SimpleSAMLPHP as an IDP with LDAP integration


Ganesh venu

Jul 29, 2016, 12:14:11 PM
to SimpleSAMLphp
Hi Team,

I would like to use SimpleSAMLPHP as an IDP with LDAP integration for SSO. I am uncertain about what steps are involved in this process and what needs to be done for SSO integration with LDAP using SimpleSAMLPHP as an IDP.

Can you please help me with the steps that I need to follow to configure it, as well as what needs to be done on the PHP side?

Right now I am following this URL: https://www.small-improvements.com/documentation/simplesamlphp

Thanks in advance.
Ganesh Venugopal.

Peter Schober

Jul 29, 2016, 12:53:24 PM
to SimpleSAMLphp
* Ganesh venu <vgane...@gmail.com> [2016-07-29 18:14]:
> I would like to use *SimpleSAMLPHP as an IDP with LDAP integration for SSO.
> I am uncertain like what are the steps involved in this process, what
> needs to be done for SSO integration with LDAP using SimpleSAMLPHP as an
> IDP.
>
> Can you please help me out the steps that I need to follow to configure it
> as well as what needs to be done in PHP side.
>
> Right now I am following this URL:
> https://www.small-improvements.com/documentation/simplesamlphp

Probably not surprising we'd suggest using the SimpleSAMLphp
documentation if you intend to get support from this forum.
(Alternatively you can try sending support requests for the
documentation above to the people who created it).

First install the software:
https://simplesamlphp.org/docs/stable/simplesamlphp-install

Then configure as SAML IDP:
https://simplesamlphp.org/docs/stable/simplesamlphp-idp

Here's the documentation for LDAP integration:
https://simplesamlphp.org/docs/stable/ldap:ldap

Follow all the steps in all the above URLs, if you can't complete a
step successfully come back here with concrete questions.

-peter

Ganesh venu

Aug 1, 2016, 9:05:53 AM
to simple...@googlegroups.com
Hi Peter,

Thanks for the reply.

My request is: I need IdP-initiated SSO to connect to the Service Provider.

So I have installed SimpleSAMLPHP and tried to configure LDAP. Please find my configuration below.

Now how do I test the configuration to make sure things are fine, and how do I create a SAML request to initiate SSO to connect to the Service Provider?

'example-ldap' => array(
        'ldap:LDAP',

        // Give the user an option to save their username for future login attempts
        // And when enabled, what should the default be, to save the username or not
        //'remember.username.enabled' => FALSE,
        //'remember.username.checked' => FALSE,

        // The hostname of the LDAP server.
        'hostname' => 'xxxx://xxxx-xx.xx.xxxx',

        // Whether SSL/TLS should be used when contacting the LDAP server.
        'enable_tls' => FALSE,

        // Whether debug output from the LDAP library should be enabled.
        // Default is FALSE.
        'debug' => FALSE,

        // The timeout for accessing the LDAP server, in seconds.
        // The default is 0, which means no timeout.
        'timeout' => 0,

        // The port used when accessing the LDAP server.
        // The default is 389.
        'port' => 636,

        // Set whether to follow referrals. AD Controllers may require FALSE to function.
        'referrals' => TRUE,

        // Which attributes should be retrieved from the LDAP server.
        // This can be an array of attribute names, or NULL, in which case
        // all attributes are fetched.
        'attributes' => NULL,

        // The pattern which should be used to create the users DN given the username.
        // %username% in this pattern will be replaced with the users username.
        //
        // This option is not used if the search.enable option is set to TRUE.
        'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=org',

        // As an alternative to specifying a pattern for the users DN, it is possible to
        // search for the username in a set of attributes. This is enabled by this option.
        'search.enable' => FALSE,

        // The DN which will be used as a base for the search.
        // This can be a single string, in which case only that DN is searched, or an
        // array of strings, in which case they will be searched in the order given.
        'search.base' => 'xxx,xxxx',

        // The attribute(s) the username should match against.
        //
        // This is an array with one or more attribute names. Any of the attributes in
        // the array may match the value of the username.
        'search.attributes' => array('uid', 'mail'),

        // The username & password the SimpleSAMLphp should bind to before searching. If
        // this is left as NULL, no bind will be performed before searching.
        'search.username' => 'xxxxx,xxx,xx,xxx,xxx',
        'search.password' => 'xxxx',

        // If the directory uses privilege separation,
        // the authenticated user may not be able to retrieve
        // all required attributes, a privileged entity is required
        // to get them. This is enabled with this option.
        'priv.read' => FALSE,

        // The DN & password the SimpleSAMLphp should bind to before
        // retrieving attributes. These options are required if
        // 'priv.read' is set to TRUE.
        'priv.username' => NULL,
        'priv.password' => NULL,

    ),

Thanks in advance for the help :)

--
Thanks & Regards,
Ganesh Venugopal.

Jaime Perez Crespo

Aug 1, 2016, 9:15:28 AM
to simple...@googlegroups.com
https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_11

On 01 Aug 2016, at 15:05 PM, Ganesh venu <vgane...@gmail.com> wrote:
> Hi Peter,
>
> Thanks for the reply.
>
> My request is: I need IDP initiated SSO to connect Service provider.
>
> So I have installed SimpleSAMLPHP and tried to configure LDAP. Please find my configuration below.
>
> Now how do I test the configuration to make sure things are fine, and how do I create a SAML request to initiate SSO to connect to the Service Provider?

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Ganesh venu

Aug 1, 2016, 10:04:37 AM
to SimpleSAMLphp
Hi Jaime,

Thanks for posting the URL, I have already gone through this URL but I could not get what I want.

I have a sample URL, can you please let me know what are the inputs that we need to supply in this query string?

URL: https://test.site.com/simplesamlphp-1/www/saml2/idp/SSOService.php?providerId=urn:oasis:names:tc:SAML:2.0:attrname-format:uri&shire=https://xxx.xxxxxx.com/&target=https://xxx.xxxxxx.com/EasyConnect/ACS/Post.aspx

Can you please let me know what inputs I have to supply for the below parameters?
1. providerID=
2. shire=
3. target=

Jaime Perez Crespo

Aug 1, 2016, 10:21:31 AM
to simple...@googlegroups.com
Hi,

On 01 Aug 2016, at 16:04 PM, Ganesh venu <vgane...@gmail.com> wrote:
> Hi Jaime,
>
> Thanks for posting the URL, I have already gone through this URL but I could not get what I want.

No, according to the example you are posting, you haven’t. You probably followed this:

https://simplesamlphp.org/docs/stable/simplesamlphp-idp-more#section_4

Which is not the link I posted.

In any case, you are following the SAML 1.1 standard, which is quite nonsense now that SAML 2.0 has been around for more than ten years. Read the documentation I pointed to:

https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_11

The only thing you need, strictly, is the entity ID of the service provider, as the value of the “spentityid” parameter. You can also add a RelayState with the location where you want the user to be redirected after authentication, in case you agreed on that with the SP.
Where did you get that value for the “providerId”? That’s a URN identifying one attribute format, not an entity ID. The documentation you were following is pretty clear about that:

> providerID
> The entityID of the SP. This parameter is required.


Regarding “shire” and “target”, you have them switched. Again, the documentation you were presumably following, says:

> shire
> The AssertionConsumerService endpoint of the SP. This parameter is required.

I would assume the URL you have in “target” is the AssertionConsumerService endpoint of the SP, especially given that it has the string “ACS” in it. I would also assume you got that either from the metadata of the SP, or because the SP told you to use that as the AssertionConsumerService.

> Can you please let me know what are the inputs I have supply for the below parameters?
> 1. providerID=
> 2. shire=
> 3. target=

Nothing. Forget about SAML 1.1 and use 2.0. Follow the link I provided, or the first part of the documentation you are reading, that’s not regarding SAML 1.1. It doesn’t really matter.

Ganesh venu

Aug 2, 2016, 3:00:16 AM
to SimpleSAMLphp
Hi Jaime,

Thanks for pointing out where I am going wrong. I have used the latest 2.0 documentation you provided and I am trying to set up the configuration part, where I got confused. Kindly clarify it.

Scenario:
a. From my Drupal website, I need to do IDP initiated SSO integration to Service provider - I am trying to edit the configurations in the below files
    1. simplesamlphp-1\config\config.php = 'enable.saml20-idp' => true, 'auth.adminpassword' => 'xxxxxx'.
    2. simplesamlphp-1\config\authsources.php


'example-ldap' => array(
        'ldap:LDAP',

        // Give the user an option to save their username for future login attempts
        // And when enabled, what should the default be, to save the username or not
        //'remember.username.enabled' => FALSE,
        //'remember.username.checked' => FALSE,

        // The hostname of the LDAP server.
        'hostname' => 'xxxxxxxxxxxxxxxxxxx',
        'search.base' => 'xxxxxxxxx',


        // The attribute(s) the username should match against.
        //
        // This is an array with one or more attribute names. Any of the attributes in
        // the array may match the value of the username.
        'search.attributes' => array('uid', 'mail'),

        // The username & password the SimpleSAMLphp should bind to before searching. If
        // this is left as NULL, no bind will be performed before searching.
        'search.username' => 'xxxxxxxxxxxxxxx',
        'search.password' => 'xxxxxxxx',


        // If the directory uses privilege separation,
        // the authenticated user may not be able to retrieve
        // all required attributes, a privileged entity is required
        // to get them. This is enabled with this option.
        'priv.read' => FALSE,

        // The DN & password the SimpleSAMLphp should bind to before
        // retrieving attributes. These options are required if
        // 'priv.read' is set to TRUE.
        'priv.username' => NULL,
        'priv.password' => NULL,

    ),
     3. simplesamlphp-1\metadata\saml20-idp-hosted.php [for IDP initiated configuration]

$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',

    // X.509 key and certificate. Relative to the cert directory.
    'privatekey'   => 'my.key',
    'certificate'  => 'my.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-ldap',
   
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),

);

    4. simplesamlphp-1\metadata\saml20-sp-remote.php [Service provider URLs to reach out]

$metadata['https://xxx.xxxxx.com/'] = array(
    'AssertionConsumerService' => 'https://xxx.xxxxxxxxxx.com/xxxxxxxx/ACS/Post.aspx',  
);

***In the above metadata['xxxxxx'] = do I need to specify the domain of my service provider, or is it the endpoint that they shared?
***In the above AssertionConsumerService = Do I need to provide the target URL? Should I get this target URL from the Service Provider?

    5. Should I supply SAMLResponse, RelayState, token etc. via <form> hidden inputs to the endpoint URL of the service provider, or how do I take it further?

NOTE: Please let me know if I missed anything in the above, or if there is anything I should add.

Sorry for too many questions; I am very new to SimpleSAMLPHP, so I wanted to get a clear idea of what I am doing.

Thank you so much for all the response you provided.

Thanks in advance..

Jaime Perez Crespo

Aug 2, 2016, 3:35:27 AM
to simple...@googlegroups.com
Hi Ganesh,

On 02 Aug 2016, at 09:00 AM, Ganesh venu <vgane...@gmail.com> wrote:
> Hi Jaime,
>
> Thanks for pointing out where I am going wrong. I have used the latest 2.0 documentation you provided and I am trying to set up the configuration part, where I got confused. Kindly clarify it.
>
> 3. simplesamlphp-1\metadata\saml20-idp-hosted.php [for IDP initiated configuration]

This is not “for IdP initiated configuration”. You _always_ need to configure your own metadata, because that’s the way to configure your own SAML IdP. Other than that, looks good.

> 4. simplesamlphp-1\metadata\saml20-sp-remote.php [Service provider URLs to reach out]

And here, what you configure is not “URLs” for the service provider, you configure its metadata. In SAML, all the configuration is done via metadata. The first thing you should have done is to exchange metadata with the Service Provider.

> $metadata['https://xxx.xxxxx.com/'] = array(
> 'AssertionConsumerService' => 'https://xxx.xxxxxxxxxx.com/xxxxxxxx/ACS/Post.aspx',
> );

This is _extremely_ minimal configuration. You probably would want to use something else.

> ***In the above metadata['xxxxxx'] = do I need to specify the domain of my service provider, or is it the endpoint that they shared?

None. You need to specify the entity ID of the Service Provider.

> ***In the above AssertionConsumerService = Do I need to provide the target URL? Should I get this target URL from the Service Provider?

No, as the name indicates, you need to provide the Assertion Consumer Service URL.

Why don’t you just follow the documentation? It’s going to be much easier:

https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_7

"The identity provider you are configuring needs to know about the service providers you are going to connect to it. This is configured by metadata stored in metadata/saml20-sp-remote.php and metadata/shib13-sp-remote.php.”

"Note that the URI in the entityID and the URLs to the AssertionConsumerService and SingleLogoutService endpoints change between different service providers. If you have the metadata of the remote SP as an XML file, you can use the built-in XML to SimpleSAMLphp metadata converter, which by default is available as /admin/metadata-converter.php in your SimpleSAMLphp installation.”

So do as it says. Get the metadata from the Service Provider, paste it into the metadata converter in the web interface, copy the resulting PHP code that you get in return, and paste it into the saml20-sp-remote.php file.

> 5. Should I supply SAMLResponse, RelayState, token etc. via <form> hidden inputs to the endpoint URL of the service provider, or how do I take it further?

Well, if you want to implement SAML, yes. But I would assume you don’t want to do that, or you wouldn’t be using a third party library that does that for you, right? ;-)

Again, just follow the documentation. In the previous mails I pointed you to the documentation that tells you how to initiate an IdP-first flow with your SP. Of course that’s assuming you have everything else already configured, but anyway...

Ganesh venu

Aug 2, 2016, 9:32:50 AM
to SimpleSAMLphp

Hi Jaime,

As per your last email, I have made certain changes in my configs. Kindly check and let me know whether I understood and did it correctly or not. If not, kindly provide some examples of what I need to set in my config, please.

My replies to the points below are marked in a different color.


>> 3. simplesamlphp-1\metadata\saml20-idp-hosted.php [for IDP initiated configuration]
>
> This is not “for IdP initiated configuration”. You _always_ need to configure your own metadata, because that’s the way to configure your own SAML IdP. Other than that, looks good.

I have copied my latest saml20-idp-hosted.php file, please have a look and correct me if I am wrong.

$metadata['my.drupal.site.domain.name'] = array(

    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',

    // X.509 key and certificate. Relative to the cert directory.
    'privatekey'   => 'my.key',
    'certificate'  => 'my.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-ldap',
   
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),
);

** If I change host name then I could not see "SAML 2.0 IdP Metadata", attached screen shot at the top.


>> 4. simplesamlphp-1\metadata\saml20-sp-remote.php [Service provider URLs to reach out]
>
> And here, what you configure is not “URLs” for the service provider, you configure its metadata. In SAML, all the configuration is done via metadata. The first thing you should have done is to exchange metadata with the Service Provider.
>
>> $metadata['https://xxx.xxxxx.com/'] = array(
>>     'AssertionConsumerService' => 'https://xxx.xxxxxxxxxx.com/xxxxxxxx/ACS/Post.aspx',
>> );
>
> This is _extremely_ minimal configuration. You probably would want to use something else.

I have received a sample XML file and I tried to do 'XML to SimpleSAMLphp metadata converter', but I received an error message. Attached screenshot of the error.


>> ***In the above metadata['xxxxxx'] = do I need to specify the domain of my service provider, or is it the endpoint that they shared?
>
> None. You need to specify the entity ID of the Service Provider.

What is the entity ID here? Will I get this from the service provider?

> Again, just follow the documentation. In the previous mails I pointed you to the documentation that tells you how to initiate an IdP-first flow with your SP. Of course that’s assuming you have everything else already configured, but anyway...

Is there any other config that I have to do? Because in the above line you have mentioned "Of course that’s assuming you have everything else already configured".

Please help me out to complete it.

Thanks in advance.

Jaime Perez Crespo

Aug 2, 2016, 10:10:48 AM
to simple...@googlegroups.com
Hi again,

Please, try to just use plain text when replying here (well, and to emails in general). Many people use email clients that don’t support HTML or have it disabled, and then it’s impossible to discern between the quoted text and your responses. Just use plain text and regular quotations, starting any line you want to quote with a “>” sign. If you want to keep a previous quote, just increment the level of indentation with “>>”. Most email clients handle this automatically for you.

I’ll reply inline:

On 02 Aug 2016, at 15:32 PM, Ganesh venu <vgane...@gmail.com> wrote:
> Hi Jaime,
>
> As per your last email, I have made certain changes in my configs. Kindly check and let me know whether I understood and did it correctly or not. If not, kindly provide some examples of what I need to set in my config, please.
>
> My replies to the points below are marked in a different color.
>
> > 3. simplesamlphp-1\metadata\saml20-idp-hosted.php [for IDP initiated configuration]
>
>> This is not “for IdP initiated configuration”. You _always_ need to configure your own metadata, because that’s the way to configure your own SAML IdP. Other than that, looks good.
> I have copied my latest saml20-idp-hosted.php file, please have a look and correct me if I am wrong.

Actually, nobody can tell you whether something is right or wrong for most of the options. For example, I don’t know if “my.key” is your private key and it’s available in the “cert” directory, and the same applies to “my.crt” as your certificate. For most of the configuration, only you can tell if it’s right or not. If it’s not and you can’t tell yourself, the log should help you out.

> $metadata['my.drupal.site.domain.name'] = array(

Why “my.drupal.site.domain.name”? Aren’t you setting up an IdP? What does drupal have to do in all this? Besides, you really don’t need to specify your own entity ID here, and if you do, it shouldn’t be a hostname, and you must also then configure the “entityID” configuration option in your authsource to match the one you specify here.

> ** If I change host name then I could not see "SAML 2.0 IdP Metadata", attached screen shot at the top.

What does “host name” mean here? You mean the index of the $metadata array? That’s probably because you didn’t specify the entityID to use in your auth source, as I said before. Just don’t touch the index of the array, SimpleSAMLphp will generate a unique entity ID for you.

> I have received a sample XML file and I tried to do 'XML to SimpleSAMLphp metadata converter', but I received an error message. Attached screenshot of the error.

The metadata converter is complaining because you passed a SAML response to it, which is NOT SAML metadata. SAML requests and responses are the minimal parts of the SAML protocol. SAML metadata is something else.

Did you receive this from the Service Provider? Did you ask for their SAML metadata? If you did, and they sent you a SAML response back, they clearly have no idea of what they are doing, which does not help here...

>> ***In the above metadata['xxxxxx'] = do I need to specify the domain of my service provider, or is it the endpoint that they shared?
>
>> None. You need to specify the entity ID of the Service Provider.
> What is the entity ID here? Will I get this from the service provider?

An entity ID is a unique identifier for a SAML entity. You don’t even need to know it. If you parse their metadata with the metadata converter, you will get it from there, and what you will get back will be enough to get you going. But you need to get the metadata from the SP. If they don’t know what their metadata is or how to obtain it, they certainly won’t be able to use SAML with no one else.

>> Again, just follow the documentation. In the previous mails I pointed you to the documentation that tells you how to initiate an IdP-first flow with your SP. Of course that’s assuming you have everything else already configured, but anyway…
> Is there any other config that I have to do? Because in the above line you have mentioned "Of course that’s assuming you have everything else already configured".

No, I was just talking in general, meaning your metadata, the SP’s metadata, and the general configuration. From what I see, your configuration / own IdP metadata is still wrong, and you don’t even have metadata for the SP, so there’s still a lot to do for you...
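The metadata step Jaime describes (obtain the SP's SAML metadata, convert it, and paste the resulting array into saml20-sp-remote.php), together with the failure mode above where a SAML Response was pasted instead of metadata, as an added PHP example. This is not SimpleSAMLphp's own converter code; the sample EntityDescriptor, its hostnames and the function name spMetadataToArray are constructed for illustration.

```php
<?php
// Added example (not SimpleSAMLphp code): reduce a SAML 2.0 SP EntityDescriptor
// to the array shape used in metadata/saml20-sp-remote.php, and reject input
// that is a SAML protocol message (samlp:Response) rather than metadata.

const NS_MD    = 'urn:oasis:names:tc:SAML:2.0:metadata';
const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';

// Constructed sample SP metadata; the hostnames are placeholders.
$sampleMetadata = <<<'XML'
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/EasyConnect/ACS/Post.aspx" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
XML;

function spMetadataToArray(string $xml): array
{
    // Metadata comes from another party: never resolve external resources
    // while parsing it, and surface parse errors instead of printing warnings.
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('Input is not well-formed XML');
    }
    $root = $doc->documentElement;

    // The error seen in the thread: a samlp:Response pasted instead of metadata.
    if ($root->namespaceURI === NS_SAMLP) {
        throw new InvalidArgumentException(
            'Root element is samlp:' . $root->localName . ', a protocol message, not metadata');
    }
    if ($root->namespaceURI !== NS_MD || $root->localName !== 'EntityDescriptor') {
        throw new InvalidArgumentException('Expected an md:EntityDescriptor root element');
    }

    // The array index must be the SP's entity ID, not its hostname or ACS URL.
    $entityId = $root->getAttribute('entityID');
    if ($entityId === '') {
        throw new InvalidArgumentException('EntityDescriptor has no entityID');
    }

    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', NS_MD);
    $acs = [];
    foreach ($xp->query('/md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService') as $node) {
        $acs[] = [
            'Binding'  => $node->getAttribute('Binding'),
            'Location' => $node->getAttribute('Location'),
            'index'    => (int) $node->getAttribute('index'),
        ];
    }
    if ($acs === []) {
        throw new InvalidArgumentException('No AssertionConsumerService endpoint in SP metadata');
    }

    // Same shape as saml20-sp-remote.php: $metadata[<entityID>] = array(...)
    return [$entityId => ['AssertionConsumerService' => $acs]];
}

$metadata = spMetadataToArray($sampleMetadata);
var_export($metadata);
```

The built-in converter in the admin interface does the same job for the full metadata (certificates, SingleLogoutService, NameIDFormat); this block only shows why the index must be the entity ID and why a Response document is rejected.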

Ganesh venu

Aug 3, 2016, 1:15:37 PM
to SimpleSAMLphp
Hi Jaime,

Thank you so much for all your help and responses to the emails. I have achieved what I expected and the configuration is working fine now.

Thank you once again for all your support :) :)
