Caused by: Exception: Unable to find the current binding (Safari)


Rick Warren

Dec 30, 2013, 5:11:28 PM
to simple...@googlegroups.com
We have several simpleSAMLphp Service Providers and an Identity Provider set up and working.  LDAP is used for federation.

Everything works fine, except for Safari web browsers, or the first time that any web browser is used to log in. In those circumstances an Unhandled Exception error is displayed to the user stating that it is unable to find the current binding.


This happens with both IdP-initiated and SP-initiated login methods.


This is a snippet from saml20-sp-remote.php on the IdP:

$metadata['default-sp'] = array(
    'AssertionConsumerService' => array(
        0 => array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sp.example.org/sdauth/module.php/saml/sp/saml2-acs.php/default-sp',
        ),
        1 => array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://sp.example.org/sdauth/module.php/saml/sp/saml2-acs.php/default-sp',
        ),
    ),
    'SingleLogoutService' => array(
        0 => array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sp.example.org/sdauth/module.php/saml/sp/saml2-logout.php/default-sp',
        ),
        1 => array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://sp.example.org/sdauth/module.php/saml/sp/saml2-logout.php/default-sp',
        ),
    ),
);


And this is a snippet from saml20-idp-remote.php on the SP:

$metadata['https://idp.example.org'] = array(
    'SingleSignOnService' => array(
        0 => array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://idp.example.org/sdauth/saml2/idp/SSOService.php',
        ),
        1 => array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://idp.example.org/sdauth/saml2/idp/SSOService.php',
        ),
    ),
    'SingleLogoutService' => array(
        0 => array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://idp.example.org/sdauth/saml2/idp/SingleLogoutService.php',
        ),
        1 => array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://idp.example.org/sdauth/saml2/idp/SingleLogoutService.php',
        ),
    ),
    'certFingerprint' => '<Not Included For Security Purposes>',
);


Snippet from authsources.php:

'default-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'default-sp',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://idp.example.org',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => NULL,
),


Any help anyone can offer would be greatly appreciated.

Thank you in advance.

Thijs Kinkhorst

Jan 2, 2014, 3:48:03 AM
to simple...@googlegroups.com, Rick Warren
Hi Rick,

On Monday 30 December 2013 at 23:11:28, Rick Warren wrote:
> We have several simpleSAMLphp Service Providers and an Identity Provider
> set up and working. LDAP is used for federation.
>
> Everything works fine, except for Safari web browsers, or the first time
> that any web browser is used to log in. In those circumstances an Unhandled
> Exception error is displayed to the user stating that it is unable to find
> the current binding.

If it only doesn't work in some browsers or on some use of a browser, my
suspicion would go to some kind of cookie problem. That is, something in your
setup makes cookies disappear. One reason may be that your install is
accessible over both http and https, and something redirects back to http.

A good way to debug this is to use one of the various web developer plugins
available for browsers and inspect what exactly happens with your cookies.



--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • P.O. Box 90153, 5000 LE
Visiting address: Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl
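To make the cookie check suggested in the reply above repeatable, here is an added example (not code from this thread or from simpleSAMLphp) that audits one captured response from the SP or IdP. It flags session cookies set over https without the Secure attribute and 3xx redirects whose Location falls back to plain http, the two ways a deployment reachable over both schemes loses its cookies between hops. The hostnames and ACS path are taken from the metadata posted earlier; the headers and cookie values are constructed; the cookie names are simpleSAMLphp's default session and auth-token cookie names, used only as realistic labels.

```python
"""Audit one HTTP response for cookie-loss causes: cookies set over https
without Secure, and redirects that downgrade to http. Added example; the
sample response below is constructed, not captured from a real server."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def audit_response(request_url, status, headers):
    """Return a list of findings for a response to request_url.

    headers is a list of (name, value) pairs as copied from a proxy or the
    browser's developer tools. Only Set-Cookie and Location are inspected."""
    req = urlsplit(request_url)
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname, morsel in jar.items():
                # A cookie without Secure is also sent on an http request, so a
                # single http hop exposes it and can leave the browser holding
                # two different copies for the same name.
                if req.scheme == "https" and not morsel["secure"]:
                    findings.append(
                        f"{cname}: set over https without Secure; any http hop "
                        "will send it in the clear and may leave two copies in "
                        "the browser")
                # A Domain attribute that does not cover the responding host is
                # rejected by the browser outright.
                domain = morsel["domain"].lstrip(".")
                if domain and not (req.hostname == domain
                                   or req.hostname.endswith("." + domain)):
                    findings.append(
                        f"{cname}: Domain={morsel['domain']} does not cover "
                        f"{req.hostname}; the browser will drop this cookie")
                # HttpOnly only blocks script access; it never decides whether
                # the cookie is sent back, so this is informational.
                if not morsel["httponly"]:
                    findings.append(
                        f"{cname}: no HttpOnly (informational; does not affect "
                        "whether the cookie is returned)")
        elif lname == "location" and 300 <= status < 400:
            target = urlsplit(value)
            if req.scheme == "https" and target.scheme == "http":
                findings.append(f"redirect downgrades to http: {value}")
    return findings


# Constructed sample: an SP on https that sets its session cookie without
# Secure and then redirects over plain http. Paths are from the thread.
SAMPLE_URL = "https://sp.example.org/sdauth/module.php/saml/sp/saml2-acs.php/default-sp"
SAMPLE_STATUS = 302
SAMPLE_HEADERS = [
    ("Set-Cookie", "SimpleSAMLSessionID=0123abcd; path=/; HttpOnly"),
    ("Set-Cookie", "SimpleSAMLAuthToken=4567ef01; path=/; Secure; HttpOnly"),
    ("Location", "http://sp.example.org/sdauth/"),
]


def audit_sample():
    """Run the audit over the constructed sample response."""
    return audit_response(SAMPLE_URL, SAMPLE_STATUS, SAMPLE_HEADERS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Feed it the response headers of each hop in the login flow (SP redirect to the IdP, IdP login page, IdP response, SP ACS redirect) as seen from the browser; a finding on any hop points at the cookie that goes missing before the ACS is reached.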

Rick Warren

Jan 3, 2014, 10:54:36 AM
to simple...@googlegroups.com, Rick Warren, th...@uvt.nl

Thank you so much. Our IdP had 'enable.http_post' set to TRUE by accident. I believe this was the cause of the issue. Still testing now, but hopefully I will not need to come back for more advice! Thank you.

Rick Warren

Jan 3, 2014, 11:54:16 AM
to simple...@googlegroups.com, Rick Warren, th...@uvt.nl
I take it back. I spoke too soon. Still happening. 

Our SP and IdP are on different domains. But that shouldn't matter, should it? We're getting cookies for both domains according to various web tools.

Rick Warren

Jan 3, 2014, 12:18:47 PM
to simple...@googlegroups.com, Rick Warren, th...@uvt.nl
See the attached image (1.PNG). It shouldn't have a check mark under "http", should it? That refers to HttpOnly, does it not?

Rick Warren

Jan 10, 2014, 12:37:06 AM
to simple...@googlegroups.com, Rick Warren, th...@uvt.nl
For anyone wanting to know what the solution was:

We were using an unsigned SSL certificate on our testing servers. Safari lost its binding when it asked whether you would like to continue despite the certificate not being signed. We purchased a signed SSL certificate for our testing domain, and the issue was resolved.
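The outcome in the closing post lines up with how simpleSAMLphp chooses a binding. In the 1.x code base, SAML2_Binding::getCurrentBinding() looks only at the HTTP method and at which of SAMLRequest, SAMLResponse or SAMLart is present in the query string or form body; a request that matches nothing, such as a GET to the ACS URL with no parameters, which is what is left once a browser re-issues a navigation without its POST body, is what raises "Unable to find the current binding". The Python model of that decision table below is an added example, not simpleSAMLphp code, and performs no signature or XML validation. It parses three constructed raw requests, using the ACS and SSO paths from the metadata above and a placeholder base64 payload that is not a real SAML message, and reports which binding each selects or why none applies.

```python
"""Model of simpleSAMLphp 1.x binding detection (SAML2_Binding::getCurrentBinding)
applied to raw HTTP requests, to show how a browser that re-navigates to the
ACS URL without its POST body produces "Unable to find the current binding".
Added example; not simpleSAMLphp code; all requests below are constructed."""
import base64
from urllib.parse import parse_qs, quote_plus, urlsplit

HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SAML_MSG_PARAMS = ("SAMLRequest", "SAMLResponse")


class NoBindingError(Exception):
    """Stands in for simpleSAMLphp's Exception('Unable to find the current binding.')."""


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, query, form, content_type).

    Only application/x-www-form-urlencoded bodies are decoded; that is the
    only body format the HTTP-POST binding uses."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    content_type = headers.get("content-type", "").split(";")[0].strip()
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    form = {}
    if method == "POST" and content_type == "application/x-www-form-urlencoded":
        form = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    return method, parts.path, query, form, content_type


def detect_binding(method, query, form, content_type=""):
    """Decision table: HTTP method plus which SAML parameter is present selects
    the binding; anything else is the exception seen in this thread."""
    if method == "GET":
        if any(p in query for p in SAML_MSG_PARAMS):
            return HTTP_REDIRECT
        if "SAMLart" in query:
            return HTTP_ARTIFACT
    elif method == "POST":
        if any(p in form for p in SAML_MSG_PARAMS):
            return HTTP_POST
        if "SAMLart" in form:
            return HTTP_ARTIFACT
        if content_type in ("text/xml", "application/soap+xml"):
            return SOAP
    raise NoBindingError("Unable to find the current binding.")


def triage(raw):
    """One-line verdict for a captured request to an ACS or SLO endpoint."""
    method, path, query, form, content_type = parse_request(raw)
    try:
        return f"{method} {path}: {detect_binding(method, query, form, content_type)}"
    except NoBindingError:
        present = [p for p in (*SAML_MSG_PARAMS, "SAMLart") if p in query or p in form]
        if method == "GET" and not present:
            return (f"{method} {path}: no binding; a bare GET to a SAML endpoint means "
                    "the browser arrived without the POST body (refresh, bookmark, or "
                    "a re-navigation after a certificate warning)")
        return f"{method} {path}: no binding; unexpected parameters {present}"


# Endpoint paths are taken from the metadata in the thread; the payload is a
# placeholder (base64 of an empty element), not a real SAML message.
ACS_PATH = "/sdauth/module.php/saml/sp/saml2-acs.php/default-sp"
SSO_PATH = "/sdauth/saml2/idp/SSOService.php"
FAKE_B64 = base64.b64encode(b"<samlp:Response/>").decode()

# Constructed: what the IdP's auto-submitting form makes the browser send.
GOOD_POST = (f"POST {ACS_PATH} HTTP/1.1\r\nHost: sp.example.org\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             f"SAMLResponse={quote_plus(FAKE_B64)}&RelayState=x").encode()

# Constructed: the same URL requested again after a certificate warning; the body is gone.
BARE_GET = f"GET {ACS_PATH} HTTP/1.1\r\nHost: sp.example.org\r\n\r\n".encode()

# Constructed: SP-initiated AuthnRequest to the IdP over HTTP-Redirect.
REDIRECT_REQ = (f"GET {SSO_PATH}?SAMLRequest={quote_plus(FAKE_B64)}&RelayState=x HTTP/1.1\r\n"
                "Host: idp.example.org\r\n\r\n").encode()

if __name__ == "__main__":
    for sample in (GOOD_POST, REDIRECT_REQ, BARE_GET):
        print(triage(sample))
```

When this exception shows up for a subset of browsers or only on first login, capture the request that actually reached saml2-acs.php (web server access log or a proxy) and run it through triage(): a bare GET there confirms the browser dropped the POST between the IdP and the SP, and the cause then lies in what happened on that hop, such as an interstitial, a redirect, or a scheme change, rather than in the SAML metadata.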