart+the+request.
Nov 24 16:41:46 neumann simplesamlphp[28627]: 3 [b8e2ae94f9]
Exception: Exception
Nov 24 16:41:46 neumann simplesamlphp[28627]: 3 [b8e2ae94f9] Backtrace:
Nov 24 16:41:46 neumann simplesamlphp[28627]: 3 [b8e2ae94f9] 0:
/var/www/drupal/sites/all/libraries/simplesamlphp/lib/SimpleSAML/Auth/State.php:158
(SimpleSAML_Auth_State::loadState)
Nov 24 16:41:46 neumann simplesamlphp[28627]: 3 [b8e2ae94f9] 1:
/var/www/drupal/sites/all/libraries/simplesamlphp/modules/saml/www/sp/saml2-acs.php:24
(require)
Nov 24 16:41:46 neumann simplesamlphp[28627]: 3 [b8e2ae94f9] 2:
/var/www/drupal/sites/all/libraries/simplesamlphp/www/module.php:135
(N/A)
Nov 24 16:41:46 neumann simplesamlphp[28627]: 3 [b8e2ae94f9]
Nov 24 16:41:46 neumann simplesamlphp[28627]: 3 [b8e2ae94f9] Error
report with id 8ea00361 generated.
Nov 24 16:41:46 neumann simplesamlphp[28627]: 7 [b8e2ae94f9] Template:
Reading [/var/www/drupal/sites/all/libraries/simplesamlphp/dictionaries/errors]


Note the changing id: 232407f17d vs b8e2ae94f9.


Harold
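
Added example, not part of the original thread: a small Python check for the symptom Harold points out, where a state is saved under one bracketed tracking ID and loaded under another, meaning the response arrived in a different SimpleSAMLphp session. The function name and the constructed sample lines are assumptions; the first three sample lines are taken from the log above with the e-mail line wrapping removed.

```python
import re

# Line shape seen in the thread (after unwrapping the e-mail line breaks):
#   <date> <host> simplesamlphp[<pid>]: <level> [<tracking id>] <message>
LINE_RE = re.compile(r"simplesamlphp\[\d+\]: \d \[(?P<track>[0-9a-f]+)\] (?P<msg>.*)$")
STATE_RE = re.compile(r"^(?P<op>Saved|Loading) state: '(?P<state>[^']+)'")


def find_lost_state(lines):
    """Return (state_id, track_at_save, track_at_load) for every state that was
    loaded under a different tracking ID than the one it was saved under.
    track_at_save is None when the save is not in the supplied lines."""
    saved = {}
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "last message repeated 3 times"
        s = STATE_RE.match(m.group("msg"))
        if not s:
            continue  # not a state save/load message
        state, track = s.group("state"), m.group("track")
        if s.group("op") == "Saved":
            saved[state] = track
        elif saved.get(state) != track:
            findings.append((state, saved.get(state), track))
    return findings


SAMPLE = [
    # From the log in the post above, unwrapped.
    "Nov 24 16:41:45 neumann simplesamlphp[28627]: 7 [232407f17d] Saved state: '_d0f14a21d492bf7a9b501d676a5730edbacb27c674'",
    "Nov 24 16:41:45 neumann simplesamlphp[28627]: last message repeated 3 times",
    "Nov 24 16:41:46 neumann simplesamlphp[28627]: 7 [b8e2ae94f9] Loading state: '_d0f14a21d492bf7a9b501d676a5730edbacb27c674'",
    # Constructed: a healthy round trip, same tracking ID on save and load.
    "Nov 24 17:10:00 neumann simplesamlphp[100]: 7 [aaaaaaaaaa] Saved state: '_constructed01'",
    "Nov 24 17:10:02 neumann simplesamlphp[100]: 7 [aaaaaaaaaa] Loading state: '_constructed01'",
    # Constructed: a load whose save is outside the captured window.
    "Nov 24 17:11:00 neumann simplesamlphp[100]: 7 [bbbbbbbbbb] Loading state: '_constructed02'",
]

if __name__ == "__main__":
    for state, before, after in find_lost_state(SAMPLE):
        print(f"{state}: saved under [{before}], loaded under [{after}]")
```
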

Steve Moitozo II

Nov 24, 2010, 11:00:30 AM
to drupalsi...@googlegroups.com
On 11/24/2010 09:53 AM, Harold Aling wrote:
> State information
> lost, and no way to restart the request.

What do your logs say?

Is the authentication request being sent from the same domain
as the AssertionConsumerService you have registered on the IdP?

Harold Aling

Nov 24, 2010, 11:08:49 AM
to drupalsi...@googlegroups.com
On Wed, Nov 24, 2010 at 17:00, Steve Moitozo II <steve_...@jaars.org> wrote:
> On 11/24/2010 09:53 AM, Harold Aling wrote:
>>
>> State information
>> lost, and no way to restart the request.
>
> What do your logs say?

I posted the debug log in the last email I sent to this list:
http://groups.google.com/group/drupalsimplesaml/msg/894306eef1b5f772?hl=en\e3ef461430a9dd

> Is the authentication request being sent from the same domain
> as the AssertionConsumerService you have registered on the IdP?

Well, the "Test authentication sources" in the simplesaml utils works just fine:

Nov 24 17:04:27 neumann simplesamlphp[23374]: 7 [b8e2ae94f9] Library -
Session: Check if session is valid. checkauthority:admin
thisauthority:default-sp isauthenticated:yes remainingtime:26791
Nov 24 17:04:27 neumann simplesamlphp[23374]: 7 [b8e2ae94f9] Library -
Session: Check if session is valid. checkauthority:login-admin
thisauthority:default-sp isauthenticated:yes remainingtime:26791

-H-

Steve Moitozo II

Nov 24, 2010, 11:12:00 AM
to drupalsi...@googlegroups.com
I wonder if you're using a secure cookie for your SP but your Drupal site
isn't running over SSL.

Harold Aling

Nov 24, 2010, 12:19:58 PM
to drupalsi...@googlegroups.com
On Wed, Nov 24, 2010 at 17:12, Steve Moitozo II <steve_...@jaars.org> wrote:
> I wonder if you're using a secure cookie for your SP but your Drupal site
> isn't running over SSL.

The Drupal site is running at the same https:// host as the simplesaml
library is.

https://<hostname>.domain.nl/ <- Drupal frontpage
https://<hostname>.domain.nl/simplesaml <- alias to
/var/www/drupal/sites/all/libraries/simplesamlphp/www

<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
ServerName <hostname>.domain.nl
DocumentRoot /var/www/drupal
Alias /simplesaml /var/www/drupal/sites/all/libraries/simplesamlphp/www
</VirtualHost>

I also tried this in Drupal's settings.php:
ini_set('session.cookie_secure', 1); (both 0 and 1)

-H-

Steve Moitozo II

Nov 24, 2010, 1:45:35 PM
to drupalsi...@googlegroups.com
Thanks for the detail.

Just to be thorough, is your Drupal site configured to use your
default-sp? (The one you tested through SSP's "Test authentication
sources" util.)

Is there anything special about your Drupal install (i.e., alternative
session handling, renaming of the session cookie, etc.)? If the session
variable name is different between SSP and Drupal that would be a problem.

Are you using fully qualified hostnames everywhere (e.g., Drupal,
SimpleSAMLphp metadata, etc)? If you start at http://<hostname>/ or
https://<hostname>/ and are delivered to https://<hostname>.domain.nl/
this could cause a problem.

Harold Aling

Nov 25, 2010, 5:00:35 AM
to drupalsi...@googlegroups.com
On Wed, Nov 24, 2010 at 19:45, Steve Moitozo II <steve_...@jaars.org> wrote:
> Just to be thorough, is your Drupal site configured to use your default-sp?
> (The one you tested through SSP's "Test authentication sources" util.)

As far as I know it is. What config options should I double check?
'default-sp' is the only configured source in authsources.php.

> Is there anything special about your Drupal install (i.e., alternative
> session handling, renaming of the session cookie, etc.)? If the session
> variable name is different between SSP and Drupal that would be a problem.

To be absolutely sure there's nothing non-default in my Drupal
installation I just installed a fresh copy of Drupal 6.19, with
exactly the same error: "State information lost, and no way to restart
the request."

> Are you using fully qualified hostnames everywhere (e.g., Drupal,
> SimpleSAMLphp metadata, etc)? If you start at http://<hostname>/ or
> https://<hostname>/ and are delivered to https://<hostname>.domain.nl/ this
> could cause a problem.

There are no redirecting rewrite rules set. The http:// virtual host
doesn't even exist, so all data must come from https:// or give a 404
(which I don't receive). I also tried disabling clean urls but
https://<hostname>.domain.nl/?q=saml_login still gives the error
above.

I even set up a X11 session to my server at home and accessed my work
PC from there to make sure no /etc/hosts file sets my host to
localhost. Same error.

Drupal 6.19
simplesamlphp 1.6.2
simplesamlphp_auth module: SVN r15
Ubuntu 10.10
PHP Version 5.2.10-2ubuntu6
Apache/2.2.16 (Ubuntu)


-H-

Harold Aling

Nov 25, 2010, 8:40:35 AM
to drupalsi...@googlegroups.com
On Thu, Nov 25, 2010 at 11:00, Harold Aling <har...@sait.nl> wrote:
> Drupal 6.19
> simplesamlphp 1.6.2
> simplesamlphp_auth module: SVN r15
> Ubuntu 10.10
> PHP Version 5.2.10-2ubuntu6
> Apache/2.2.16 (Ubuntu)

I've replaced the constructor in SimpleSAML_SessionHandlerPHP
(lib/SimpleSAML/SessionHandlerPHP.php) with the Drupal bootstrap:

$path = getcwd();
chdir('/var/www/ssl');
require_once 'includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);
chdir($path);
return;

...to no avail... :(


The debug log: (same as last time: changing id's)

Nov 25 14:29:14 neumann simplesamlphp[2111]: 7 [decd6b253c] Library -
Session: Check if session is valid. checkauthority:default-sp
thisauthority:null isauthenticated:no remainingtime:-1290662954
Nov 25 14:29:14 neumann simplesamlphp[2111]: last message repeated 2 times
Nov 25 14:29:14 neumann simplesamlphp[2111]: 7 [decd6b253c] Saved
state: '_105d9a15a4ae217f8c79b9808a1ab91e0203df52e4'
Nov 25 14:29:14 neumann simplesamlphp[2111]: 7 [decd6b253c] Sending
SAML 2 AuthnRequest to 'wayf-test.surfnet.nl'
Nov 25 14:29:28 neumann simplesamlphp[2111]: 7 [9bf50c63e8] Loading
state: '_105d9a15a4ae217f8c79b9808a1ab91e0203df52e4'
Nov 25 14:29:28 neumann simplesamlphp[2111]: 3 [9bf50c63e8]
/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp - UserError:
ErrCode:UNHANDLEDEXCEPTION:
State+information+lost%2C+and+no+way+to+restart+the+request.
Nov 25 14:29:28 neumann simplesamlphp[2111]: 3 [9bf50c63e8] Exception: Exception
Nov 25 14:29:28 neumann simplesamlphp[2111]: 3 [9bf50c63e8] Backtrace:
Nov 25 14:29:28 neumann simplesamlphp[2111]: 3 [9bf50c63e8] 0:
/var/www/ssl/sites/all/libraries/simplesamlphp/lib/SimpleSAML/Auth/State.php:158
(SimpleSAML_Auth_State::loadState)
Nov 25 14:29:28 neumann simplesamlphp[2111]: 3 [9bf50c63e8] 1:
/var/www/ssl/sites/all/libraries/simplesamlphp/modules/saml/www/sp/saml2-acs.php:24
(require)
Nov 25 14:29:28 neumann simplesamlphp[2111]: 3 [9bf50c63e8] 2:
/var/www/ssl/sites/all/libraries/simplesamlphp/www/module.php:135
(N/A)
Nov 25 14:29:28 neumann simplesamlphp[2111]: 3 [9bf50c63e8]
Nov 25 14:29:28 neumann simplesamlphp[2111]: 3 [9bf50c63e8] Error
report with id ca4ac135 generated.
Nov 25 14:29:28 neumann simplesamlphp[2111]: 7 [9bf50c63e8] Template:
Reading [/var/www/ssl/sites/all/libraries/simplesamlphp/dictionaries/errors]


Any other suggestions I might try?


-H-

Andreas Åkre Solberg

Nov 25, 2010, 8:47:00 AM
to drupalsi...@googlegroups.com

On 25. nov.2010, at 14:40, Harold Aling wrote:

>
> I've replaced the constructor in SimpleSAML_SessionHandlerPHP
> (lib/SimpleSAML/SessionHandlerPHP.php) with the Drupal bootstrap:

Tried to use the memcache session handler of simpleSAMLphp?

Andreas

Snorre Løvås

Nov 25, 2010, 8:51:18 AM
to drupalsi...@googlegroups.com
>
> Any other suggestions I might try?

Just read this thread now.

I think there has always been a conflict between the session handling
in Drupal and SimpleSAMLphp. The only way I've gotten it to work is by
using memcached on the server and the option to use memcache as
session handler in SimpleSAMLphp...

regards,
Snorre

Harold Aling

Nov 25, 2010, 9:02:22 AM
to drupalsi...@googlegroups.com

Snorre and Andreas,

The SAML authentication is to be added to an existing and quite large
project which is hosted on third-party servers. We unfortunately can't
switch to memcache easily.

What about writing another SimpleSAMLphp session handler
(SessionHandlerDrupal.php) that queries the Drupal database for
session data? Any objections on that approach?


-H-

Andreas Åkre Solberg

Nov 25, 2010, 9:06:32 AM
to drupalsi...@googlegroups.com

On 25. nov.2010, at 15:02, Harold Aling wrote:

> Snorre and Andreas,
>
> The SAML authentication is to be added to an existing and quite large
> project which is hosted on third-party servers. We unfortunately can't
> switch to memcache easily.
>
> What about writing another SimpleSAMLphp session handler
> (SessionHandlerDrupal.php) that queries the Drupal database for
> session data? Any objections on that approach?

There are also some alternatives to memcache, like SQLite for session storage in the upcoming 1.7 version of simplesamlphp (or trunk).

Ask on the simplesamlphp list for more details on alternative session storages...

Andreas

Snorre Løvås

Nov 25, 2010, 9:20:46 AM
to drupalsi...@googlegroups.com
2010/11/25 Andreas Åkre Solberg <andreas...@uninett.no>:

>> What about writing another SimpleSAMLphp session handler
>> (SessionHandlerDrupal.php) that queries the Drupal database for
>> session data? Any objections on that approach?
>
> There are also some alternatives to memcache, like SQLite for session storage in the upcoming 1.7 version of simplesamlphp (or trunk).

If there isn't any added bonus in merging the session handling with
the one in Drupal I think I'd look into the other handlers in
SimpleSAMLphp first before adding a new handler. But if none of them
work I don't have any objections as long as it doesn't alter code in
the Drupal core. :)


On a side note: This module probably should get some more new and
active maintainers. I guess neither Andreas nor I work with Drupal on
a daily basis anymore. :-/


regards,
Snorre

totten

Nov 25, 2010, 2:45:51 PM
to Drupal SimpleSAMLphp integration
On Nov 25, 9:02 am, Harold Aling <har...@sait.nl> wrote:
> The SAML authentication is to be added to an existing and quite large
> project which is hosted on third-party servers. We unfortunately can't
> switch to memcache easily.
>
> What about writing another SimpleSAMLphp session handler
> (SessionHandlerDrupal.php) that queries the Drupal database for
> session data? Any objections on that approach?

My project was in a similar situation a while ago in that our memcache was
unsuitable for our security posture, so I implemented a Drupal session
handler. I don't know how well it would work with the latest releases,
but you can get the patch in the mailing-list archives [URL-1].
Specifically, I took the approach of copying/tweaking SimpleSAMLphp's
support for PHP SESSION in a way that worked with Drupal's session-
handler.

A few issues that had to be addressed at the time:

1. There were two shutdown functions[URL-2] which wanted to manipulate
$_SESSION. The functions didn't know about each other or play well, so
a work-around was required. Details and the workaround are described
in the patch.

2. Several requests in the SSO redirect sequence would involve .php
files that are owned by SimpleSAMLphp. For these requests, it was
necessary to restore the Drupal session in the same way that Drupal
does (i.e. call drupal_bootstrap with $PWD set to the Drupal root).

3. The Drupal and SimpleSAMLphp logout processes needed to cooperate
carefully. For example, if you allowed someone to logout of the Drupal
site using Drupal's built-in logout, then Drupal would destroy the
session (including all SimpleSAMLphp state). This could interfere with
subsequent logouts through the IdP/SLO. I side-stepped that by (a)
ensuring that all logouts use SLO and (b) tweaking SLO to work with
Drupal sessions.

Anyway, if you do pursue this approach, I hope my patch or comments
help.

[URL-1] http://groups.google.com/group/drupalsimplesaml/browse_thread/thread/55b669c2b53f1b27?hl=en

[URL-2] http://php.net/manual/en/function.register-shutdown-function.php