Accept multiple issuers


Francisco Almeida

Jan 22, 2018, 7:52:09 AM
to SimpleSAMLphp
I was asked to implement a USE CASE, where I should be able to accept a SAML Response from an issuer that is different from the one I have sent the request ("AuthnRequest") to.

After some DEBUG, I end up in this exception:
----------------------------------------------

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: The issuer of the response does not match to the identity provider we sent the request to.
Backtrace:
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:97 (require)
0 /var/simplesamlphp/www/module.php:137 (N/A)
----------------------------------------------

As far as I've gone this checks the SAML2 protocol message exchange.

My questions are:
- Is this USE CASE possible at all?
- If it is possible, how can I manage to configure this?
- If it is not possible, is this a protocol restriction? Where can I find this Protocol Rule?

Thanks for all the help in this issue.

Thks,
Francisco

Patrick Radtke

Jan 29, 2018, 6:35:36 PM
to SimpleSAMLphp
Have you tried defining an IDPList array in your saml20-idp-remote.php file with the alternative entityIds for the IdP?
It looks like it would work based on what the code is doing, but I don't see it as a documented feature.

-Patrick
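The configuration Patrick describes, written out as an added example (not from the thread or the SimpleSAMLphp project): the entry for the IdP the AuthnRequest goes to carries an IDPList allowlist naming the alternative issuer, and that issuer keeps its own entry so its signature can be checked against its own certificate. All entity IDs, URLs and certificate data are constructed placeholders, and the exact IDPList behaviour should be verified against the release in use.

```php
<?php
/*
 * Added example, not code from the thread: a saml20-idp-remote.php that lets
 * the SP accept a Response from a second IdP for an AuthnRequest it sent to
 * the first. Every entity ID, URL and certificate value is a placeholder.
 */

// The IdP the SP actually sends the AuthnRequest to.
$metadata['https://idp1.example.com/saml2/idp'] = [
    'SingleSignOnService' => 'https://idp1.example.com/saml2/idp/SSOService.php',
    'certData'            => 'PLACEHOLDER_BASE64_IDP1_SIGNING_CERT',

    // Allowlist of additional issuers whose Response the SP accepts for a
    // request sent to this IdP (the IDPList option named in the thread).
    // Preferable to removing the issuer check entirely: only the entity IDs
    // listed here may answer on idp1's behalf, so keep the list minimal.
    'IDPList' => [
        'https://idp2.example.com/saml2/idp',
    ],
];

// The alternative issuer still needs its own entry so that its Response
// signature is validated against its own certificate, not idp1's.
$metadata['https://idp2.example.com/saml2/idp'] = [
    'SingleSignOnService' => 'https://idp2.example.com/saml2/idp/SSOService.php',
    'certData'            => 'PLACEHOLDER_BASE64_IDP2_SIGNING_CERT',
];
```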

Bjorn Rohde Jensen

Jan 30, 2018, 9:04:07 AM
to simple...@googlegroups.com
Hi there,

> Have you tried defining an IDPList array in your saml20-idp-remote.php file
> with the alternative entityIds for the IdP?
> It looks like it would work based on what the code is doing, but I don't
> see it as a documented feature.
>
> -Patrick
>

This does indeed work, and we have a couple of such setups. It is really
a workaround introduced by Jaime a couple of years back, because I
complained a lot over our most important use-case, where we employ
simplesamlphp basically as a proxy, being broken by a bit of tightening
up of the code.

I think every release of simplesamlphp prior to 1.13 or so did in fact
not check if the responder matched the target, and we had at that time
abused this neat little feature for years.


Yours sincerely,

Bjorn

Francisco Almeida

Feb 6, 2018, 6:33:46 AM
to SimpleSAMLphp
Hi Patrick,

Yes, I have tried that option, but the only solution that worked for me was to add the 2 IdP metadata configurations in saml20-idp-remote.php and remove those validations.

Example (saml20-idp-remote.php):
$metadata['https://idp1_example.com'] = array (...);
$metadata['https://idp2_example.com'] = array (...);

In terms of documentation, I also didn't find any option for this approach.

In terms of what the code is doing, I will try to DEBUG a little bit more to see if we can override this option. My doubt is if this is a SAML2 protocol restriction.

Regards,
Francisco

Francisco Almeida

Feb 6, 2018, 6:36:39 AM
to SimpleSAMLphp
Hi Bjorn,

Thanks for your help.

When you say that this works, what approach have you followed to configure this?

Regards,
Francisco

Bjorn Rohde Jensen

Feb 6, 2018, 9:32:37 AM
to simple...@googlegroups.com
Hi guys,

> Hi Patrick,
>
> Yes I have tried that option, but the only solution that worked for me was
> to add the 2 IdP metadata configuration in saml20-idp-remote.php and remove
> those validations.

I went and checked the archives, and this check was added in 1.11:

"to verify if the issuer of a SAML response is the same IdP we sent the
AuthnRequest to"

I had a bit of a correspondence with Jaime about it in this thread:

https://groups.google.com/forum/?_escaped_fragment_=topic/simplesamlphp/3xKJyCZp028#!topic/simplesamlphp/3xKJyCZp028

In it you will find the discussion of problem and work-around as well as
a description of how to configure the work-around.

Seems we have actually had this setup running in production without
problems for nearly 5 years without any patching of simplesamlphp.


Yours sincerely,

Bjorn
