Message received on authentication request endpoint wasn't an authentication request


Jon

Jun 23, 2010, 3:24:30 AM
to simpleSAMLphp
Hello,

I am trying to understand SAML and decided to see what I could get
going with simplesamlphp. I downloaded and installed v1.6
successfully, followed the SP Quickstart Guide and signed up on
openidp.feide.no. I believe I followed all the steps correctly. When
I go to "Authentication" : "Test configured authentication sources." :
"default-sp" I get redirected to the nice looking openidp.feide.no
login page (as expected). After providing my username and password, I
end up at an openidp.feide.no page which tells me "Bad request
received". The interesting part is:

BADREQUEST('%REASON%' => 'Message received on authentication request
endpoint wasn\'t an authentication request.')

0: /var/simplesamlphp-openidp/modules/saml/lib/IdP/SAML2.php:230
(sspmod_saml_IdP_SAML2::receiveAuthnRequest)
1: /var/simplesamlphp-openidp/www/saml2/idp/SSOService.php:19 (N/A)

Also interesting is that subsequent trips through this procedure do
bypass the username/password login page, so I think my login to
openidp is succeeding. (I couldn't figure out how to logout; I've been
resetting my browser).

I also watched the tutorial video but it appeared to be for an older
version (1.0?) and looked at the rest of the SP documentation for
v1.6. I can't tell for sure but I'm starting to think I need to
create a configuration for a "hosted SP." There is no
saml20-sp-hosted.php file in metadata-templates, but it looks like
there was one in the video.

I think a combination of being new to the mental model of IdPs and SPs
is also preventing me from figuring out what I'm missing. I *think*
when I am testing my authentication sources I am effectively using
openidp to authenticate to my own web service on my own server, which
happens to only contain simplesamlphp at the moment.

Any tips are much appreciated!

Thanks,
-Jon

Andreas Åkre Solberg

Jun 23, 2010, 4:01:39 AM
to simple...@googlegroups.com

On 23 June 2010, at 09:24, Jon wrote:

> I am trying to understand SAML and decided to see what I could get
> going with simplesamlphp. I downloaded and installed v1.6
> successfully, followed the SP Quickstart Guide and signed up on
> openidp.feide.no. I believe I followed all the steps correctly. When
> I go to "Authentication" : "Test configured authentication sources." :
> "default-sp" I get redirected to the nice looking openidp.feide.no
> login page (as expected). After providing my username and password, I
> end up at an openidp.feide.no page which tells me "Bad request
> received". The interesting part is:
>
> BADREQUEST('%REASON%' => 'Message received on authentication request
> endpoint wasn\'t an authentication request.')

Is your simplesaml installation publicly accessible? If you give us the url, we can debug the redirection flow.

Andreas

Jonathan McCune

Jun 23, 2010, 4:05:40 AM
to simple...@googlegroups.com
http://bigleadpipes.com/simplesaml-sp2/

Thanks,
-Jon


Andreas Åkre Solberg

Jun 23, 2010, 4:41:27 AM
to simple...@googlegroups.com

On 23 June 2010, at 10:05, Jonathan McCune wrote:

> http://bigleadpipes.com/simplesaml-sp2/

For some reason your registered SP contains an empty endpoint for AssertionConsumerService.

Can you please edit your SP entry here:
https://openidp.feide.no/simplesaml/module.php/metaedit/index.php

And check the SAML 2.0 tab after editing your entry, filling in the correct endpoints.

Andreas

Jonathan McCune

Jun 23, 2010, 5:33:41 AM
to simple...@googlegroups.com
Hi Andreas,

I believe that did the trick. Thanks for your help!

-Jon



John Tibbetts

Jun 23, 2010, 8:54:16 AM
to simple...@googlegroups.com
Hello all,

First note that I'm a different John (with an 'h') from the Jon who wrote this note. I've just got my first SimpleSAML interactions flowing last night (nice!) but had the totally identical experience with the other Jon below. (I have seen the followup notes and the solution that Andreas has pointed to). I was just about to write in my experience this morning when I saw these notes.

I also followed the instructions and watched the video. I also got the "Message wasn't an authentication request". I also noted the discrepancies between the Quickstart and the current version. I think I took it a bit farther than Jon in that I then started using Subversion to download older versions to see when the docs diverged from the codeline. (About 1.3, right?).

So rather than write the identical note as Jon let me just add the diffs in our comments.

I did finally get it running doing one or all of the following (I'm not sure which finally did the trick):
1. I named my authsources explicitly and got rid of 'default-sp'. (I think this change was the one that did the trick).
2. I created a saml20-sp-hosted.php by simply copying the 'wsfed-sp-hosted.sp'...these *-sp-host all seem generic anyway.
3. Why is saml20-sp-hosted.php missing from the distro? This file plays prominently in the video and other docs. With it missing I wasn't sure where I was at.
4. And maybe something else I fiddled with and now forgotten.

Once it started working with the Feide site I then retargeted it to the OpenSSO IdP I'm really using and it started working too.

Points:
1. You've probably heard this before: but Quickstart (and the video) are out-of-date. And given that, for a newbie, SimpleSAML arrives DOA. The docs say more than once that on arrival it is configured for Feide, but it is not. And like Jon I assumed it was my mental model, or my firewall, or a myriad of other factors.
2. OTOH I greatly prefer the SimpleSAML over say OpenSSO which I've also spent a lot of time with. SimpleSAML is small and comprehensible. OpenSSO is huge and impenetrable. I've spent more time trying to get a single Policy Agent installed with OpenSSO than I have spent getting SimpleSAML running.

I can't believe it's only 9000 lines of code. I'm in awe.

Cheers,

John


Andreas Åkre Solberg

Jun 23, 2010, 9:12:26 AM
to simple...@googlegroups.com
On 23 June 2010, at 14:54, John Tibbetts wrote:

> 1. You've probably heard this before: but Quickstart (and the video) are out-of-date. And given that, for a newbie, SimpleSAML arrives DOA. The docs say more than once that on arrival it is configured for Feide, but it is not. And like Jon I assumed it was my mental model, or my firewall, or a myriad of other factors.

About the video: you cannot be more correct. The video is very old, and I've added a note on the video page referring to the documentation regarding how to install a more recent version of simplesamlphp. Thanks for this tip.

When you say that the Quickstart is out of date, I would like to know at what URL you are reading the quickstart, to be sure that we are discussing the same document. Maybe there is an old version out there that I have not successfully redirected to the latest version.

Looking forward to hearing from you again,

kind regards,
Andreas

John Tibbetts

Jun 23, 2010, 9:25:59 AM
to simple...@googlegroups.com
Hi Andreas,

I used the Quickstart from the website. It says version 1.6.

I followed the steps as closely as I could and redid the full installation several times. Each ended in

BADREQUEST('%REASON%' => 'Message received on authentication request
endpoint wasn\'t an authentication request.')

I also checked the mailing list archive for matches on this message and didn't come up with anything. (Of course, if I'd waited 48 hours I would have seen Jon's note.) :=}

John

Jonathan McCune

Jun 23, 2010, 9:37:20 AM
to simple...@googlegroups.com
I was looking at this one:
http://simplesamlphp.org/docs/1.6/simplesamlphp-sp

Below are a few things that I found confusing, that might be worth
clarifying. Please interpret this as constructive criticism. On the
whole I feel you have a very nice project. Coming at this totally
green and trying to comprehend all that I could find on Google, I
chose simpleSAMLphp. :)

In Section 4, there is talk of copying things from templates.
However, to a first approximation the templates are already in the
"production" directories, so this step was unnecessary for using the
Feide OpenIdP. I might suggest clearly separating "using the defaults
with Feide" and "how to roll your own", or something along those
lines.

In v1.6 one must click "Federation" : "Show metadata" to get the XML
metadata to paste in the IdP. Currently the instructions say
"(described below)" but I couldn't confidently put my finger on
precisely which text below it meant.

It would also be good to add some suggestions as to what to put in the
SAML 2.0 fields on the openidp.feide.no page just to convince oneself
that the whole process is working, i.e., AssertionConsumerService
endpoint and SingleLogoutService endpoint. Or at least make clear
that Step 5 (Test the SP) isn't going to work before those fields are
populated.

I still don't actually know what to put in those fields to get
redirected back to the test page. When I previously said it worked, I
just meant that it redirected to a link of my choosing and did not
give any errors. I don't actually have a web resource to which users
are authenticating at the moment, so I'm not under time pressure to
take it further just yet.

Hope this helps,
-Jon



Olav Morken

Jun 24, 2010, 4:02:22 AM
to simple...@googlegroups.com

Thank you for the detailed feedback. I have attempted to rewrite
section 4 a bit. Please have a look, and see whether this is more
clear:

http://simplesamlphp.org/docs/1.6/simplesamlphp-sp#section_4

I also fixed a bug in the OpenIdP, so the AssertionConsumerService
and SingleLogoutService fields should now be populated automatically
when pasting XML metadata.

--
Olav Morken
UNINETT / Feide
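
The empty AssertionConsumerService endpoint diagnosed earlier in this thread can be caught before metadata is pasted into an IdP. The following is an added example, not part of the original thread or simpleSAMLphp's code: a Python check that each SPSSODescriptor in an SP's own metadata carries AssertionConsumerService and SingleLogoutService elements with a Binding and an absolute Location. The function name, the sample URLs, and treating SingleLogoutService as required are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# The two endpoint fields named in the thread. SAML itself makes
# SingleLogoutService optional; requiring it here is this example's choice.
REQUIRED = ("AssertionConsumerService", "SingleLogoutService")

def check_sp_metadata(xml_text):
    """Return a list of endpoint problems; an empty list means none found."""
    root = ET.fromstring(xml_text)
    # The EntityDescriptor may be the root or sit inside an EntitiesDescriptor.
    sps = root.findall(f".//{{{MD}}}SPSSODescriptor")
    if not sps:
        return ["no SPSSODescriptor element"]
    problems = []
    for sp in sps:
        for name in REQUIRED:
            endpoints = sp.findall(f"{{{MD}}}{name}")
            if not endpoints:
                problems.append(f"{name}: missing")
            for ep in endpoints:
                loc = (ep.get("Location") or "").strip()
                url = urlparse(loc)
                if not loc:
                    problems.append(f"{name}: empty Location")
                elif url.scheme not in ("http", "https") or not url.netloc:
                    problems.append(f"{name}: not an absolute URL: {loc}")
                if not ep.get("Binding"):
                    problems.append(f"{name}: no Binding")
    return problems

# Constructed sample metadata (sp.example.org is a placeholder host).
GOOD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Location="https://sp.example.org/slo"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:AssertionConsumerService index="0" Location="https://sp.example.org/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Same metadata with the ACS Location emptied, as in the case diagnosed above.
BAD = GOOD.replace('Location="https://sp.example.org/acs"', 'Location=""')

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_sp_metadata(doc) or "ok")
```

Run it only on metadata you generated yourself; `xml.etree.ElementTree` is not hardened for parsing untrusted XML.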

Jonathan McCune

Jun 25, 2010, 7:31:19 AM
to simple...@googlegroups.com
Hi Olav,

That seems much more clear to me. I just deleted and made a new entry
for my SP on openidp.feide.no, and it worked immediately after pasting
the metadata.

Thanks,
-Jon
