Simplesamlphp not working with oneLogin


sharma.n...@gmail.com

Jul 10, 2018, 8:52:21 AM7/10/18
to SimpleSAMLphp
We have set up SAML IdP-initiated SSO on OneLogin and use SimpleSAMLphp as the SP-initiated side.

After authentication, OneLogin sends a SAML Response (an unsigned SAML Response with an unsigned Assertion) to the Assertion Consumer URL, where we have added SimpleSAMLphp library code like:

$as = new SimpleSAML_Auth_Simple('onelogin-sp');
$as->requireAuth();
$attributes = $as->getAttributes();

but SimpleSAMLphp does not authenticate the OneLogin SAML Response and continuously redirects to OneLogin.

And OneLogin redirects back to SimpleSAMLphp.

Please give me some suggestions to fix this.

Peter Schober

Jul 10, 2018, 9:31:48 AM7/10/18
to SimpleSAMLphp
* sharma.n...@gmail.com <sharma.n...@gmail.com> [2018-07-10 14:52]:
> After authentication, OneLogin sends a SAML Response (an unsigned SAML Response
> with an unsigned Assertion) to the Assertion Consumer URL, where we have
> added SimpleSAMLphp library code like:
>
> $as = new SimpleSAML_Auth_Simple('onelogin-sp');
> $as->requireAuth();
> $attributes = $as->getAttributes();
>
> but SimpleSAMLphp does not authenticate the OneLogin SAML Response and
> continuously redirects to OneLogin.

And your SimpleSAMLphp logs are saying that?

Not sure I understand correctly, but if OneLogin does not sign its
responses nor assertions I wouldn't bother using it, at all.
That would be a joke of a service. Anyone could send plain text (XML)
to your SP and claim to be whoever from the onelogin IDP, if that were
so.

-peter

sharma.n...@gmail.com

Jul 10, 2018, 9:57:52 AM7/10/18
to SimpleSAMLphp
Thanks for your response.

Please see the code below for the SimpleSAMLphp SP:

In authsources.php

'onelogin-sp' => array(
        'saml:SP',
        'entityID'              => null, //http://adfs.addivant.com/adfs/services/trust
        'idp'                   => 'https://app.onelogin.com/saml/metadata/0604a78f-eca2-42d6-90da-2ffcbd7921ea',
        'NameIDFormat'          => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        'discoURL'              => null,
        'sign.logout'           => TRUE,
        'redirect.sign'         => TRUE,
        'assertion.encryption'  => FALSE,
        'privatekey'            => 'XXXXXX.key', 
        'certificate'           => 'XXXXXX.crt', 
        'signature.algorithm'   => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    ),

And saml20-idp-remote.php

$metadata['https://app.onelogin.com/saml/metadata/0604a78f-eca2-42d6-90da-2ffcbd7921ea'] = array( // keyed by the IdP entityID referenced as 'idp' in authsources.php
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
    ),
    2 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'NameIDFormats' => 
  array (
    0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIEMjCCAxqgAwIBAgIUWksf35P4QHQVrG+n7M15h3VSLi0wDQYJKoZIhvcNAQEF...', // remainder of the certificate omitted
    ),
  ),
);

And my OneLogin access URL and credentials.


Thanks

Peter Schober

Jul 10, 2018, 10:05:46 AM7/10/18
to SimpleSAMLphp
* sharma.n...@gmail.com <sharma.n...@gmail.com> [2018-07-10 15:57]:
> Please see the code below for the SimpleSAMLphp SP:

I have no idea why you just posted your SSP authsource and metadata.

If you're seeing a loop you must look at your log files (SSP,
webserver) and possibly at your browser (and the cookie requests and
responses it processes) to find out why.

The only other thing I said was that if the IDP you're using does not
support signing its responses or assertions you should not use it.
A SAML 2.0 IDP that does not sign is security theatre of the highest
order.

-peter

sharma.n...@gmail.com

Jul 13, 2018, 8:09:10 AM7/13/18
to SimpleSAMLphp
Thanks for your response.

We have also checked the error log file; no SAML-related errors are mentioned in it. We then checked the OneLogin activity log and found a SAML error like:

Assertion Consumer Service URL not whitelisted.
Attempting ACS: https://www.learningblox.com/*****/*****/saml2-acs.php/sso-sp.
Assertion sent to: https://www.learningblox.com/saml

Please give me a suggestion to fix this.

Thanks

Peter Schober

Jul 13, 2018, 8:19:02 AM7/13/18
to SimpleSAMLphp
* sharma.n...@gmail.com <sharma.n...@gmail.com> [2018-07-13 14:09]:
> We have also checked the error log file; no SAML-related errors are
> mentioned in it

I also said more about cookies and finding out why you're looping.

> We then checked the OneLogin activity log and found a SAML error
> like:
>
> Assertion Consumer Service URL not whitelisted.
> Attempting ACS:
> https://www.learningblox.com/*****/*****/saml2-acs.php/sso-sp.
> Assertion sent to: https://www.learningblox.com/saml
>
> Please give me a suggestion to fix this.

You'd have to ask the IDP.

If I had to guess what that means (this is not a OneLogin support
forum) I'd say you have given them incorrect SAML 2.0 Metadata (or
have configured the IDP incorrectly in some other fashion).

That shouldn't ever lead to looping, though, if the IDP refuses to
even send a reply to the configured endpoint at the SP.

So the error above does not match your problem description that
OneLogin is sending SAML Responses to your SP.

-peter
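An added diagnostic, not from this thread or from SimpleSAMLphp, that puts the two points above into code: decode the SAMLResponse the IdP POSTs to the ACS, report whether the Response or the Assertion carries a signature at all, and check that Destination and Issuer match what the SP expects. The sample message and the sp.example.org / idp.example.org values are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: unsigned Response carrying an unsigned plaintext Assertion,
# with a Destination that differs from the SP's real ACS endpoint.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2018-07-10T12:52:00Z" Destination="https://sp.example.org/saml">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-07-10T12:52:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# Same message with a ds:Signature inside the Assertion (placeholder contents:
# this script checks presence only; cryptographic verification is the SP's job).
SIGNED_XML = SAMPLE_XML.replace(
    b"<saml:Subject>",
    b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    b"<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature><saml:Subject>")

def triage_response(saml_response_b64, expected_acs, expected_idp):
    """Decode the SAMLResponse POST parameter and report what the SP could verify."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    findings = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
                            and assertion.find("ds:Signature", NS) is not None,
        # Destination must be the SP's ACS URL (cf. the IdP's "ACS URL not whitelisted" error).
        "destination_matches": root.get("Destination") == expected_acs,
        "issuer_matches": root.findtext("saml:Issuer", "", NS).strip() == expected_idp,
    }
    # With neither element signed there is nothing to verify: any party able to
    # POST to the ACS could have produced this message.
    findings["verifiable"] = findings["response_signed"] or findings["assertion_signed"]
    return findings

def sample_findings(signed=False):
    # Placeholder SP ACS URL and IdP entityID, not the thread's real values.
    return triage_response(base64.b64encode(SIGNED_XML if signed else SAMPLE_XML),
                           "https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/onelogin-sp",
                           "https://idp.example.org/metadata")
```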