> After seeing a very interesting presentation for simplesamlphp a
> couple of weeks ago at Athens, I decided to take a look at
> simplesamlphp. At this point I am trying to get it to work as a SAML2
> SP and communicate with an Internet2 Shibboleth IdP (version 2.1 -
> latest).
> As you can probably guess from the subject, I am getting the despised
> "Could not find the NameID node in a Subject node" error when
> returning to the SP after authenticating. From previous messages on
> the list, I can see that php>=5.2 is required, but I already have
> php5-5.2.6_2 (on FreeBSD). So it shouldn't be that.
Hi Athanasios,
I would suggest that we try to take a look at the Authentication
Response sent from Shibboleth to simpleSAMLphp, to see if there is
something strange in there (for example, if the NameID is missing).
If you use Firefox, try to install the LiveHttpHeaders plugin, and
watch the HTTP headers. Then you will see the POST data sent to the
SP. Copy the message into a base64 decoder...
http://ostermiller.org/calc/encode.html
Then show us the message :)
Alternatively, give us a URL and a test login account, and we may do
the LiveHttpHeaders thing ourselves.
Kind regards,
Andreas
Sure, this works just fine. Like Janusz said (and can be found in this
list's archives), you'd need to disable encryption of NameIDs at the
Shib IdP, since simpleSAMLphp doesn't yet support encrypted NameIDs
(which is the default with Shib2).
If you don't want to disable this for all relying parties just add
another RelyingParty element to your conf/relying-party.xml, overriding
the SAML2SSOProfile configuration for this given SP:
<RelyingParty id="https://entityId.of.yoursp.example.org/saml2"
              provider="<entityId of your IdP>"
              defaultSigningCredentialRef="IdPCredential" >
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                          encryptNameIds="never" />
</RelyingParty>
Note that unless you enabled automagic reloading of relying party
config in the Shib IdP this change will require you to restart the IdP
application (or the container).
cheers,
-peter
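As an added example (not code from this thread or from simpleSAMLphp), a small Python check that does what Andreas suggests above: it takes the SAMLResponse from the POST data, base64-decodes it and reports whether the Subject carries a plain NameID, an EncryptedID (the Shib 2 default Peter describes, which is what the SP trips over) or a wholly encrypted assertion that cannot be inspected without the SP key. The sample responses, entity IDs and the `post_body` helper are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def classify_subject(saml_response_b64):
    """Decode a base64 SAMLResponse and report what its Subject carries."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return "EncryptedAssertion"  # only the SP's private key can look inside
    subject = root.find("saml:Assertion/saml:Subject", NS)
    if subject is None:
        return "NoSubject"
    if subject.find("saml:NameID", NS) is not None:
        return "NameID"        # the form simpleSAMLphp expects
    if subject.find("saml:EncryptedID", NS) is not None:
        return "EncryptedID"   # Shib 2 default; causes the reported error
    return "NoNameID"

def classify_post_body(body):
    """Same check, starting from the raw POST body LiveHttpHeaders shows."""
    return classify_subject(parse_qs(body)["SAMLResponse"][0])

def encode(xml_text):
    """Base64-encode a message as the SAML HTTP-POST binding does."""
    return base64.b64encode(xml_text.encode()).decode()

def post_body(xml_text, relay_state="https://sp.example.org/"):
    """Build a form body like the one the IdP's POST binding submits (constructed)."""
    return urlencode({"SAMLResponse": encode(xml_text), "RelayState": relay_state})

# Constructed minimal responses (not real IdP output) for the three cases.
_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"'
    ' Version="2.0" IssueInstant="2009-01-07T07:37:00Z">'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-01-07T07:37:00Z">'
    '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
    '<saml:Subject>%s</saml:Subject></saml:Assertion></samlp:Response>')
PLAIN = _TEMPLATE % ('<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:'
                     'nameid-format:transient">_abc123</saml:NameID>')
ENCRYPTED = _TEMPLATE % ('<saml:EncryptedID><xenc:EncryptedData xmlns:xenc='
                         '"http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedID>')
ENC_ASSERTION = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
                 ' ID="_r2" Version="2.0"><saml:EncryptedAssertion'
                 ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/></samlp:Response>')
```

Paste the SAMLResponse value from the POST into `classify_subject`, or the whole form body into `classify_post_body`; a result of EncryptedID is the case the relying-party override above fixes.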
It was recently suggested on the shibboleth-users list to change
Shib's default to not encrypt NameIDs inside encrypted assertions, so
even this small config change at the IdP might not be necessary in
future releases.
Also note that simplesamlphp can generate metadata for
saml20-idp-remote.php from the IdP's SAML2 metadata (XML), this way
you'll also get the certFingerprint calculated automagically (and
don't need to fiddle with idp.crt and openssl).
cheers,
-peter
My little contribution is this article which tries to sum up these tricks:
http://www.zeitoun.net/articles/configure-simplesaml-1.3-sp-and-shibboleth-2.1-idp/start
I hope it will help someone.
Very interesting to keep it simple! But how? I don't see any
configuration variable in the official doc.
http://rnd.feide.no/content/using-simplesamlphp-service-provider
On Wed, Jan 7, 2009 at 7:37 AM, Andreas Åkre Solberg
<andreas...@uninett.no> wrote:
> Thanks a lot. I hope you don't mind that I put a link up on
> http://rnd.feide.no/view/simplesamlphpdocs
No problem.
regards,
Stéphane Gully
Access your simpleSAMLphp install via the web (possibly providing the
auth.adminpassword set in config/config.php); there you'll find a
link entitled "XML to simpleSAMLphp metadata converter" (depending on
the language setting), leading to something like
https://yourhost.example.org/<simpleSAMLphp-webpath>/admin/metadata-converter.php
cheers,
-peter
--
peter....@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140