IDP First-flow query....


Chetan Jain

Jan 31, 2012, 4:25:12 AM
to simple...@googlegroups.com
Hi,
 
We have a requirement to implement SSO with SAML 2.0, but the service provider wants us to initiate the first connection, authenticate and then relay the state results to their app.... I read about IdP First-flow and tried to implement it but am unable to get it working. I'm pasting the files which I configured and how I'm initiating the connection...
 
 
=============================================================================================================
 saml20-idp-hosted.php :
 
$metadata['__DYNAMIC:1__'] = array(
        // Can be '__DEFAULT__', to use this entry by default.
        'host' => '__DEFAULT__',
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',
        'privatekey_pass' => '123456',
        'auth' => 'Radius',
        'authority' => 'login',
        'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
        'authproc' => array(
            100 => array('class' => 'core:AttributeMap', 'name2oid'),
        ),
);
 
saml20-sp-remote.php :
 
$metadata['sp.com'] = array(
        'AssertionConsumerService' => 'https://pm.sp.com/saml2/SAMLAssertionConsumer?company=clientTest',
        'SingleLogoutService' => 'https://pm.sp.com/saml2/LogoutServiceHTTPRedirectResponse?company=clientTest',
        'RelayState' => 'https://pm.sp.com/xi/ui/home/pages/home.xhtml',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:uri',  
        'simplesaml.nameidattribute' => 'uid',
        'simplesaml.attributes' => FALSE,
);
config/authsources.php :
 
$config = array(
    'Radius' => array(
        'radius:Radius',
        'RelayState' => 'https://pm.sp.com/xi/ui/home/pages/home.xhtml',
        'hostname' => 'radius.client.com',
        'port' => 1645,
        'secret' => '123456',
        'timeout' => 5,
        'retries' => 3,
        'username_attribute' => 'eduPersonPrincipalName',
    ),
);
=================================================================================================================
 
So when I put the URL " http://saml.client.com/simplesaml/saml2/idp/SSOService.php?spentityid=sp.com " in my browser, I get the login page and successfully get logged in, and then rather than getting my homepage on the Service Provider side, I get their login page... When I spoke to them they said they are not getting the RelayState...
 
Now my question is, how do I configure simplesaml to send the RelayState? Also I think I have to get the correct NameID Format which the service provider understands... Is there anything else which needs to be configured?
 
 
Any help is greatly appreciated...
 
Chetan Jain.

Peter Schober

Jan 31, 2012, 9:32:25 AM
to simple...@googlegroups.com
* Chetan Jain <chetan...@gmail.com> [2012-01-31 15:20]:

> So when i put the url in my browser "
> http://saml.client.com/simplesaml/saml2/idp/SSOService.php?spentityid=sp.com ",
> I get the login page and I successfully get logged in and then rather than
> getting my homepage on the Service Provider side, I get their login page...
> When i spoke to them they said they are not getting the RelayState...

In the RelayState an SP may keep state about which resource a user
agent accessed (or tried to access) before sending them off to an IdP
(or discovery service). So RelayState is set by the SP and only means
something to the SP. How could the IdP then send a RelayState
parameter in an IdP-first flow?
-peter

Chetan Jain

Jan 31, 2012, 9:52:04 AM
to simple...@googlegroups.com
Hi,
 
Thanks for your reply. Then how do I achieve this:
 
"Service provider has currently implemented IdP-initiated Web Browser SSO Profile (HTTP POST Binding) and the SP-initiated Global Logout (HTTP Redirect Binding)".
Chetan Jain.


Peter Schober

Jan 31, 2012, 10:31:45 AM
to simple...@googlegroups.com
* Chetan Jain <chetan...@gmail.com> [2012-01-31 15:52]:

> Thanks for your reply, Then how do I achieve this
>
> "Service provider has currently implemented IdP-initiated Web Browser SSO
> Profile (HTTP POST Binding) and the SP-initiated Global Logout (HTTP
> Redirect Binding)" .

What is this "this", you want to achieve?
There is no RelayState (i.e., the user agent has no state at the
Service Provider) when you start at the IdP (i.e., IdP-initiated).
The SP decides where to route users to, after processing the SAML
assertion from the IdP.
-peter

Chetan Jain

Jan 31, 2012, 11:10:21 AM
to simple...@googlegroups.com
Hi,
 
We have applied for an online HR software with a firm... We do not want their systems to access our user/pass database or share it with them. So we had asked them if they do SSO with SAML, as we're already using it with Google Apps... For this they have to say that they currently implement an IdP-Initiated Web Browser SSO Profile ( HTTP Post Binding ), which is different from what Google does... They do support SAML 2.0.
 
I need some help from the list as I'm a network guy and not a programmer... From the site I could figure out that I could do IdP First-flow to achieve this ( IdP initiated SSO )...
 
I had emailed the list of files in which I had configured the settings for IdP initiated SSO; I didn't know that RelayState has to be configured on the SP side, nor do I know if I have to configure saml20-sp-hosted.php...
 
Can someone shed some light on how to achieve this...
 
Chetan Jain.


Olav Morken

Feb 1, 2012, 8:36:49 AM
to simple...@googlegroups.com
On Tue, Jan 31, 2012 at 21:40:21 +0530, Chetan Jain wrote:
> Hi,
>
> We have applied for a Online HR software with a firm... We donot want their
> systems to access our user/pass database or share with them. So we had
> asked them if they do SSO with SAML as we're already using it with Google
> Apps... For this they have to say that they currently implement a
> IdP-Initiated Web Browser SSO Profile ( HTTP Post Binding ) which is
> different from what Google does... They do support SAML2.0.
>
> I need some help from the list as i'm a Network Guy and not a programmer...
> From the site i could figure out that i could do IdP First-flow to achieve
> this ( IdP initiated SSO)...
>
> I had emailed the list of files which i had configured the settings for IdP
> initiated SSO, I didn't knew that RelayState has to be configure on the SP
> side neither i know if i have to configure saml20-sp-hosted.php...

The RelayState option that you can configure in a simpleSAMLphp SP is
only present as a default URL to use when the IdP does not include a
RelayState option in its response. But it is not relevant for your
case, since you are running an IdP.

> Can someone put some light on how to achieve this...

For information about how to trigger IdP initiated SSO (with a
specific RelayState), see the documentation:

http://simplesamlphp.org/docs/1.8/simplesamlphp-idp-more#section_4

Best regards,
Olav Morken
UNINETT / Feide

Chetan Jain

Feb 2, 2012, 9:28:19 AM
to simple...@googlegroups.com
Hi,
 
I had followed the instructions, but after a successful login on the IdP I'm still getting the login page of the SP....
 
Has anyone in the group worked with SuccessFactors as the Service Provider and can shed some light on the config...
 
 
I'm attaching the setup info doc from SuccessFactors and the decoded HTTP POST message from my SAML instance...
 
saml20-sp-remote.php
 
<?php
 $metadata['successfactors.com'] = array(
'AssertionConsumerService' => 'https://pf.sf.com/saml2/SAMLAssertionConsumer?company=clientTest',
'SingleLogoutService' => 'https://pf.sf.com/saml2/LogoutServiceHTTPRedirectResponse?company=clientTest',
'RelayState' => 'https://pf.sf.com/xi/ui/home/pages/home.xhtml',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:uid',

'simplesaml.nameidattribute' => 'uid',
'simplesaml.attributes' => FALSE,
);
 
Thanks in advance...
 
Chetan Jain.

Decode.rtf
SuccessFactors Single Sign-On.doc

Chetan Jain

Feb 2, 2012, 10:07:38 PM
to simple...@googlegroups.com
Hi,
 
I'm storing the username in attribute 'username_attribute' => 'uid', under authsources.php and specifying the same in saml20-sp-remote.php as
 
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:uid',

'simplesaml.nameidattribute' => 'uid',
'simplesaml.attributes' => FALSE,
Will this pass the username correctly to successfactors??? They require
 
Use Case 1 – Name Identifier
For this use case, the Name Identifier (<saml:NameID>) in the Subject (<saml:Subject>) will be the only attribute to identify a user in our PerformanceManager. No other attributes are required. The Name Identifier must match the username set up in our system (it is case sensitive). In the following sample SAML Response document, the Name Identifier “admin” is the user in our PerformanceManager with username “admin”. If the user does not exist in our PerformanceManager, the user will be redirected to an invalid login page set up in our PerformanceManager or our SF default login page. The Name Identifier will be the same as the username in the username column in the CSV for User Sync process.
If you are using this option, the password must be set to be the same as the username in the User Sync Process.
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        admin
</saml:NameID> …… </saml:Subject>
 
 
Chetan Jain.

Olav Morken

Feb 3, 2012, 7:08:26 AM
to simple...@googlegroups.com
On Fri, Feb 03, 2012 at 08:37:38 +0530, Chetan Jain wrote:
> Hi,
>
> I'm storing the username in attribute 'username_attribute' => 'uid',

> under authsources.php and specifying the same in saml20-sp-remote.php as
>
> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:uid',

I do not think this is a real format for a NameID? You should probably
set it to "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", to
match the example they have provided.

> 'simplesaml.nameidattribute' => 'uid',
> 'simplesaml.attributes' => FALSE,
> Will this pass the username correctly to successfactors???

It should, if "uid" is available at that point. I suggest that you take
a look at the response your IdP sends. You can do that by setting
'logging.level' to LOG_DEBUG, and enabling the 'debug' option in
config.php. That should ensure that the complete response sent to the SP
is logged in the log files.

Chetan Jain

Feb 3, 2012, 7:19:17 AM
to simple...@googlegroups.com
Hi,
 
I changed the NameID Format and enabled the debug.... This is what I get, no change...
 
Feb  3 07:11:15 saml simplesamlphp[2665]: 6 [6bf0bcc38b] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Feb  3 07:11:15 saml simplesamlphp[2665]: 6 [6bf0bcc38b] SAML2.0 - IdP.SSOService: IdP initiated authentication: 'successfactors.com'
Feb  3 07:11:37 saml simplesamlphp[14657]: 5 STAT [6bf0bcc38b] saml20-idp-SSO-first successfactors.com http://saml.client.com/simplesaml/saml2/idp/metadata.php NA
Feb  3 07:11:37 saml simplesamlphp[14657]: 5 STAT [6bf0bcc38b] saml20-idp-SSO successfactors.com http://saml.client.com/simplesaml/saml2/idp/metadata.php NA
Feb  3 07:11:37 saml simplesamlphp[14657]: 6 [6bf0bcc38b] Sending SAML 2.0 Response to 'successfactors.com'
 
Also, how do I set the RelayState parameter in the IdP first-flow... what do the urn and someservice mentioned in this example mean?
 
https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=urn:mace:feide.no:someservice&RelayState=https://sp.example.org/somepage
 
My URL would look like this...
 
https://saml.client.com/simplesaml/saml2/idp/SSOService.php?spentityid=urn:successfactors.com:someservice&RelayState=https://succesfactors.com/login
Chetan Jain.

Olav Morken

Feb 3, 2012, 7:24:58 AM
to simple...@googlegroups.com
On Fri, Feb 03, 2012 at 17:49:17 +0530, Chetan Jain wrote:
> Hi,
>
> I changed the NameID Format and enabled the debug.... This is what i get,
> no change...

Did you also adjust the log level?


> Feb 3 07:11:15 saml simplesamlphp[2665]: 6 [6bf0bcc38b] SAML2.0 -
> IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
> Feb 3 07:11:15 saml simplesamlphp[2665]: 6 [6bf0bcc38b] SAML2.0 -
> IdP.SSOService: IdP initiated authentication: 'successfactors.com'
> Feb 3 07:11:37 saml simplesamlphp[14657]: 5 STAT [6bf0bcc38b]
> saml20-idp-SSO-first successfactors.com
> http://saml.client.com/simplesaml/saml2/idp/metadata.php NA
> Feb 3 07:11:37 saml simplesamlphp[14657]: 5 STAT [6bf0bcc38b]
> saml20-idp-SSO successfactors.com
> http://saml.client.com/simplesaml/saml2/idp/metadata.php NA
> Feb 3 07:11:37 saml simplesamlphp[14657]: 6 [6bf0bcc38b] Sending SAML 2.0
> Response to 'successfactors.com'
>
> Also how do set the Relay State paramater in the Idp First-flow... what is
> urn and someservice mentioned in this example mean.
>
>
> https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=urn:mace:feide.no:someservice&RelayState=https://sp.example.org/somepage
>
>
>
> My url would look like this...
>
> https://saml.client.com/simplesaml/saml2/idp/SSOService.php?spentityid=urn:successfactors.com:someservice&RelayState=https://succesfactors.com/login


The "spentityid" parameter specifies the SP entityID. This appears to
be "successfactors.com" for you, based on the log you pasted.

The value of the RelayState depends on what your SP expects. It _may_
be a URL, but it can also be something else, or nothing at all. It is
up to the SP software to decide what value it wants to be passed in the
RelayState parameter.

Chetan Jain

Feb 3, 2012, 7:27:21 AM
to simple...@googlegroups.com
Yes,
 
 
        'debug' => TRUE,
        'logging.level'         => LOG_DEBUG,

Chetan Jain

Olav Morken

Feb 3, 2012, 7:42:29 AM
to simple...@googlegroups.com
On Fri, Feb 03, 2012 at 17:57:21 +0530, Chetan Jain wrote:
> Yes,
>
>
> 'debug' => TRUE,
> 'logging.level' => LOG_DEBUG,

Maybe your syslog configuration is set up to store debug information in
a different file or to not log it at all?

Chetan Jain

Feb 3, 2012, 8:14:19 AM
to simple...@googlegroups.com
I changed the syslog config and now have the debug output... I see that the username "samluser" has been sent in the response to the SP... If you can have a look at the debug...
 
 
Chetan Jain

debug.txt

Olav Morken

Feb 3, 2012, 8:51:58 AM
to simple...@googlegroups.com
On Fri, Feb 03, 2012 at 18:44:19 +0530, Chetan Jain wrote:
> I changed the syslog config and have the debug... I see that the username
> "samluser" has been sent in the response to SP... If you can have a look at
> the debug...

As you have seen, the username is sent as the name identifier in the
response. It appears to be a valid SAML 2.0 response. There isn't really
very much else to say about it.

If your SP has specific requirements for the response, you should check
it against those requirements.

Chetan Jain

Feb 3, 2012, 11:40:06 PM
to simple...@googlegroups.com
Hi Olav,
 
It seems SuccessFactors are now getting the SAML response. Now we're not even getting the SuccessFactors login page, but some simplesaml error.. This is what I see in /var/log/messages after the SAML response is sent to SuccessFactors...
Also, I have sent them the issuer as http://saml.client.com/simplesaml/saml2/idp/metadata.php; is this correct?
 
 
:19:04 saml simplesamlphp[2665]: 6 [ab4d77ad3f] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
:19:04 saml simplesamlphp[2665]: 6 [ab4d77ad3f] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] Backtrace:
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] Backtrace:
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 1 /var/www/html/simplesamlphp/www/_include.php:37 (SimpleSAML_exception_handler)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 1 /var/www/html/simplesamlphp/www/_include.php:37 (SimpleSAML_exception_handler)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 0 [builtin] (N/A)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 0 [builtin] (N/A)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] Caused by: Exception: Unable to find the current binding.
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] Caused by: Exception: Unable to find the current binding.
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] Backtrace:
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] Backtrace:
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 2 /var/www/html/simplesamlphp/lib/SAML2/Binding.php:79 (SAML2_Binding::getCurrentBinding)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 2 /var/www/html/simplesamlphp/lib/SAML2/Binding.php:79 (SAML2_Binding::getCurrentBinding)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 1 /var/www/html/simplesamlphp/modules/saml/lib/IdP/SAML2.php:265 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 1 /var/www/html/simplesamlphp/modules/saml/lib/IdP/SAML2.php:265 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 0 /var/www/html/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] 0 /var/www/html/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] Error report with id 76efaac7 generated.
:19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] Error report with id 76efaac7 generated.
 
Chetan Jain.
samlresponse2.rtf

Olav Morken

Feb 6, 2012, 1:44:45 AM
to simple...@googlegroups.com
On Sat, Feb 04, 2012 at 10:10:06 +0530, Chetan Jain wrote:
> Hi Olav,
>
> I seems successfactors are now getting the saml response. Now we're not
> even getting the successfactors login page, but some simplesaml error..
> This is what i see after the saml response sent to successfactors in the
> /var/log/messages...

> Also, I have sent them the issuer as
> http://saml.client.com/simplesaml/saml2/idp/metadata.php is this correct?.

It depends on your configuration. It is correct in the default
configuration.

> :19:04 saml simplesamlphp[2665]: 6 [ab4d77ad3f] SAML2.0 - IdP.SSOService:
> Accessing SAML 2.0 IdP endpoint SSOService
> :19:04 saml simplesamlphp[2665]: 6 [ab4d77ad3f] SAML2.0 - IdP.SSOService:
> Accessing SAML 2.0 IdP endpoint SSOService

You appear to have something strange in your configuration, since
everything is logged twice.

[...]


> :19:04 saml simplesamlphp[2665]: 3 [ab4d77ad3f] Caused by: Exception:
> Unable to find the current binding.

The IdP was unable to determine the "binding" used when accessing the
SSOService endpoint. Probably a missing query parameter or something
like that.

Chetan Jain

Feb 6, 2012, 4:13:14 AM
to simple...@googlegroups.com
This is the configuration I changed in the default install...
 
 
 cat saml20-idp-hosted.php

<?php
$metadata['__DYNAMIC:1__'] = array(
'host' => '__DEFAULT__',
'privatekey' => 'SFactorsidp.key',
'certificate' => 'SFactoridp.crt',

'privatekey_pass' => '123456',
'auth' => 'Radius',
'RelayState' => 'https://pm.sf.com/xi/ui/home/pages/home.xhtml',
'authority' => 'login'
);
 cat saml20-sp-remote.php
<?php
 $metadata['successfactors.com'] = array(
'AssertionConsumerService' => 'https://pm.sf.com/saml2/SAMLAssertionConsumer?company=clientTest',
'SingleLogoutService' => 'https://pm.sf.com/saml2/LogoutServiceHTTPRedirectResponse?company=clientTest',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',

'simplesaml.nameidattribute' => 'uid',
'simplesaml.attributes' => FALSE,
);
 
cat authsources.php
 
<?php
$config = array(
    'Radius' => array(
    'radius:Radius',
'hostname' => 'radiusserver',
'port' => 1645,
'secret' => 'secret',
'username_attribute' => 'uid',
),
);
cat config.php
 
 
<?php
$config = array (
        'baseurlpath'           => 'simplesaml/',
        'certdir'               => 'cert/',
        'loggingdir'            => 'log/',
        'datadir'               => 'data/',
        'tempdir'               => '/tmp/simplesaml',

        'debug' => TRUE,
        'showerrors'            =>      TRUE,
        'debug.validatexml' => FALSE,
        'auth.adminpassword'            => '123456789',
        'admin.protectindexpage'        => FALSE,
        'admin.protectmetadata'         => FALSE,
        'secretsalt' => 'thisismysecretsalt',
        'technicalcontact_name'     => 'Saml-Admin',
        'technicalcontact_email'    => 'ad...@client.com',
        'timezone' => NULL,
        'logging.level'         => LOG_DEBUG,
        'logging.handler'       => 'syslog',
        'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER,
        'logging.processname' => 'simplesamlphp',
        'logging.logfile'               => 'simplesamlphp.log',

        'enable.saml20-idp'             => true,
        'enable.shib13-idp'             => false,
        'enable.adfs-idp'               => false,
        'enable.wsfed-sp'               => false,
        'enable.authmemcookie' => false,
 
        'session.cookie.lifetime' => 0,
        'session.cookie.path' => '/',
        'session.cookie.domain' => NULL,
        'session.cookie.secure' => FALSE,
        'session.phpsession.cookiename'  => null,
        'session.phpsession.savepath'    => null,
        'session.phpsession.httponly'    => FALSE,
        'language.default'              => 'en',
        'attributes.extradictionary' => NULL,
        'theme.use'             => 'default',

        'default-wsfed-idp'     => 'urn:federation:pingfederate:localhost',
        'idpdisco.enableremember' => TRUE,
        'idpdisco.rememberchecked' => TRUE,
        // Disco service only accepts entities it knows.
        'idpdisco.validate' => TRUE,
        'idpdisco.extDiscoveryStorage' => NULL,
        'idpdisco.layout' => 'dropdown',
        'shib13.signresponse' => TRUE,
        'authproc.idp' => array(
                10 => array(
                        'class' => 'core:AttributeMap', 'addurnprefix'
                ),
                20 => 'core:TargetedID',
                // Adopts language from attribute to use in UI
                30 => 'core:LanguageAdaptor',
                40 => 'core:AttributeRealm',
                45 => array(
                        'class' => 'core:StatisticsWithAttribute',
                        'attributename' => 'realm',
                        'type' => 'saml20-idp-SSO',
                ),
                50 => 'core:AttributeLimit',
                60 => array(
                        'class'         => 'core:AttributeAlter',
                        'pattern'       => '/OU=studerende/',
                        'replacement'   => 'Student',
                        'subject'       => 'distinguishedName',
                        '%replace',
                ),
                90 => array(
                        'class'         => 'consent:Consent',
                        'store'         => 'consent:Cookie',
                        'focus'         => 'yes',
                        'checked'       => TRUE
                ),
                // If language is set in Consent module it will be added as an attribute.
                99 => 'core:LanguageAdaptor',
        ),
        'authproc.sp' => array(
                10 => array(
                        'class' => 'core:AttributeMap', 'removeurnprefix'
                ),
                50 => 'core:AttributeLimit',
                60 => array('class' => 'core:GenerateGroups', 'eduPersonAffiliation'),
                // All users will be members of 'users' and 'members'
                61 => array('class' => 'core:AttributeAdd', 'groups' => array('users', 'members')),
                // Adopts language from attribute to use in UI
                90 => 'core:LanguageAdaptor',
        ),

        'metadata.sources' => array(
                array('type' => 'flatfile'),
        ),
        'store.type' => 'phpsession',
        'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3',
        'store.sql.username' => NULL,
        'store.sql.password' => NULL,
        'store.sql.prefix' => 'simpleSAMLphp',
        'memcache_store.servers' => array(
                array(
                        array('hostname' => 'localhost'),
                ),
        ),
        'metadata.sign.enable' => FALSE,
        'metadata.sign.privatekey' => NULL,
        'metadata.sign.privatekey_pass' => NULL,
        'metadata.sign.certificate' => NULL,
        'proxy' => NULL,
);
 
Do you see any issues with the configuration...
 
Chetan Jain.
 

Olav Morken

Feb 6, 2012, 7:44:53 AM
to simple...@googlegroups.com
On Mon, Feb 06, 2012 at 14:43:14 +0530, Chetan Jain wrote:
> This is the configuration i changed in default install...
>
>
> cat saml20-idp-hosted.php
>
> <?php

> $metadata['__DYNAMIC:1__'] = array(
> 'host' => '__DEFAULT__',
> 'privatekey' => 'SFactorsidp.key',
> 'certificate' => 'SFactoridp.crt',
> 'privatekey_pass' => '123456',
> 'auth' => 'Radius',
> 'RelayState' => 'https://pm.sf.com/xi/ui/home/pages/home.xhtml',

This parameter is ignored for saml20-idp-hosted.

> 'authority' => 'login'

This one isn't used for IdPs configured with config/authsources.php.


> Do you see any issues with the configuration...

I'm not about to read through your entire configuration without
looking for a specific error :)

Are you experiencing any specific errors?

Chetan Jain

Feb 6, 2012, 10:58:55 AM
to simple...@googlegroups.com
Hi Olav,
 
Binding??? Missing query parameter?? Any help... Is it at the Service Provider side or on the IdP side...
 
I didn't change any configuration on my side; earlier I used to get the SuccessFactors login page, but now after the POST I get this error and it's not redirecting to the SuccessFactors page...
 
Chetan Jain.


 

Olav Morken

Feb 7, 2012, 2:28:08 AM
to simple...@googlegroups.com
On Mon, Feb 06, 2012 at 21:28:55 +0530, Chetan Jain wrote:
> Hi Olav,
>
> Binding???,

As in "SAML 2.0 binding", the method that is used to transport SAML 2.0
messages over various channels. See:

http://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf

> Missing query parameter??

I should maybe have said "request parameter" here, as it is more
generic than "query parameter". The code that determines the current
binding looks at the request method and the request parameters to make
an educated guess as to which SAML 2.0 binding was used to send the
message.

(To support IdP initiated SSO, the SSOService endpoint also looks for a
"spentityid" parameter as an alternative. That is not standardized, and
isn't a part of the normal SAML 2.0 bindings.)

> Any help... Is it at the Service
> Provider side or on Idp side...

That depends :)

For some reason your web browser ends up sending a request to the
SingleSignOnService endpoint that simpleSAMLphp is unable to determine
what to do about. The question is why the web browser ends up doing
that.

> I didn't change any configuration on my side, earlier i used to get the
> successfactors login page but now after the POST

After which POST? The login form? The HTTP-POST binding used to send
authentication responses from the IdP to the SP? Some other POST?

>, I get this error and not
> redirecting to the successfactors page...

I suggest you look at the requests your browser makes, and try to
determine what page is sending you to the SingleSignOnService endpoint,
and why that page makes that decision. If you are using Firefox, you
may want to test the SAML tracer add-on:

https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

This is an add-on that we developed that also decodes SAML 2.0 messages
sent through the browser.
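To make the "educated guess" Olav describes concrete, here is an added Python model of how an SSOService endpoint decides which binding a request used, with the non-standard spentityid shortcut checked first. It is not simpleSAMLphp's code: the Request class, function names and the three modelled bindings are simplifications, and the request trace is constructed to mirror the SAML tracer output Chetan posts further down the thread.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """One browser request as a SAML tracer would show it (constructed model)."""
    method: str
    url: str
    form: dict = field(default_factory=dict)  # decoded POST body fields

    @property
    def query(self) -> dict:
        """Query-string parameters, first value only."""
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}

    @property
    def path(self) -> str:
        return urlsplit(self.url).path


class BindingNotFound(Exception):
    """Stands in for simpleSAMLphp's 'Unable to find the current binding.'"""


def guess_binding(req: Request) -> str:
    """Guess the SAML 2.0 binding from the request method and its parameters.

    Simplified model (assumption): only the front-channel bindings are covered.
    A request carrying no SAML message at all cannot be matched to any binding.
    """
    if req.method == "GET":
        params = req.query
        if "SAMLRequest" in params or "SAMLResponse" in params:
            return "HTTP-Redirect"
        if "SAMLart" in params:
            return "HTTP-Artifact"
    elif req.method == "POST":
        params = req.form
        if "SAMLRequest" in params or "SAMLResponse" in params:
            return "HTTP-POST"
        if "SAMLart" in params:
            return "HTTP-Artifact"
    raise BindingNotFound("Unable to find the current binding.")


def sso_service(req: Request) -> str:
    """What an SSOService endpoint concludes about one incoming request.

    The spentityid parameter is looked for before any binding guess, because an
    IdP-initiated request carries no AuthnRequest to decode.
    """
    if req.method == "GET" and "spentityid" in req.query:
        return "idp-initiated for " + req.query["spentityid"]
    try:
        return "authn request via " + guess_binding(req)
    except BindingNotFound as exc:
        return "error: " + str(exc)


def analyse_trace(trace: list) -> list:
    """Run every request that hits an SSOService endpoint through sso_service()."""
    return [(req.method, req.url, sso_service(req))
            for req in trace if req.path.endswith("/SSOService.php")]


# Constructed trace mirroring the SAML tracer output posted in this thread;
# the POST bodies are placeholders, not captured data.
TRACE = [
    Request("GET", "http://saml.client.com/simplesaml/saml2/idp/SSOService.php"
                   "?spentityid=www.successfactors.com"),
    Request("POST", "http://saml.client.com/simplesaml/module.php/core/loginuserpass.php?",
            form={"username": "samluser", "password": "<not captured>"}),
    Request("POST", "https://performancemanager4.successfactors.com/saml2/"
                    "SAMLAssertionConsumer?company=clientTest",
            form={"SAMLResponse": "<base64 placeholder>"}),
    # The SP sends the browser back to the IdP with no parameters at all.
    Request("GET", "http://saml.client.com/simplesaml/saml2/idp/SSOService.php"),
]

if __name__ == "__main__":
    for method, url, verdict in analyse_trace(TRACE):
        print(method, url, "->", verdict)
```

The first SSOService hit is recognised as IdP-initiated; the last one, a bare GET with neither spentityid nor a SAML message, is exactly the request that produces the exception in the log above.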

Chetan Jain

Feb 10, 2012, 11:01:46 PM
to simple...@googlegroups.com
Hi,
 

> I didn't change any configuration on my side, earlier i used to get the
> successfactors login page but now after the POST

> After which POST? The login form? The HTTP-POST binding used to send
> authentication responses from the IdP to the SP? Some other POST?

The HTTP POST from IdP to SP.... Here's the output from SAML tracer...
 
GET http://saml.client.com/simplesaml/saml2/idp/SSOService.php?spentityid=www.successfactors.com HTTP/1.1
POST http://saml.client.com/simplesaml/module.php/core/loginuserpass.php? HTTP/1.1
( Referer: http://saml.client.com/simplesaml/module.php/core/loginuserpass.php?AuthState=_2448c08a68f2d0e45c81441eeb3f73f57c137167f6%3Ahttp%3A%2F%2Fsaml.client.com%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3Dwww.successfactors.com%26cookieTime%3D1328930369 )
POST https://performancemanager4.successfactors.com/saml2/SAMLAssertionConsumer?company=clientTest HTTP/1.1
( Referer: http://saml.client.com/simplesaml/module.php/core/loginuserpass.php? )
GET http://saml.client.com/simplesaml/saml2/idp/SSOService.php HTTP/1.1
( Referer: http://saml.client.com/simplesaml/module.php/core/loginuserpass.php? )
 
--- Also, I see one of their requirement is 

They currently
require the AttributeStatement

<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml:Attribute Name="password"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">lhadley</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

How do I specify this in sp-remote.php?
------------------------------------------------
 Settings provided by Successfactors :
-------------------------------------------------
SuccessFactors Entity ID
https://www.successfactors.com <https://www.successfactors.com>
SuccessFactors Certificate for Optional Encryption of Assertion. Sent as separate attachment SFAdmin.txt
Consumer Service URL
https://performancemanager4.successfactors.com/saml2/SAMLAssertionConsumer?company=clientTest
Optional Global Logout Response Handler URL
https://performancemanager4.successfactors.com/saml2/LogoutServiceHTTPRedirectResponse?company=clientTest
RelayState
monitor is configured for Ultra
https://performancemanager4.successfactors.com/xi/ui/home/pages/home.xhtml
Chetan Jain.     

Olav Morken

Feb 13, 2012, 3:19:24 AM
to simple...@googlegroups.com
On Sat, Feb 11, 2012 at 09:31:46 +0530, Chetan Jain wrote:
> Hi,
>
>
> > I didn't change any configuration on my side, earlier i used to get the
> > successfactors login page but now after the POST
>
> After which POST? The login form? The HTTP-POST binding used to send
> authentication responses from the IdP to the SP? Some other POST?
> The HTTP Post from IdP to SP.... Here's the output from samltracer...

[...]
> POST https://performancemanager4.successfactors.com/saml2/SAMLAssertionConsumer?company=clientTest
> HTTP/1.1
[...]
> GET http://saml.client.com/simplesaml/saml2/idp/SSOService.php HTTP/1.1

So, the SP redirects back to the IdP after receiving an authentication
response. You need to find out why it does that, as that is not part of
the normal IdP-initiated authentication flow.

> --- Also, I see one of their requirement is


>
>
> They currently
> require the AttributeStatement
> <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>
> xmlns:xs="http://www.w3.org/2001/XMLSchema">
>
> <saml:Attribute
> Name="password"

Hmmm.. The SP required to receive the user's password as an attribute?
Not supported directly by simpleSAMLphp. Depending on the
authentication source you are using, you may be able to add it to the
attributes that are sent, but it looks rather strange to me.

Chetan Jain

Feb 13, 2012, 8:01:20 AM
to simple...@googlegroups.com
Hi,
 
Successfactors now see this...
 
[dc4vmsol06a/10.4.36.82][companyId:clientTest][issuer:http://saml.client.com/simplesaml/saml2/idp/metadata.php] The replayState '' [ ] is invalid. It must start with '/' or be a valid URL and from a safe domain
 
So, do I have to configure the instance at our end with SP support and provide the RelayState parameter, or just include it in the browser link..
 
 
 
The relay state parameter to be provided is
 
 
 
Chetan Jain.

Olav Morken

Feb 13, 2012, 8:13:43 AM
to simple...@googlegroups.com
On Mon, Feb 13, 2012 at 18:31:20 +0530, Chetan Jain wrote:
> Hi,
>
> Successfactors now see this...
>
> [dc4vmsol06a/10.4.36.82][companyId:clientTest][issuer:
> http://saml.client.com/simplesaml/saml2/idp/metadata.php] The replayState
> '' [ ] is invalid. It must start with '/' or be a valid URL and from a safe
> domain
>
> So, do i have to configure the instance at our end with SP support and
> provide the Relaystate parameter or just include it in the browser link..

Including it in the link is the normal way to do it when you are using
IdP initiated authentication.
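Worked example, added here and not taken from the thread or from simpleSAMLphp or SuccessFactors code: building the IdP-initiated link with the RelayState inside it, as Olav suggests, and the SP-side acceptance rule that the SuccessFactors error above spells out (must start with '/' or be a valid URL from a safe domain). The endpoint, entity ID and home URL are the ones posted in the thread; the SAFE_DOMAINS allowlist and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values as posted in this thread; SAFE_DOMAINS is an assumed SP-side allowlist.
IDP_SSO_ENDPOINT = "https://saml.client.com/simplesaml/saml2/idp/SSOService.php"
SP_ENTITY_ID = "https://www.successfactors.com"
SP_HOME = "https://performancemanager4.successfactors.com/xi/ui/home/pages/home.xhtml"
SAFE_DOMAINS = ("successfactors.com",)


def idp_initiated_url(sso_endpoint, sp_entity_id, relay_state=None):
    """Build the link a user follows for IdP-initiated SSO.

    urlencode() percent-encodes both values, so an entity ID or RelayState that
    is itself a URL survives the trip through the query string intact.
    """
    params = {"spentityid": sp_entity_id}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_endpoint + "?" + urlencode(params)


def relay_state_from_url(url):
    """Recover the decoded RelayState as the IdP endpoint sees it ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("RelayState", [""])[0]


def relay_state_is_safe(relay_state, safe_domains=SAFE_DOMAINS):
    """SP-side acceptance rule quoted in the thread: the value must start with
    '/' or be a valid http(s) URL on an allow-listed domain.

    Refusing everything else is what keeps an attacker-supplied RelayState from
    turning the post-login redirect into an open redirect.
    """
    if not relay_state:
        return False  # '' is what produced "The replayState '' [ ] is invalid"
    if relay_state.startswith("/"):
        # '//host/path' is scheme-relative, i.e. an external URL, not a local path
        return not relay_state.startswith("//")
    parts = urlsplit(relay_state)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == d or host.endswith("." + d) for d in safe_domains)


def check_link(url):
    """End to end: the RelayState carried by an IdP-initiated link and whether
    the SP would accept it. Returns (relay_state, accepted)."""
    relay_state = relay_state_from_url(url)
    return relay_state, relay_state_is_safe(relay_state)


if __name__ == "__main__":
    link = idp_initiated_url(IDP_SSO_ENDPOINT, SP_ENTITY_ID, SP_HOME)
    print(link)
    print(check_link(link))
    print(check_link(idp_initiated_url(IDP_SSO_ENDPOINT, SP_ENTITY_ID)))
```

The link without a RelayState reproduces the empty-value rejection from the SuccessFactors log; the one with SP_HOME round-trips through the query string and passes the allowlist.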
