First simpleSAMLphp installation and first SimpleSAML_Error_NoState: NOSTATE


Rémy

Nov 13, 2013, 3:22:38 AM
to simple...@googlegroups.com
Hello everyone.

I have been struggling with simpleSAMLphp for three days now.

Scenario:

I have an eZ Publish site that contains the users.
I have another site running Elgg that must use the same users via SSO.

Objectives:
  • [1] Make eZ Publish an identity provider.
  • [2] Make Elgg a service provider.
  • [3] Make eZ Publish a service provider.

Step [1]

======== authsources.php
$config = array(
    'ezpublish-MyClient-IDP' => array(
        'ezpublish:MyClient', // ezpublish
    ),

======== modules/ezpublish/lib/Auth/Source/MyClient.php
class sspmod_ezpublish_Auth_Source_MyClient extends sspmod_core_Auth_UserPassBase 
{
    protected function login($username, $password) 
    {
        $r = my_magic_function($username, $password);
        return array(
                        'uid' => array($r['login']),
                        'name' => array($r['name']),
                        'displayName' => array($r['name']),
                        'email' => array($r['email']),
                        'groups' => array($r['groups']),
                        'roles' => array($r['roles']),
                        );
    }
}

Testing:
It works.
I can connect with my eZ Publish username/password.

Step [2]

simpleSAMLphp config
======== authsources.php
$config = array(
// 
    'elgg-MyClient-SP' => array(
        'saml:SP',
    ),

======== saml20-idp-remote.php
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => array(
        0 => array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'http://simplesamlphp.MyClient.srv-devez01.MyCompany.fr/simplesaml/saml2/idp/SSOService.php',
        ),
    ),
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);

======== saml20-sp-remote.php
  'AssertionConsumerService' => 
  array (
    0 => 
    array (
      'index' => 0,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
    ),
    1 => 
    array (
      'index' => 1,
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
    ),
    2 => 
    array (
      'index' => 2,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
    ),
    3 => 
    array (
      'index' => 3,
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
    ),
  ),
);

Testing the config:

It works.
I can connect with my eZ Publish username/password.

Configuring elgg

I use the saml_login module for Elgg.

It asked me for three parameters:

Path of the SimpleSAMLPHP environment : /var/www/sp/simplesamlphp 
The SP auth source you want to connect to elgg : elgg-MyClient-SP
The attribute whose value uniquely identifies a user object : uid

Testing Elgg:

In the login form I have the SAML login button.
On click, I get the SAML login form.
I entered my login/password.

SimpleSAML_Error_NoState: NOSTATE
Backtrace:
2 /var/www/html/sites/MyClient/simplesamlphp/lib/SimpleSAML/Auth/State.php:236 (SimpleSAML_Auth_State::loadState)
1 /var/www/html/sites/MyClient/simplesamlphp/modules/saml/www/sp/saml2-acs.php:54 (require)
0 /var/www/html/sites/MyClient/simplesamlphp/www/module.php:135 (N/A)

What can I do?


I tried changing the session settings in the vhost of each of my sites:

======== /etc/apache2/sites-available/ez.MyClient.srv-devez01.MyCompany.fr
php_value session.cookie_domain .MyClient.srv-devez01.MyCompany.fr
php_value session.name MyClientSESSid

======== /etc/apache2/sites-available/elgg.MyClient.srv-devez01.MyCompany.fr
php_value session.cookie_domain .MyClient.srv-devez01.MyCompany.fr
php_value session.name MyClientSESSid

======== /etc/apache2/sites-available/simpleSAMLphp.MyClient.srv-devez01.MyCompany.fr
php_value session.cookie_domain .MyClient.srv-devez01.MyCompany.fr
php_value session.name MyClientSESSid

Ditto in the simpleSAMLphp configuration file:
======== config/config.php
'session.cookie.name' => 'MyClientSESSid',
'session.cookie.domain' => '.MyClient.srv-devez01.MyCompany.fr',

But nothing works.

Rémy

Nov 13, 2013, 12:03:26 PM
to simple...@googlegroups.com
Here is the debug output I get from Chrome.

(I replaced the SAMLRequest values with their length.)

=======================================================================================
  1. Request URL:
  2. Request Method:
    GET
  3. Status Code:
    302 Found
  4. Request Headers
    1. Accept:
      text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    2. Accept-Encoding:
      gzip,deflate,sdch
    3. Accept-Language:
      fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
    4. Connection:
      keep-alive
    5. Cookie:
      Elgg=d84a3fceef2590051f97b7d1329865dc; MyClientSESSid=b8ff84bf7eb4d6d08e4c9d19d4ad14d8; SimpleSAMLAuthToken=_d9acf80df1f148a2c60cb81277d7e7250c0c53cab2
    6. DNT:
      1
    7. Host:
    8. Referer:
    9. User-Agent:
      Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
  5. Query String Parameters
    1. saml_login:
      true
  6. Response Headers
    1. Cache-Control:
      no-cache, must-revalidate
    2. Connection:
      Keep-Alive
    3. Content-Encoding:
      gzip
    4. Content-Length:
      890
    5. Content-Type:
      text/html
    6. Date:
      Wed, 13 Nov 2013 16:35:51 GMT
    7. Expires:
      Thu, 19 Nov 1981 08:52:00 GMT
    8. Keep-Alive:
      timeout=15, max=96
    9. Location:
    10. Pragma:
      no-cache
    11. Server:
      Apache/2.2.16 (Debian)
    12. Vary:
      Accept-Encoding
    13. X-Powered-By:
      PHP/5.3.3-7+squeeze17

=======================================================================================
  1. Request URL:
  2. Request Method:
    GET
  3. Status Code:
    200 OK
  4. Request Headers
    1. Accept:
      text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    2. Accept-Encoding:
      gzip,deflate,sdch
    3. Accept-Language:
      fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
    4. Connection:
      keep-alive
    5. Cookie:
      idpdisco_saml_lastidp=http%3A%2F%2Fsimplesamlphp.MyClient.srv-devez01.MyCompagny.fr%2Fsimplesaml%2Fsaml2%2Fidp%2Fmetadata.php; idpdisco_saml_remember=0; Elgg=d84a3fceef2590051f97b7d1329865dc; MyClientSESSid=b8ff84bf7eb4d6d08e4c9d19d4ad14d8; SimpleSAMLAuthToken=_d9acf80df1f148a2c60cb81277d7e7250c0c53cab2
    6. DNT:
      1
    7. Host:
    8. Referer:
    9. User-Agent:
      Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
  5. Query String Parameters
    1. SAMLRequest:
      515CHAR
    2. RelayState:
  6. Response Headers
    1. Cache-Control:
      no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    2. Connection:
      Keep-Alive
    3. Content-Encoding:
      gzip
    4. Content-Length:
      5105
    5. Content-Type:
      text/html
    6. Date:
      Wed, 13 Nov 2013 16:35:51 GMT
    7. Expires:
      Thu, 19 Nov 1981 08:52:00 GMT
    8. Keep-Alive:
      timeout=15, max=100
    9. Pragma:
      no-cache
    10. Server:
      Apache/2.2.16 (Debian)
    11. Vary:
      Accept-Encoding
    12. X-Powered-By:
      PHP/5.3.3-7+squeeze17

=======================================================================================
  1. Request URL:
  2. Request Method:
    POST
  3. Status Code:
    500 Internal Server Error
  4. Request Headers
    1. Accept:
      text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    2. Accept-Encoding:
      gzip,deflate,sdch
    3. Accept-Language:
      fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
    4. Connection:
      keep-alive
    5. Content-Length:
      9400
    6. Content-Type:
      application/x-www-form-urlencoded
    7. Cookie:
      idpdisco_saml_lastidp=http%3A%2F%2Fsimplesamlphp.MyClient.srv-devez01.MyCompagny.fr%2Fsimplesaml%2Fsaml2%2Fidp%2Fmetadata.php; idpdisco_saml_remember=0; Elgg=d84a3fceef2590051f97b7d1329865dc; MyClientSESSid=b8ff84bf7eb4d6d08e4c9d19d4ad14d8; SimpleSAMLAuthToken=_d9acf80df1f148a2c60cb81277d7e7250c0c53cab2
    8. DNT:
      1
    9. Host:
    10. Origin:
    11. Referer:
    12. User-Agent:
      Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
  5. Form Data
    1. SAMLResponse: 9224CHAR
    2. RelayState:
  6. Response Headers
    1. Cache-Control:
      no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    2. Connection:
      close
    3. Content-Encoding:
      gzip
    4. Content-Length:
      1830
    5. Content-Type:
      text/html
    6. Date:
      Wed, 13 Nov 2013 16:35:52 GMT
    7. Expires:
      Thu, 19 Nov 1981 08:52:00 GMT
    8. Pragma:
      no-cache
    9. Server:
      Apache/2.2.16 (Debian)
    10. Vary:
      Accept-Encoding
    11. X-Frame-Options:
      SAMEORIGIN
    12. X-Powered-By:
      PHP/5.3.3-7+squeeze17

Sixto Martin

Nov 13, 2013, 2:22:26 PM
to simple...@googlegroups.com

Maybe you have a session conflict issue.

Try to configure your simpleSAMLphp to handle sessions using memcache.

Read the last part of this document to know how to do that:
https://github.com/pitbulk/dokuwiki-saml/blob/master/README.md

--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/groups/opt_out.
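Sixto's pointer is about where the SP's AuthState lives between the moment the application calls $auth->login() and the moment the IdP posts back to saml2-acs.php. The check below is added here and is not code from the thread or from simpleSAMLphp: it takes the config keys the thread uses (store.type, session.cookie.domain, memcache_store.servers) and the two hostnames involved, and reports why state saved on one host would not be found on the other. The cookieDomainMatches helper and the finding texts are my own.

```php
<?php
// Added diagnostic, not code from the thread or from simpleSAMLphp.
// simpleSAMLphp saves the SP's AuthState when $auth->login() runs inside the
// application (here Elgg on elgg.MyClient...) and loads it again when the IdP
// posts to module.php/saml/sp/saml2-acs.php (here on simplesamlphp.MyClient...).
// The state is only found if the session cookie written on the first host is
// also sent to the second one and both processes read the same session store.

/** RFC 6265 domain matching for a cookie Domain attribute (leading dot ignored). */
function cookieDomainMatches(string $cookieDomain, string $requestHost): bool
{
    $domain = strtolower(ltrim($cookieDomain, '.'));
    $host   = strtolower($requestHost);
    if ($domain === '') {
        return false;   // host-only cookie: only the setting host receives it
    }
    return $host === $domain
        || substr($host, -(strlen($domain) + 1)) === '.' . $domain;
}

/**
 * @param array  $sspConfig  subset of config/config.php (keys as in the thread)
 * @param string $loginHost  host whose PHP process calls $auth->login()
 * @param string $acsHost    host serving module.php/saml/sp/saml2-acs.php
 * @return string[] findings; an empty array means the AuthState should be reachable
 */
function checkSpStateReachability(array $sspConfig, string $loginHost, string $acsHost): array
{
    $findings  = [];
    $storeType = $sspConfig['store.type'] ?? 'phpsession';      // simpleSAMLphp default
    $domain    = $sspConfig['session.cookie.domain'] ?? '';     // '' = host-only cookie
    $sameHost  = strtolower($loginHost) === strtolower($acsHost);

    // 1. Will the browser present the session cookie at the ACS at all?
    if (!$sameHost && $domain === '') {
        $findings[] = "session cookie set on $loginHost is host-only and is never sent to $acsHost";
    } elseif (!$sameHost
        && (!cookieDomainMatches($domain, $loginHost) || !cookieDomainMatches($domain, $acsHost))) {
        $findings[] = "session.cookie.domain '$domain' does not cover both $loginHost and $acsHost";
    }

    // 2. Can the ACS process read what the login process wrote?
    //    With phpsession the state sits in the PHP session of whichever process
    //    called login(); the application's own session_name()/session_start()
    //    decides where that is, so another vhost only finds it if it happens to
    //    use the same PHP session cookie and save path. A shared store avoids that.
    if (!$sameHost && $storeType === 'phpsession') {
        $findings[] = "store.type=phpsession: state written inside the PHP session of $loginHost "
                    . "is not reliably visible to $acsHost; use memcache or sql";
    }
    if ($storeType === 'memcache' && empty($sspConfig['memcache_store.servers'])) {
        $findings[] = 'store.type=memcache but memcache_store.servers is empty';
    }
    return $findings;
}

// Constructed inputs mirroring the thread's first attempt and its final setup.
$elgg = 'elgg.MyClient.srv-devez01.MyCompany.fr';
$ssp  = 'simplesamlphp.MyClient.srv-devez01.MyCompany.fr';

$before = checkSpStateReachability(['store.type' => 'phpsession'], $elgg, $ssp);
$after  = checkSpStateReachability([
    'store.type'             => 'memcache',
    'memcache_store.servers' => [[['hostname' => 'localhost']]],
    'session.cookie.domain'  => '.MyClient.srv-devez01.MyCompany.fr',
], $elgg, $ssp);

print_r($before);   // two findings: host-only cookie, phpsession not shared
print_r($after);    // empty array
```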

"José A. Accino"

Nov 13, 2013, 4:17:06 PM
to simple...@googlegroups.com
Hi, Sixto,

does this mean that those odd issues on the DW SAML plugin we talked about
weeks ago are now solved?

Regards,
JA.

On 13/11/13 20:22, Sixto Martin wrote:
> Maybe you have a session conflict issue.
>
> Try to configure your simpleSAMLphp to handle sessions using memcache.
>
> Read the last part of this document to know how to do that:
> https://github.com/pitbulk/dokuwiki-saml/blob/master/README.md
>
> On 13/11/2013 18:03, "Rémy" <limouz...@gmail.com
> <mailto:limouz...@gmail.com>> wrote:
>
> Here is the debug output I get from Chrome
> <https://lh4.googleusercontent.com/--OV_VjtRi_8/UoOu9KhIv_I/AAAAAAAABvU/P2t84gL--iE/s1600/ChromeDebug.PNG>
> ...


--
José Alfonso Accino
Central IT Services
University of Málaga -Spain-

Sixto Martin

Nov 13, 2013, 11:10:28 PM
to simple...@googlegroups.com

Hi Jose,

The problem with the DW is still there. It is related to how the user session is initiated on DW.
I hope to have some spare time soon to make it work.

On 13/11/2013 22:17, José A. Accino <acc...@uma.es> wrote:
Hi, Sixto,

does this mean that those odd issues on the DW SAML plugin we talked about
weeks ago are now solved?

Regards,
JA.

On 13/11/13 20:22, Sixto Martin wrote:

> Maybe you have a session conflict issue.
>
> Try to configure your simpleSAMLphp to handle sessions using memcache.
>
> Read the last part of this document to know how to do that:
> https://github.com/pitbulk/dokuwiki-saml/blob/master/README.md
>
> On 13/11/2013 18:03, "Rémy" <limouz...@gmail.com
> <mailto:limouz...@gmail.com>> wrote:

>
>     Here is the debug output I get from Chrome
>     <https://lh4.googleusercontent.com/--OV_VjtRi_8/UoOu9KhIv_I/AAAAAAAABvU/P2t84gL--iE/s1600/ChromeDebug.PNG>
>     ...


--
José Alfonso Accino
Central IT Services
University of Málaga -Spain-

Rémy

Nov 14, 2013, 4:55:10 AM
to simple...@googlegroups.com
Hello Mr. Sixto,

I tried to configure my simpleSAMLphp to handle sessions using memcache.

======== config/config.php
$config = array (
    //...
    'store.type' => 'memcache',
    'memcache_store.servers' => array(
        array(
            array('hostname' => 'localhost'),
        ),
    ),
    //...
);

But simpleSAMLphp began to loop:


=======================================================================================
  1. Request URL:
  2. Request Method:
    GET
  3. Status Code:
    302 Found
  4. Request Headers
    1. Cookie:
      Elgg=335e2f5b25321d0f7ebb5eba469dd009; MyClientSESSid=593155f41659399e9012691d3b990c02
  5. Query String Parameters
    1. saml_login:
      true
  6. Response Headers
    1. Location:

=======================================================================================
  1. Request URL:
  2. Request Method:
    GET
  3. Status Code:
    302 Found
  4. Request Headers
    1. Cookie:
      idpdisco_saml_lastidp=http%3A%2F%2Fsimplesamlphp.MyClient.srv-devez01.MyCompagny.fr%2Fsimplesaml%2Fsaml2%2Fidp%2Fmetadata.php; idpdisco_saml_remember=0; Elgg=335e2f5b25321d0f7ebb5eba469dd009; MyClientSESSid=593155f41659399e9012691d3b990c02
  5. Query String Parameters
    1. SAMLRequest:
      A
    2. RelayState:
  6. Response Headers
    1. Location:

======================================================================================= LOOP START
  1. Request URL:
  2. Request Method:
    GET
  3. Status Code:
    302 Found
  4. Request Headers
    1. Cookie:
      idpdisco_saml_lastidp=http%3A%2F%2Fsimplesamlphp.MyClient.srv-devez01.MyCompagny.fr%2Fsimplesaml%2Fsaml2%2Fidp%2Fmetadata.php; idpdisco_saml_remember=0; Elgg=335e2f5b25321d0f7ebb5eba469dd009; MyClientSESSid=593155f41659399e9012691d3b990c02
  5. Query String Parameters
    1. AuthState:
  6. Response Headers
    1. Location:

=======================================================================================
  1. Request Method:
    GET
  2. Status Code:
    302 Found
  3. Request Headers
    1. Cookie:
      idpdisco_saml_lastidp=http%3A%2F%2Fsimplesamlphp.MyClient.srv-devez01.MyCompagny.fr%2Fsimplesaml%2Fsaml2%2Fidp%2Fmetadata.php; idpdisco_saml_remember=0; Elgg=335e2f5b25321d0f7ebb5eba469dd009; MyClientSESSid=593155f41659399e9012691d3b990c02

Sixto Martin

Nov 15, 2013, 2:58:00 AM
to simple...@googlegroups.com

Did you install the memcached server and its PHP driver? Did you restart your Apache server?

Rémy

Nov 15, 2013, 4:43:55 AM
to simple...@googlegroups.com
Apparently, no. ^^'

Do I have to install the memcached server + PECL memcache module (or memcached) for PHP?
Or do I simply need to activate the mem_cache Apache2 module?

Sixto Martin

Nov 15, 2013, 5:06:37 AM
to simple...@googlegroups.com
memcached server + PECL memcache module (or memcached) for PHP [I can't remember if you need the pecl memcache or the memcached for the PHP client, try both ;)].

Then restart the Apache service.

Also take a look at the PHP logs.


--
Sixto Pablo Martín García
Computer Engineer
Yaco Sistemas SL
Phone +34 954 50 00 57
C/Rioja 5-1ª Planta
41001 Sevilla

Rémy

Nov 15, 2013, 6:21:39 AM
to simple...@googlegroups.com
Ok.

I installed memcached:

$ sudo apt-get install memcached
$ sudo /etc/init.d/memcached start

And the memcache PHP PECL module:

$ sudo pecl install memcache

Enabled it in php.ini:

$ sudo vim /etc/php5/apache2/php.ini

extension=memcache.so


I reset my simpleSAMLphp setup and reactivated the memcache session store.

And unfortunately, I ran into a SimpleSAML_Error_NoState: NOSTATE:


===============================================================================
Request
Cookie: Elgg=6e83371d10a5f1a25ada0d50d1de568d

Response
// The Elgg login page with the "UNIQUID" (SAML login) button.

===============================================================================
Request
GET /saml_login?saml_login=true HTTP/1.1
Cookie: Elgg=6e83371d10a5f1a25ada0d50d1de568d

Request params:
saml_login = true

Response
Set-Cookie: SimpleSAMLSessionID=91a5480fcef8a8c0ab3eec41bb1ca7a1; path=/; httponly

===============================================================================
Request
GET /simplesaml/saml2/idp/SSOService.php?SAMLRequest=A&RelayState=http%3A%2F%2Felgg.MyClient.srv-devez01.MyCompany.fr%2Fsaml_login%3Fsaml_login%3Dtrue HTTP/1.1
Cookie: Elgg=6e83371d10a5f1a25ada0d50d1de568d

Request params:
SAMLRequest = A

Response
Set-Cookie: SimpleSAMLSessionID=a074def3be1618208da2d09518842055; path=/; httponly

===============================================================================
Request
GET /simplesaml/module.php/core/loginuserpass.php?AuthState=_97ff3a59ca16b33f6c205dd2b12f275bf53001d343%3Ahttp%3A%2F%2Fsimplesamlphp.MyClient.srv-devez01.MyCompany.fr%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3Dhttp%253A%252F%252Felgg.MyClient.srv-devez01.MyCompany.fr%26cookieTime%3D1384509940%26RelayState%3Dhttp%253A%252F%252Felgg.MyClient.srv-devez01.MyCompany.fr%252Fsaml_login%253Fsaml_login%253Dtrue HTTP/1.1
Host: simplesamlphp.MyClient.srv-devez01.MyCompany.fr
Cookie: Elgg=6e83371d10a5f1a25ada0d50d1de568d; SimpleSAMLSessionID=a074def3be1618208da2d09518842055

Request params:

Response
// simpleSAMLphp login page with form.

===============================================================================
Request
POST /simplesaml/module.php/core/loginuserpass.php? HTTP/1.1
Host: simplesamlphp.MyClient.srv-devez01.MyCompany.fr
Cookie: Elgg=6e83371d10a5f1a25ada0d50d1de568d; SimpleSAMLSessionID=a074def3be1618208da2d09518842055

Request POST params:
password = jhon
username = pass

Response
Set-Cookie: SimpleSAMLAuthToken=_6137cac52f19f42870ab8bc62a95331df33c639e45; path=/; httponly

===============================================================================
Request
POST /simplesaml/module.php/saml/sp/saml2-acs.php/elgg-MyClient-SP HTTP/1.1
Host: simplesamlphp.MyClient.srv-devez01.MyCompany.fr
Cookie: Elgg=6e83371d10a5f1a25ada0d50d1de568d; SimpleSAMLSessionID=a074def3be1618208da2d09518842055; SimpleSAMLAuthToken=_6137cac52f19f42870ab8bc62a95331df33c639e45

Request POST params:
SAMLResponse = BIG_string

Response
// simpleSAMLphp error page.

Rémy

Nov 15, 2013, 6:30:16 AM
to simple...@googlegroups.com
Note: simpleSAMLphp uses the Memcache PHP lib.

===== simpleSAMLphp/lib/SimpleSAML/Memcache.php ~ L.257
/* Create the Memcache object. */
$memcache = new Memcache();

But absolutely nothing is logged in error.simplesamlphp.log.

Rémy

Nov 15, 2013, 8:45:16 AM
to simple...@googlegroups.com
I think it works!!

I get to my Elgg site after identifying myself, but I have this message: "Not username provided by the IdP and is a must"

Sixto Martin

Nov 15, 2013, 2:04:01 PM
to simple...@googlegroups.com

Now you have a mapping issue; configure the Elgg plugin to get the correct "username" field.

On 15/11/2013 14:45, "Rémy" <limouz...@gmail.com> wrote:
> I think it works!!
>
> I get to my Elgg site after identifying myself, but I have this message: "Not username provided by the IdP and is a must"

Rémy

Nov 18, 2013, 5:23:08 AM
to simple...@googlegroups.com
Yatta!!!!!!!!!!!!!


======== saml20-idp-hosted.php
$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',
    'auth' => 'ezpublish-MyClient-IDP',
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', // default value
    // 'authproc' => array(
    //     // Convert LDAP names to oids.
    //     100 => array('class' => 'core:AttributeMap', 'name2oid'),
    // ),
);

I was able to connect to my Elgg site using my eZ Publish identifiers. My Elgg account was automatically created.
I still have some problems to settle, since the user name does not register.
I also still have to take care of authentication in eZ Publish, and test the SSO part.

In any case, a big thank you for your help.

I hope I can publish a full article on my work and perhaps a proper simpleSAMLphp module for the eZ Publish IdP.

Rémy

Nov 19, 2013, 9:24:04 AM
to simple...@googlegroups.com
I keep asking my questions here even if my current problem has very little to do with it.

To summarize what I've done so far:

First, I installed simpleSAMLphp.

<VirtualHost *:80>
        DocumentRoot /var/www/html/sites/MyClient/simplesamlphp/www/
        Alias /simplesaml /var/www/html/sites/MyClient/simplesamlphp/www/
        <Directory "/var/www/html/sites/MyClient/simplesamlphp/www/">
                AllowOverride All
        </Directory>
</VirtualHost>


======= config/config.php
<?php
require dirname(__FILE__).'/../config-templates/config.php';
$config = array_merge( $config, array (
    'auth.adminpassword' => '*************',
    'secretsalt' => '************',
    'technicalcontact_name'     => 'Administrator',
    'technicalcontact_email'    => 'supp...@MyCompany.fr',
    'timezone' => 'Europe/Paris',
    'enable.saml20-idp' => true,

    'store.type' => 'memcache',
    'memcache_store.servers' => array(
        array(
            array('hostname' => 'localhost'),
        ),
    ),
));

I use memcache to avoid session conflicts, which may lead to loss of state.

I created an IdP based on the users of my eZ site.

======= authsources.php
$config = array(
    'ezpublish-MyClient-IDP' => array(
        'ezpublish:MyClient', // => modules/ezpublish/lib/Auth/Source/MyClient.php
    ),

======= modules/ezpublish/lib/Auth/Source/MyClient.php
class sspmod_ezpublish_Auth_Source_MyClient extends sspmod_core_Auth_UserPassBase
{
    protected function login($username, $password)
    {
        // placeholder name ("a function to improve"): checks the credentials against eZ Publish
        $r = une_function_a_ameliorer($username, $password);
        return array(
            'uid' => array($r['login']),
            'name' => array($r['name']),
            'displayName' => array($r['name']),
            'email' => array($r['email']),
            'mail' => array($r['email']), // elgg simple_saml
            'groups' => $r['groups'],
            'roles' => $r['roles'],
        );
    }
}

I declare my IdP in "hosted" and "remote":

======= saml20-idp-hosted.php
$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',
    'auth' => 'ezpublish-MyClient-IDP',
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', // default value
);

======= saml20-idp-remote.php
/*
 * MINIMAL
 */
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => array(
        0 => array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'http://simplesamlphp.MyClient.srv-devez01.MyCompany.fr/simplesaml/saml2/idp/SSOService.php',
        ),
    ),
    'certData' => '********************',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);

Now I define my two SPs:

======= authsources.php
$config = array(
    // ...
    'elgg-MyClient-SP' => array(
        'saml:SP',
    ),

    'ezpublish-MyClient-SP' => array(
        'saml:SP',
    ),

For Elgg I use the saml_login mod by Sixto Martin.

It asked me for three parameters:

Path of the SimpleSAMLPHP environment : /var/www/sp/simplesamlphp
The SP auth source you want to connect to elgg : elgg-MyClient-SP
The attribute whose value uniquely identifies a user object : uid

Unfortunately, I did not find any interesting extension for eZ Publish.
Fortunately, I am much more comfortable with eZ Publish code than with Elgg.

I reproduced the saml_login features in eZ.

======= login.tpl
<div id="login_with_saml">
</div>

======= saml.php
require_once '/var/www/html/sites/MyClient/simplesamlphp/lib/_autoload.php';
$auth = new SimpleSAML_Auth_Simple('ezpublish-MyClient-SP');
if ( ! $auth->isAuthenticated() ) {
    $auth->login();
    eZExecution::cleanExit();
} else {
    $saml_attributes = $auth->getAttributes();
    $username = $saml_attributes['uid'][0];
    $currentUser = eZUser::fetchByName($username);
    if ( $currentUser instanceof eZUser ) { // guard against a uid with no matching eZ user
        $userID = $currentUser->attribute( 'contentobject_id' );
        eZUser::setCurrentlyLoggedInUser( $currentUser, $userID );
    }
}

Although the redirection does not happen automatically, it works.
Anyway, this is not exactly what I want to do.

In the current state, I have a unique identifier but not a unique identification.
If I visit my Elgg site, it asks me to identify myself.
If I go to my eZ website, it asks me again.
But when I run the simpleSAMLphp test of the authentication sources, I have all my information.


In eZ we used an SSOHandler to manage it.

class eZMyClientSSOHandler
{
    /**
     * Return an eZUser object to log in to eZ Publish.
     * If the authentication fails, return false.
     *
     * @return eZUser|false
     */
    public function handleSSOLogin()
    {
        require_once '/var/www/html/sites/MyClient/simplesamlphp/lib/_autoload.php';
        $auth = new SimpleSAML_Auth_Simple('ezpublish-MyClient-SP');
        $currentUser = false; // default value returned if authentication fails

        // look for an existing session in simpleSAMLphp
        // if there is one, look for the eZUser
        // if the user exists: connect it
        // else ERROR !!

        if ( ! $auth->isAuthenticated() ) {
            SLogger::d('not authenticated'); // Always passes by here. Even though I am logged in elgg.
        } else {
            SLogger::d('authenticated');
            $saml_attributes = $auth->getAttributes(); // $auth is the local object created above, not a property
            $username = $saml_attributes['uid'][0];
            $currentUser = eZUser::fetchByName($username);
        }
        return $currentUser;
    }
}

So much for the inventory.

It remains for me to manage:
- This SSO problem
- Disconnection,
- The identification forms must be in the sites (instead of links)

Rémy

Nov 28, 2013, 9:23:42 AM
to simple...@googlegroups.com
Working on disconnection, I encountered the following problem:

On clicking logout, the Elgg website calls the IdP to close the session.


And this caused an error in simpleSAMLphp.

After digging a bit, I realized that simpleSAMLphp did not receive the SAMLRequest parameter.

This is due to suhosin, which limits the length of GET parameter values to 512 characters.

<VirtualHost *:80>
        DocumentRoot /var/www/html/sites/MyClient/simplesamlphp/www/
        Alias /simplesaml /var/www/html/sites/MyClient/simplesamlphp/www/
        php_admin_value suhosin.get.max_value_length 1024
        <Directory "/var/www/html/sites/MyClient/simplesamlphp/www/">
                AllowOverride All
        </Directory>
</VirtualHost>

Maybe it will help others :)

Otherwise, I continue to asymptotically approach my goal...
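The suhosin limit hit above drops the whole GET variable when its value is longer than suhosin.get.max_value_length, so the endpoint sees no SAMLRequest at all rather than a shortened one. The PHP below is an added example, not code from the thread or from simpleSAMLphp: it reproduces the HTTP-Redirect binding encoding (DEFLATE, then base64, URL-encoded on the wire) for a constructed LogoutRequest with placeholder identifiers and reports whether a given limit would drop it; the function names are mine.

```php
<?php
// Added example, not code from the thread or from simpleSAMLphp.
// The HTTP-Redirect binding carries the SAML message as a query-string value,
// so a suhosin.get.max_value_length below the encoded size removes the variable
// and the SP/IdP endpoint fails as if no SAMLRequest had been sent.

/** Encode a SAML protocol message the way the HTTP-Redirect binding puts it in the query string. */
function redirectBindingValue(string $xml): string
{
    return base64_encode(gzdeflate($xml, 9));
}

/** Reverse of the above; null when the value does not decode cleanly (e.g. cut off or altered). */
function redirectBindingDecode(string $value): ?string
{
    $raw = base64_decode($value, true);   // strict: reject bytes outside the base64 alphabet
    if ($raw === false) {
        return null;
    }
    $xml = @gzinflate($raw);              // a cut-off DEFLATE stream fails here
    return $xml === false ? null : $xml;
}

/**
 * Measure a message against a per-value GET limit.
 * @return array{value_length:int, urlencoded_length:int, limit:int, dropped:bool}
 */
function checkAgainstGetLimit(string $xml, int $maxValueLength): array
{
    $value = redirectBindingValue($xml);
    $len   = strlen($value);
    return [
        'value_length'      => $len,                       // as PHP would register it in $_GET
        'urlencoded_length' => strlen(urlencode($value)),  // what travels in the URL
        'limit'             => $maxValueLength,
        'dropped'           => $len > $maxValueLength,
    ];
}

// Constructed LogoutRequest shaped like the one an SP sends to the IdP on logout;
// the ID, NameID and SessionIndex are placeholders, the hostnames are the thread's.
$logoutRequest = <<<XML
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id-0123456789abcdef0123456789abcdef" Version="2.0" IssueInstant="2013-11-28T09:00:00Z" Destination="http://simplesamlphp.MyClient.srv-devez01.MyCompany.fr/simplesaml/saml2/idp/SingleLogoutService.php"><saml:Issuer>http://elgg.MyClient.srv-devez01.MyCompany.fr</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="http://elgg.MyClient.srv-devez01.MyCompany.fr">_placeholder-nameid-0123456789abcdef0123456789abcdef01</saml:NameID><samlp:SessionIndex>_placeholder-session-index-0123456789abcdef</samlp:SessionIndex></samlp:LogoutRequest>
XML;

foreach ([512, 1024] as $limit) {   // suhosin default vs the value set in the vhost above
    $r = checkAgainstGetLimit($logoutRequest, $limit);
    printf("limit %4d: value %d bytes (%d URL-encoded) -> %s\n",
        $limit, $r['value_length'], $r['urlencoded_length'], $r['dropped'] ? 'DROPPED' : 'ok');
}

// Sanity check: the encoding round-trips when nothing is lost on the way.
assert(redirectBindingDecode(redirectBindingValue($logoutRequest)) === $logoutRequest);
```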

Rémy

Nov 29, 2013, 4:58:52 AM
to simple...@googlegroups.com
The last step!

I have almost everything working :)
My last little problem is that I would like to have the login form in the SP.

Example with the saml_login mod for Elgg:

I have the native Elgg login form. But it does not fit into the SSP process.

I have to click on the "uniquid" button, which redirects me to the simpleSAMLphp login form:


(template in progress)

Here I identify myself and I am redirected to Elgg.

I want my users to log in directly without going through an intermediate page. And most importantly, my users will not understand that the first form is not for them!

Do I have to go through an iframe?
A specific URL in my login form?

I tested a lot of stuff but I cannot find the solution.

Thijs Kinkhorst

Dec 2, 2013, 5:39:50 AM
to simple...@googlegroups.com
On Friday 29 November 2013 10:58:52, Rémy wrote:
> I want my users to log in directly without going through an intermediate
> page. And most importantly, my users will not understand that the first
> form is not for them!

It seems to me that this form is generated by Elgg. Therefore, you cannot
solve this in simpleSAMLphp (because that part works as designed) but need to
change something in Elgg to not display a login form when it uses federated
authentication.


--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Visiting address > Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl