enabling artifacts on the SimpleSAMLphp IDP

[Gert Corthout]

hello all,

I am using the simpleSAMLphp idp to test my own SP implementation. The redirect and post singlesignon work fine. I need my sp to support artifact resolution as well.

So I followed the steps detailed here:
SimpleSAMLphp Documentation

I got the memcached extension active, ran the memcached server, I changed the store.type in config.php to memcache.
I updated the saml20-idp-hosted.php and saml20-sp-remote.php files as described in the documentation.

But when I try to access the idp metadata it throws an error:

SimpleSAML\Error\Error: METADATA
Backtrace: 1 modules\saml\src\Controller\Metadata.php:119 (SimpleSAML\Module\saml\Controller\Metadata::metadata) 0 public\saml2\idp\metadata.php:23 (N/A) Caused by: Exception: Missing default binding for ArtifactResolutionService in saml20-idp-hosted Backtrace: 4 src\SimpleSAML\Configuration.php:1188 (SimpleSAML\Configuration::getDefaultBinding) 3 src\SimpleSAML\Configuration.php:1245 (SimpleSAML\Configuration::getEndpoints) 2 src\SimpleSAML\Metadata\SAMLBuilder.php:561 (SimpleSAML\Metadata\SAMLBuilder::addMetadataIdP20) 1 modules\saml\src\Controller\Metadata.php:93 (SimpleSAML\Module\saml\Controller\Metadata::metadata) 0 public\saml2\idp\metadata.php:23 (N/A)

This seems to suggest I need to add the ArtifactResolutionService config to the saml20-idp-hosted.php file, but if I add this:
'ArtifactResolutionService' => [ [ 'index' => 0, 'Location' => 'http://localhost/simplesaml/saml2/idp/ArtifactResolutionService.php', 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP', ], ],

it still fails with the same error. I am not sure what I'm doing wrong here.
My saml20-idp-hosted.php for reference:
<?php

/**
 * SAML 2.0 IdP configuration for SimpleSAMLphp.
 *
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
 */

$metadata['http://localhost/simplesaml/saml2/idp/metadata.php'] = [
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => 'localhost',

    // X.509 key and certificate. Relative to the cert directory.
    'privatekey' => 'idp-signing.key',
    'certificate' => 'idp-signing.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-userpass',
    'saml20.sendartifact' => true,
    'https.certificate' => 'jetty.crt',

    /* Uncomment the following to use the uri NameFormat on attributes. */
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => [
        // Convert LDAP names to oids.
        100 => ['class' => 'core:AttributeMap', 'name2oid'],
    ],

    'SingleSignOnServiceBinding' => array(
        0 => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        1 => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
    ),

    /*
     * Uncomment the following to specify the registration information in the
     * exported metadata. Refer to:
     * http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html
     * for more information.
     */
    /*
    'RegistrationInfo' => [
        'authority' => 'urn:mace:example.org',
        'instant' => '2008-01-17T11:28:03Z',
        'policies' => [
            'en' => 'http://example.org/policy',
            'es' => 'http://example.org/politica',
        ],
    ],
    */
];

[Tim van Dijen]

Hi Gert!

>  This seems to suggest I need to add the ArtifactResolutionService config to the saml20-idp-hosted.php file, but if I add this:

'ArtifactResolutionService' => [ [ 'index' => 0, 'Location' => 'http://localhost/simplesaml/saml2/idp/ArtifactResolutionService.php', 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP', ], ],

Yes, this is correct, but I believe the Binding should be set to `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact` instead.

- Tim

Op dinsdag 22 oktober 2024 om 23:51:20 UTC+2 schreef gert.c...@gmail.com:

[Gert Corthout]

hello Tim,

thank you for your suggestion but unfortunately it doesn't solve the problem. 

Also in SAML 2.0 ArtifactResolutionService should always have  urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding I think.

It is the AssertionConsumerService in the metadata that the SP exports that can use the  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact binding if it supports it.

The error message also seems weird to me as the documentation doesn't show ArtifactResolutionService as configurable:
SimpleSAMLphp Documentation

If anyone has any ideas I'd love to hear them!

kind regards,

Gert

Op woensdag 23 oktober 2024 om 10:00:14 UTC+2 schreef Tim van Dijen:

[Tim van Dijen]

Hmm, I suspect maybe this change is the culprit:  https://github.com/simplesamlphp/simplesamlphp/commit/b5c4744d09fc38c532a492f4ab56632a186ff402

The replacement-code seems unaware of the SOAP-binding..

Op donderdag 24 oktober 2024 om 00:53:37 UTC+2 schreef gert.c...@gmail.com:

[Gert Corthout]

Yes that's probably a bug.
I managed to finish my testing with the artifact, turns out everything works fine it's just the metadata generation that threw an error. I needed that to get the artifact resolution endpoint on the idp, but apparently copilot also knows where it is so I could get by with this workaround.

Op donderdag 24 oktober 2024 om 10:10:02 UTC+2 schreef Tim van Dijen: