IDP initiated SSO which will send SAML assertion to SP using HTTP POST - Not Working


Arefin Hossain

Nov 2, 2018, 11:08:31 AM
to SimpleSAMLphp

I have set up an SSP IDP for my organization and everything is working fine for SP-initiated SSO. We have a new request to configure an SP for SSO that only supports IDP-initiated SSO, and the SAML assertion needs to be sent to the SP using HTTP POST after the user is authenticated, but for some reason I cannot make it work.


I have sent our IDP metadata to the engineer who configures the SP and he told me that he imported our cert into their SP. Also, I asked him for the SP metadata and imported it into the saml20-sp-remote.php file in our IDP. Following is the SP metadata that I inserted in the saml20-sp-remote.php file.


$metadata['https://< --SP_BaseURL -->'] = array (
  'entityid' => 'https://< --SP_BaseURL -->',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:1.1:bindings:HTTP-POST',
      'Location' => 'https://< --SP_BaseURL -->/SAMLRedirector/ClientSAMLLogin.aspx',
      'index' => 1,
    ),
  ),
  'SingleLogoutService' => 
  array (
  ),
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  'validate.authnrequest' => false,
  'saml20.sign.assertion' => true,
);



Per section 11 A in the SimpleSAMLphp documentation, https://simplesamlphp.org/docs/1.14/simplesamlphp-idp#section_11, when I am trying to access the SP I am getting the error below.

https://< -- IDP_Base_URL -->/simplesaml/saml2/idp/SSOService.php?spentityid=https://< --SP_BaseURL -->

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 /SSO/simplesamlphp/www/_include.php:43 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: saml20-sp-remote/'https://< --SP_BaseURL -->'['AssertionConsumerService']:Could not find a supported AssertionConsumerService endpoint.
Backtrace:
3 /SSO/simplesamlphp/lib/SimpleSAML/Configuration.php:1141 (SimpleSAML_Configuration::getDefaultEndpoint)
2 /SSO/simplesamlphp/modules/saml/lib/IdP/SAML2.php:218 (sspmod_saml_IdP_SAML2::getAssertionConsumerService)
1 /SSO/simplesamlphp/modules/saml/lib/IdP/SAML2.php:347 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /SSO/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)


Any kind of help would be highly appreciated.


Peter Schober

Nov 2, 2018, 12:46:06 PM
to SimpleSAMLphp
* Arefin Hossain <arefin....@gmail.com> [2018-11-02 16:08]:
> I have setup SSP IDP for my organization and everything is working fine for
> SP initiated SSO. We have a new request to configure a SP for SSO that only
> supports IDP initiated SSO and SAML assertion needs to be sent to the SP
> using HTTP POST after user is authenticated but for some reason I cannot
> make it to work.

JFYI, SimpleSAMLphp supports IDP-initiated SSO out of the box without
extra configuration. Same with sending the SAML Response via HTTP-POST
binding, which is the only allowed binding from the commonly used
ones. (I.e., HTTP-Redirect cannot be used for responses).

So that should all be default and should all Just Work.

> Following the SP metadata that I inserted in saml20-sp-remote.php file.
[...]
> array (
> 'Binding' => 'urn:oasis:names:tc:SAML:1.1:bindings:HTTP-POST',

Note that you put it into saml20-sp-remote.php but that the binding
above is for SAML1. So which one is it? A SAML1-only SP? Or does it
support the SAML2 protocol (which it really should, as SAML2 is now 13
years old)?

> Caused by: Exception:
> saml20-sp-remote/'https://...'['AssertionConsumerService']:Could not
> find a supported AssertionConsumerService endpoint.

Well, the SP listed has not a single SAML2 endpoint in its metadata.

-peter

Arefin Hossain

Nov 2, 2018, 1:11:44 PM
to simple...@googlegroups.com
Thanks Peter. I have sent an email to the engineer who works on the SP side and asked whether their SP supports both SAML 1 and SAML 2 or just SAML 1. Waiting for his reply.

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/1mVqaRSRB7M/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlph...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Peter Schober

Nov 2, 2018, 1:17:06 PM
to simple...@googlegroups.com
* Arefin Hossain <arefin....@gmail.com> [2018-11-02 18:11]:
> Thanks Peter. I have sent an email to the engineer who works on the SP side
> asked about if their SP supports both SAML 1 and SAML 2 or Just SAML1 ?
> Waiting for his reply.

Meanwhile you can try moving the SimpleSAMLphp metadata you came up
with to shib13-sp-remote.php instead and see how that changes things.

(Being SAML1-only would at least explain why they would insist on
IDP-initiated, as only SAML2 introduced the authentication request
protocol.)

-peter

Arefin Hossain

Nov 2, 2018, 1:41:00 PM
to simple...@googlegroups.com
I moved the metadata from saml20-sp-remote.php to shib13-sp-remote.php and the following is happening.

When I am trying with https://<--IDP_BASE_URL-->/simplesaml/saml2/idp/SSOService.php?spentityid=https://<--SP_BASE_URL-->, I am getting the error below.

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'https:// <--SP_BASE_URL--  \'')

Backtrace:
3 /SSO/simplesamlphp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:305 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
2 /SSO/simplesamlphp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:325 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
1 /SSO/simplesamlphp/modules/saml/lib/IdP/SAML2.php:255 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /SSO/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
When I am trying with https://<--IDP_BASE_URL-->/simplesaml/shib13/idp/SSOService.php?spentityid=https://www.concursolutions.com, I am getting the error below.

SimpleSAML_Error_BadRequest: BADREQUEST('%REASON%' => 'Missing providerId parameter.')

Backtrace:
1 /SSO/simplesamlphp/modules/saml/lib/IdP/SAML1.php:77 (sspmod_saml_IdP_SAML1::receiveAuthnRequest)
0 /SSO/simplesamlphp/www/shib13/idp/SSOService.php:18 (N/A)
shib13-sp-remote.php:

$metadata['https://sp.shiblab.feide.no'] = array(
	'AssertionConsumerService' => 'http://sp.shiblab.feide.no/Shibboleth.sso/SAML/POST',
	'audience'                 => 'urn:mace:feide:shiblab',
	'base64attributes'         => FALSE,
);


$metadata['https://< -- SP_BASE_URL -->'] = array (
  'entityid' => 'https://<--SP_BASE_URL-->',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:1.1:bindings:HTTP-POST',
      'Location' => 'https://<--SP_BASE_URL-->/SAMLRedirector/ClientSAMLLogin.aspx',
      'index' => 1,
    ),
  ),
  'SingleLogoutService' => 
  array (
  ),
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  'validate.authnrequest' => false,
  'saml20.sign.assertion' => true,
);

Do I need to make any changes in the config file for the shib13-sp-remote.php file to be read by the SimpleSAMLphp IDP? Also, the format of the metadata in shib13-sp-remote.php looks different from saml20-sp-remote.php. Do I need to use any metadata converter?

Thanks.







pat...@cirrusidentity.com

Nov 2, 2018, 3:36:28 PM
to SimpleSAMLphp
> 'Binding' => 'urn:oasis:names:tc:SAML:1.1:bindings:HTTP-POST',

As Peter pointed out, that looks wrong. For SAML 2 it should be 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

> Also, the format of the metadata in shib13-sp-remote.php looks different than saml20-sp-remote.php . Do I need to use any metadata converter?

Probably. You should use metadata-converter and it will convert the metadata to the appropriate format. If the SP metadata supports both SAML 1 and SAML 2 then metadata-converter will produce two different arrays, one for each of the respective files.

If you need to do IdP-initiated from the SAML 1 SSOService endpoint then the query params are different:
providerId = SP entity id

- Patrick

Arefin Hossain

Nov 2, 2018, 3:58:08 PM
to simple...@googlegroups.com

Hello Patrick,

Thanks for the information. I indeed used the SSP metadata converter and it created only one array for SAML1. Looks like the SP only supports SAML1. I am still waiting on the SP team to get back to me about whether they support both SAML 1 and SAML 2 or just SAML 1 assertions from the IDP.

[screenshot of the metadata-converter output, not preserved]

Patrick Radtke

Nov 2, 2018, 4:09:30 PM
to simple...@googlegroups.com
Well, your screenshot indicates the metadata-converter is trying to create a SAML2 config from the metadata, not SAML1.
If you look at your xml file you can see a line like:

  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">


which indicates the SAML protocols supported.

I looked in the InCommon metadata feed and not one of the thousands of SPs lists
'urn:oasis:names:tc:SAML:1.1:bindings:HTTP-POST' as a binding.

I take that as a sign that the xml provided to you has some typos.

- Patrick



--
Patrick Radtke
CTO
Cirrus Identity
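The script below is added here as an example; it is not code from the thread or from SimpleSAMLphp. It does in one pass what Peter's first reply and Patrick's last two replies work out by hand: it reads an SP EntityDescriptor, reports the protocolSupportEnumeration, lists the AssertionConsumerService bindings, flags a 1.1 binding URN on an SP that declares only SAML 2.0 (the reason the saml20 metadata set had no supported endpoint), and builds the IdP-initiated SSO URL with the right parameter name for each protocol set (spentityid for saml2/idp/SSOService.php, providerId for shib13/idp/SSOService.php). The sample metadata, the sp.example.org and idp.example.org hosts and the KNOWN_TYPOS table are constructed for the example; the sets of accepted bindings are this script's own simplification, not SimpleSAMLphp's full list.

```python
"""Pre-check an SP's SAML metadata before importing it into SimpleSAMLphp.

Added example (not part of the original thread or of SimpleSAMLphp).
Hosts, sample metadata and the typo table below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"

# Bindings a SAML 2.0 IdP can return a Response over (simplified list).
# HTTP-Redirect is deliberately absent: it is not permitted for Responses.
SAML2_RESPONSE_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}
# SAML 1.x browser profiles, i.e. what belongs in shib13-sp-remote.php.
SAML1_PROFILES = {
    "urn:oasis:names:tc:SAML:1.0:profiles:browser-post",
    "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01",
}
# Non-standard URNs and the URN the SP owner most likely meant (assumption).
KNOWN_TYPOS = {
    "urn:oasis:names:tc:SAML:1.1:bindings:HTTP-POST":
        "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def inspect_sp_metadata(xml_text):
    """Parse SP metadata and report protocols, ACS endpoints and problems."""
    root = ET.fromstring(xml_text)
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    protocols = set(spsso.get("protocolSupportEnumeration", "").split())
    endpoints = [
        {"Binding": acs.get("Binding"), "Location": acs.get("Location"),
         "index": int(acs.get("index", "0"))}
        for acs in spsso.findall("md:AssertionConsumerService", NS)
    ]
    warnings = []
    for ep in endpoints:
        binding, loc = ep["Binding"], ep["Location"]
        if binding in KNOWN_TYPOS:
            warnings.append("ACS binding %r is not a standard URN; did they mean %r?"
                            % (binding, KNOWN_TYPOS[binding]))
        elif binding not in SAML2_RESPONSE_BINDINGS | SAML1_PROFILES:
            warnings.append("ACS binding %r is unknown to this check" % binding)
        # The signed assertion is POSTed to this URL by the browser; plain
        # http would expose it on the wire.
        if not loc or not loc.startswith("https://"):
            warnings.append("ACS Location %r is not https" % loc)
    saml2_ok = any(ep["Binding"] in SAML2_RESPONSE_BINDINGS for ep in endpoints)
    saml1_ok = any(ep["Binding"] in SAML1_PROFILES for ep in endpoints)
    if SAML2_PROTOCOL in protocols and not saml2_ok:
        warnings.append("SP declares SAML 2.0 but no ACS uses a SAML 2.0 binding; "
                        "saml20-sp-remote.php would have no supported "
                        "AssertionConsumerService endpoint")
    if SAML1_PROTOCOL in protocols and not saml1_ok:
        warnings.append("SP declares SAML 1.1 but no ACS uses a SAML 1.x profile")
    return {"entity_id": root.get("entityID"), "protocols": protocols,
            "endpoints": endpoints, "saml2_ok": saml2_ok,
            "saml1_ok": saml1_ok, "warnings": warnings}


def idp_initiated_urls(idp_base, report):
    """IdP-initiated SSO URLs, one per usable protocol set. Note the
    different query parameter names (spentityid vs providerId)."""
    urls = {}
    eid = report["entity_id"]
    if report["saml2_ok"]:
        urls["saml2"] = "%s/simplesaml/saml2/idp/SSOService.php?%s" % (
            idp_base, urlencode({"spentityid": eid}))
    if report["saml1_ok"]:
        urls["shib13"] = "%s/simplesaml/shib13/idp/SSOService.php?%s" % (
            idp_base, urlencode({"providerId": eid}))
    return urls


# Constructed SP metadata; only the ACS Binding differs between the two.
SP_METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{binding}"
        Location="https://sp.example.org/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
AS_DELIVERED = SP_METADATA_TEMPLATE.format(
    binding="urn:oasis:names:tc:SAML:1.1:bindings:HTTP-POST")
CORRECTED = SP_METADATA_TEMPLATE.format(
    binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

if __name__ == "__main__":
    for label, xml_text in (("as delivered", AS_DELIVERED), ("corrected", CORRECTED)):
        report = inspect_sp_metadata(xml_text)
        print(label, sorted(report["protocols"]), report["warnings"])
        print("  IdP-initiated:", idp_initiated_urls("https://idp.example.org", report))
```

Run it on the XML the SP owner sends before pasting converter output into a metadata file; an empty result from idp_initiated_urls means neither saml20-sp-remote.php nor shib13-sp-remote.php will accept the SP as delivered, which is exactly the state the thread started in.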

Arefin Hossain

Nov 2, 2018, 4:16:57 PM
to simple...@googlegroups.com
You are correct. I was able to fix the issue by changing the line manually in the metadata from 'Binding' => 'urn:oasis:names:tc:SAML:1.1:bindings:HTTP-POST' to 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'. It is working now.

Thanks a lot to both you and Peter.
