Problem with support for bookmarking login pages

[Dubravko Voncina]

Hi all,

Im testing some new features that were introduced in simpleSAMLphp 1.4.
My testing environment is made of two separate computers, one running
simpleSAMLphp 1.4 as a Service Provider, and another with simpleSAMLphp
1.4 configured as an Identity Provider. Communication between SP and IdP
works fine.

One of the new features I'm interested in is support for bookmarking
login pages. If I understand correctly, when user bookmarks a login
page after being redirected from the SP, next time he selects this
bookmark ih his web browser, after entering username and password he
should be automatically redirected back to the SP.

For some reason this doesn't work for me. I'm still receiving messages like

"Could not find cached version of authentication request with ID
_fea94b0500398fbf578f53e93d19485594091b151a (saml2)..."

I'm not sure that I understand instructions on web page
https://rnd.feide.no/content/simplesamlphp-identity-provider-advanced-topics
so I guess I'm doing something wrong.

Has anyone tried this feature? Any suggestions on how to fix this problem?

Cheers,

Dubravko Voncina
Srce, University Computing Centre
University of Zagreb, Croatia

[Olav Morken]

Are you using the new authentication framework? The code which handles
this is only implemented for the authentication framework which is
based on modules.

--
Olav Morken

[byqsri]

Hi
I get the same above error but not in relation with bookmark of user.
Simple I have a web page where the user can access only if he is
authenticated.

In this page I have a link that redirects to googleapps calendar
Google Apps is configurated like in simplesaml documentation
Many times all works fine but sometimes I get the above error even if
the user is correctly authenticated in my web site.

I try to understand where is the problem but I can't to know
I hope someone can help me about this

On 24 Apr, 08:00, Olav Morken <ola...@stud.ntnu.no> wrote:
> On Thu, Apr 23, 2009 at 23:09:26 +0200, Dubravko Voncina wrote:
>
> > Hi all,
>
> > Im testing some new features that were introduced in simpleSAMLphp 1.4.
> > My testing environment is made of two separate computers, one running
> > simpleSAMLphp 1.4 as a Service Provider, and another with simpleSAMLphp
> > 1.4 configured as an Identity Provider. Communication between SP and IdP
> > works fine.
>
> > One of the new features I'm interested in is support for bookmarking
> > login pages. If I understand correctly,  when user bookmarks a login
> > page after being redirected from the SP, next time he selects this
> > bookmark ih his web browser, after entering username and password he
> > should be automatically redirected back to the SP.
>
> > For some reason this doesn't work for me. I'm still receiving messages like
>

> > "Couldnotfindcachedversionof authentication request with ID
> > _fea94b0500398fbf578f53e93d19485594091b151a (saml2)..."
>
> > I'mnotsure that I understand instructions on web page
> >https://rnd.feide.no/content/simplesamlphp-identity-provider-advanced...

[byqsri]

I found when the error happens exactly:
1)I click on link from my webpage to GoogleApps and I enter in my
GoogleApps (another tab) and it works fine
2)I logout from GoogleApps and try to login by reclicking the link on
my page and I get the error.

I don't know the phases of SSO authentication so I would know what's
happen when I logout from GoogleApps?

[Joakim Recht]

byqsri wrote:
> I found when the error happens exactly:
> 1)I click on link from my webpage to GoogleApps and I enter in my
> GoogleApps (another tab) and it works fine
> 2)I logout from GoogleApps and try to login by reclicking the link on
> my page and I get the error.
>
> I don't know the phases of SSO authentication so I would know what's
> happen when I logout from GoogleApps?

Hi

You should probably note that bookmarking works with SSP only because
the relayState parameter contains a complete url, whereas some
implementations store an opaque id, which is only valid for a limited
timespan. In other words: the bookmarking feature is proprietary for
SSP, and you shouldn't expect it just to work in all applications.

Regards,
--
Joakim Recht

Trifork A/S, Margrethepladsen 4, 8000 Aarhus C, Denmark
Phone: +45 8732 8787 / Mobile: +45 2021 6257
http://www.trifork.com - E-mail: j...@trifork.com

[byqsri]

Sorry but my problem is not about bookmarking
I think that is looks like a problem with your proxy/caching server.
If I pass you the headers you can help me?

[Bhargav Khatana/NYLIC]

Hello All,

I have setup SimpleSamlPHP as IDP, but can any one help me out in, how exactly I can set it up for IDP initiated SSO or what things I need to do to assert SAML to SP without any request from SP.

Thanks in advance for your help and support.

Thanks and Regards,
Bhargav Khatana

[Dubravko Voncina]

Finally, I created a simpleSAMLphp module that uses our AAI for user
authentication and attribute retrieval (it took me some time, I'm not a
very bright person...) so mow I'm using a new authentication framework,
but now I have a different problem.

When I bookmark a login page after being redirected from SP and then
select this bookmark in my web browser, after successful authentication
I am redirected to my SP but I receive an error message:

"No RelayState
The initiator of this request did not provide a RelayState parameter
indicating where to go next."

As I already mentioned, I'm simply using two instances of simpleSAMLphp
1.4, one configured as a Service Provider and another configured as an
Identity Provider.
If instead of bookmarking a login page I simply enter SP address in my
web browser, SSO authentication works fine.

I can't find what am I doing wrong and I'm getting a bit desperate so
any suggestions how to solve this would be more than welcome...

Best Regards,

Dubravko

[Solberg Andreas Åkre]

On 1. juli2009, at 04:26, Dubravko Voncina wrote:

"No RelayState
The initiator of this request did not provide a RelayState parameter
indicating where to go next."

As I already mentioned, I'm simply using two instances of simpleSAMLphp
1.4, one configured as a Service Provider and another configured as an
Identity Provider.
If instead of bookmarking a login page I simply enter SP address in my
web browser, SSO authentication works fine.

I can't find what am I doing wrong and I'm getting a bit desperate so
any suggestions how to solve this would be more than welcome...

Hi,

in the document 'SimpleSAMLphp Identity Provider Advanced Topics' available here:

https://rnd.feide.no/content/simplesamlphp-identity-provider-advanced-topics

there is a section: 'IdP-first flow'.

When the IdP-first flow is used an extra parameter is needed in the saml20-sp-hosted metadata. This is the RelayState parameter that tells the SP which URL to redirect the user to after the user is successfully authenticated. This typically is the frontpage of your application. An example of this can be:

'RelayState' => '/',

So my guess is that you lack this parameter in your saml20-sp-hosted metadata at the SP.

Andreas

[Solberg Andreas Åkre]

On 2. juli2009, at 07:38, Solberg Andreas Åkre wrote:

in the document 'SimpleSAMLphp Identity Provider Advanced Topics' available here:

https://rnd.feide.no/content/simplesamlphp-identity-provider-advanced-topics

there is a section: 'IdP-first flow'.

I now added a new section in the same document with the header: 'Support for bookmarking the login page'.

https://rnd.feide.no/content/simplesamlphp-identity-provider-advanced-topics

Hope this makes it more clear how the feature is working.

Kind regards,

Andreas.

[Dubravko Voncina]

Thank you, it works!
I knew that solution should be simple, I was just too nervous to read
the instructions carefully :(
And actually, for some reason I was convinced that support for
bookmarking the login page is implemented within simpleSAMLphp IdP
configuration, and not the SP configuration.
Please correct me if I'm wrong, but if support for bookmarking login
page is implemented within SP configuration by setting RelayState
parameter, doesn't this mean that problem will be solved only for those
applications that use properly configured simpleSAMLphp 1.4, but it will
remain for those service providers that use earlier versions of
simpleSAMLphp and service providers that don't use simpleSAMLphp (for
example Google Apps or applications that use Shibboleth)?

Regards,

Dubravko

[Solberg Andreas Åkre]

On 3. juli2009, at 21:48, Dubravko Voncina wrote:

> And actually, for some reason I was convinced that support for
> bookmarking the login page is implemented within simpleSAMLphp IdP
> configuration, and not the SP configuration.
> Please correct me if I'm wrong, but if support for bookmarking login
> page is implemented within SP configuration by setting RelayState
> parameter, doesn't this mean that problem will be solved only for
> those
> applications that use properly configured simpleSAMLphp 1.4, but it
> will
> remain for those service providers that use earlier versions of
> simpleSAMLphp and service providers that don't use simpleSAMLphp (for
> example Google Apps or applications that use Shibboleth)?

It depends on whether or not the SP application has a fallback
mechanisms to handle unsolicited responses without relaystate. If they
do not handle it, they probably give you an error screen.

SimpleSAMLphp handles it, but only if you tell it what URL to use
instead, if relay state is not provided in the response. Like in
example on a wiki, you login at a specific wikipage, and then if the
wiki gets an unsolicited response, the SP needs to be configured one
particular page to go to, most likely the front-page.

Andreas