SAML on Subdomain


Youri van den Bogert

Feb 14, 2014, 9:29:27 AM
to simple...@googlegroups.com
Hi,

Current setup:
saml.domain1.ext (realpath: /var/simplesamlphp/www)
test.domain2.ext (realpath: /usr/share/nginx/html/vhosts/test.domain.ext)

test.domain.ext/test.php contains the following:
<?php
// Test script on test.domain.ext; the SimpleSAMLphp library is mounted from saml.domain1.ext via NFS
require_once('/nfs/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp');

// Use the $as object created above (the original referenced an undefined $auth)
if ($as->isAuthenticated() == FALSE) {
    // Not logged in: start the SAML flow and return to this page afterwards
    $as->requireAuth(array('ReturnTo' => "http://test.domain.ext/test.php"));
} else {
    $attributes = $as->getAttributes();
    print_r($attributes);
}

Note: the /nfs/simplesamlphp is the directory on saml.domain1.ext!

Problem:
When the user is not authenticated, test.php sends a redirection to the saml subdomain; when I select the identity provider (for example: Feide OpenId) and 'select/submit' it, the page is redirected to the same page.

Is this a configuration mistake, or am I misunderstanding something?

Peter Schober

Feb 14, 2014, 10:21:27 AM
to simple...@googlegroups.com
* Youri van den Bogert <yvdb...@archixl.nl> [2014-02-14 15:58]:
> When the user is not authenticated, the test.php sends a redirection to the
> saml-subdomain, when I select the identity provider (for example: Feide
> OpenId) and 'select/submit' it, the page is being redirect to the same
> page.
>
> Is this a configuration mistake, or am I misunderstanding something?

From what you wrote it seems you're sharing the SimpleSAMLphp instance
configured as your IDP with another host where you expect it to
(magically?) act as an SP? If so I think that cannot work.

Others may have suggestions on reusing a single software install
across other machines but I've never done this. At the very least
they'd all need their own configuration directory.
If in doubt, follow the documentation and give each IDP and each SP
its own copy of the software (and configuration).
-peter

Youri van den Bogert

Feb 16, 2014, 1:45:51 PM
to simple...@googlegroups.com, peter....@univie.ac.at
I'm just trying to use the SSO outside the saml.domain.c..

On Friday, 14 February 2014 16:21:27 UTC+1, Peter Schober wrote:

Peter Schober

Feb 16, 2014, 5:31:51 PM
to simple...@googlegroups.com
* Youri van den Bogert <yvdb...@archixl.nl> [2014-02-16 19:45]:
> I'm just trying to use the SSO outside the saml.domain.c..

Not sure whether this was meant to provide further information?
-peter

Youri van den Bogert

Feb 19, 2014, 4:13:19 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Configuration setup:
Server 1 (saml.domain.ext):
Running SimpleSAMLphp as an SP (working directory /var/simplesamlphp)
Authsources: 
$config = array(
  'default-sp' => array(
     'saml:SP',
     'idp' => 'https://openidp.feide.no',
  ),
);

Server 2:
Simple test script
/var/simplesamlphp (is a NFS of Server 1/var/simplesamlphp)
Test script:
<?php
require_once('/home/youri/sharedsaml/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('default-sp');
if ($as->isAuthenticated() == false) {
   // Not logged in yet: start the SAML flow and come back to this page afterwards
   $as->requireAuth(array(
      'ReturnTo' => 'http://server2.domain.ext/test.php'
   ));
}
print_r($as->getAttributes());

Problem (seen from saml.domain.ext/module.php/saml/sp/saml2-acs.php/default-sp)

SimpleSAML_Error_NoState: NOSTATE
Backtrace:
2 /var/simplesamlphp/lib/SimpleSAML/Auth/State.php:232 (SimpleSAML_Auth_State::loadState)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:54 (require) 
0 /var/simplesamlphp/www/module.php:135 (N/A) 

I thought this was a cookie issue, so I changed the cookie domain to .domain.ext. But that didn't solve the issue. My next guess is that it has something to do with sessions (since I use separate servers..)

On Sunday, 16 February 2014 23:31:51 UTC+1, Peter Schober wrote:
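Following Peter's point that each SP needs its own software copy and configuration directory, and the NOSTATE trace above, here is an added example (not code from the thread, from the posters, or from the SimpleSAMLphp project) of the relevant parts of a standalone `config/config.php` for a separate SP install on server 2. The hostname `server2.domain.ext`, the `/simplesaml/` base path and the placeholder secrets are assumptions. The security-relevant idea it illustrates: the authentication state that `requireAuth()` saves before redirecting to the IdP is looked up again by the assertion consumer service (`saml2-acs.php`), so the ACS must run on the host that owns that session store. Setting `baseurlpath` to server 2 keeps the whole round trip on one host, instead of the ACS on saml.domain.ext searching a session it never created.

```php
<?php
// config/config.php on server2.domain.ext (added example; paths, hostnames and
// secrets are assumptions). Server 2 gets its own SimpleSAMLphp copy and its own
// config directory instead of reusing the NFS share from server 1.
$config = array(
    // The SP metadata (and therefore the ACS URL the IdP posts the assertion to)
    // is derived from this, so the assertion comes back to the host that stored
    // the pre-login state.
    'baseurlpath'           => 'https://server2.domain.ext/simplesaml/',
    'certdir'               => 'cert/',
    'loggingdir'            => 'log/',
    'datadir'               => 'data/',
    'tempdir'               => '/tmp/simplesaml',

    // Keep the session cookie scoped to this host. Widening it to .domain.ext
    // does not make another host's PHP session visible, which is why the
    // cookie-domain change alone did not fix NOSTATE.
    'session.cookie.domain' => null,
    'session.cookie.secure' => true,

    // 'phpsession' keeps state local to one server. Only if several hosts
    // genuinely had to share one SimpleSAMLphp session would a shared backend
    // (for example 'sql' or 'memcache') be required.
    'store.type'            => 'phpsession',

    // Placeholders: generate a long random salt and a strong admin password
    // for a real deployment.
    'secretsalt'            => 'CHANGE-ME-generate-a-random-salt',
    'auth.adminpassword'    => 'CHANGE-ME',
);
```

The `config/authsources.php` on server 2 can keep the same `default-sp` entry shown earlier in the thread; because `baseurlpath` differs, the SP's default `entityID` (its metadata URL) is automatically distinct from the one on saml.domain.ext, and the IdP must be given that second SP's metadata separately.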