Configuring simplesamlphp as IDP for SugarCRM (SP)


Anindayu Pradetha

Jan 30, 2017, 2:25:40 PM
to SimpleSAMLphp
Hi,

So, I have finally configured my simplesamlphp to act as an IDP which authenticates against my linOTP users. Now, I want to connect the IDP to my SugarCRM which is acting as my SP. Whenever I go to my SugarCRM and click Log In, it should have redirected me to the simplesamlphp SSO link which is: https://service.example.com/simplesaml/saml2/idp/SSOService.php, instead it is giving me this error:

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'php-saml\'')

Backtrace:
3 /var/simpleidp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:305 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
2 /var/simpleidp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:325 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
1 /var/simpleidp/modules/saml/lib/IdP/SAML2.php:303 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /var/simpleidp/www/saml2/idp/SSOService.php:19 (N/A)

So I went and tried to open the SSO link itself (https://service.example.com/simplesaml/saml2/idp/SSOService.php) and got this error:

SimpleSAML_Error_Error: SSOPARAMS

Backtrace:
0 /var/simpleidp/www/saml2/idp/SSOService.php:22 (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /var/simpleidp/vendor/simplesamlphp/saml2/src/SAML2/Binding.php:97 (SAML2_Binding::getCurrentBinding)
1 /var/simpleidp/modules/saml/lib/IdP/SAML2.php:292 (sspmod_saml_IdP_SAML2::receiveAuthnRequest) 
0 /var/simpleidp/www/saml2/idp/SSOService.php:19 (N/A)


Does anyone know what I am doing wrong? Here is what my SP configuration looks like in simplesamlphp:

metadata/saml20-sp-remote.php
<?php 
$metadata['https://example.sugarondemand.com'] = array( 
);

config/authsources.php
$config = array(
    'admin' => array(
        'core:AdminPassword',
    ),
    'default-sp' => array(
        'saml:SP',
        'idp' => null,
        'discoURL' => null,
    ),
);


Patrick Radtke

Jan 31, 2017, 2:05:13 PM
to SimpleSAMLphp


On Monday, January 30, 2017 at 11:25:40 AM UTC-8, Anindayu Pradetha wrote:
> Hi,
>
> So, I have finally configured my simplesamlphp to act as an IDP which authenticates against my linOTP users. Now, I want to connect the IDP to my SugarCRM which is acting as my SP. Whenever I go to my SugarCRM and click Log In, it should have redirected me to the simplesamlphp SSO link which is: https://service.example.com/simplesaml/saml2/idp/SSOService.php, instead it is giving me this error:

So you are saying the below error is from SugarCRM? If so, it sounds like your SugarCRM isn't configured correctly.
To me, the error looks like it is coming from your SSP IDP and the redirect is happening. The error is saying that it can't find metadata for 'php-saml'.
SugarCRM is saying its entityId is 'php-saml' when making an AuthnRequest to the IDP and the IDP doesn't have that metadata. So you can either fix the entityId in SugarCRM, or fix the metadata you are providing to your IDP.

> SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'php-saml\'')
>
> Backtrace:
> 3 /var/simpleidp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:305 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
> 2 /var/simpleidp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:325 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
> 1 /var/simpleidp/modules/saml/lib/IdP/SAML2.php:303 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
> 0 /var/simpleidp/www/saml2/idp/SSOService.php:19 (N/A)
>
> So I went and tried to open the SSO link itself (https://service.example.com/simplesaml/saml2/idp/SSOService.php) and got this error:
>
> SimpleSAML_Error_Error: SSOPARAMS
>
> Backtrace:
> 0 /var/simpleidp/www/saml2/idp/SSOService.php:22 (N/A)
> Caused by: Exception: Unable to find the current binding.
> Backtrace:
> 2 /var/simpleidp/vendor/simplesamlphp/saml2/src/SAML2/Binding.php:97 (SAML2_Binding::getCurrentBinding)
> 1 /var/simpleidp/modules/saml/lib/IdP/SAML2.php:292 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
> 0 /var/simpleidp/www/saml2/idp/SSOService.php:19 (N/A)

You haven't made a proper SAML request to the endpoint so you get an error.


> Does anyone know what I am doing wrong? Here is what my SP configuration looks like in simplesamlphp:
>
> metadata/saml20-sp-remote.php
> <?php
> $metadata['https://example.sugarondemand.com'] = array(
> );

Why is your SP defining remote SP metadata? Normally you would only put this on the IdP.


> config/authsources.php
> $config = array(
>     'admin' => array(
>         'core:AdminPassword',
>     ),
>     'default-sp' => array(
>         'saml:SP',
>         'idp' => null,
>         'discoURL' => null,
>     ),
> );

I've seen 3 different entityIds defined for your SugarCRM in your message. 
I also thought sugarondemand just provided a web UI for configuring SAML.

Jaime Perez Crespo

Feb 1, 2017, 7:55:40 AM
to SimpleSAMLphp
Hi Anindayu,

On 30 Jan 2017, at 20:25 PM, Anindayu Pradetha <anindayu...@gmail.com> wrote:
> Hi,
>
> So, I have finally configured my simplesamlphp to act as an IDP which authenticates against my linOTP users. Now, I want to connect the IDP to my SugarCRM which is acting as my SP. Whenever I go to my SugarCRM and click Log In, it should have redirected me to the simplesamlphp SSO link which is: https://service.example.com/simplesaml/saml2/idp/SSOService.php, instead it is giving me this error:
>
> SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'php-saml\'')
> Backtrace:
> 3 /var/simpleidp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:305 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
> 2 /var/simpleidp/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:325 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
> 1 /var/simpleidp/modules/saml/lib/IdP/SAML2.php:303 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
> 0 /var/simpleidp/www/saml2/idp/SSOService.php:19 (N/A)

Actually, it is pretty clear it redirected you there. The error is on the IdP, telling you that it doesn’t know an SP with entityID “php-saml”.

> So I went and tried to open the SSO link itself (https://service.example.com/simplesaml/saml2/idp/SSOService.php) and got this error:

You can’t do that. That’s not a “SSO link”, it’s the “SAML 2 Single Sign On Service endpoint”, and it’s intended to receive SAML 2 requests, not to be accessed directly.

> SimpleSAML_Error_Error: SSOPARAMS
> Backtrace:
> 0 /var/simpleidp/www/saml2/idp/SSOService.php:22 (N/A)
> Caused by: Exception: Unable to find the current binding.
> Backtrace:
> 2 /var/simpleidp/vendor/simplesamlphp/saml2/src/SAML2/Binding.php:97 (SAML2_Binding::getCurrentBinding)
> 1 /var/simpleidp/modules/saml/lib/IdP/SAML2.php:292 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
>
> 0 /var/simpleidp/www/saml2/idp/SSOService.php:19 (N/A)
>
>
> Does anyone know what I am doing wrong?

Yes: you didn’t read the documentation :-)

https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_7

> Here is what my SP configuration looks like in simplesamlphp:

You mean your IdP configuration, right? Because you are running SimpleSAMLphp as an IdP...

> metadata/saml20-sp-remote.php
> <?php
> $metadata['https://example.sugarondemand.com'] = array(
> 'AssertionConsumerService' => 'https://example.sugarondemand.com/index.php?module=Users&action=Authenticate&dataOnly=1&platform=base',
> );

This is wrong. I don’t know how you generated that metadata, but it’s wrong. Instead, follow the documentation: get the SAML2 metadata from the SP, parse it with SimpleSAMLphp, and paste the parsed contents into this file.

> config/authsources.php
> $config = array(
>     'admin' => array(
>         'core:AdminPassword',
>     ),
>     'default-sp' => array(
>         'saml:SP',
>         'entityID' => 'https://example.sugarondemand.com/index.php?module=Users&action=Authenticate&dataOnly=1&platform=base',
>         'idp' => null,
>         'discoURL' => null,
>     ),
> );

This is wrong too. If you are an IdP, there’s no reason to configure a SAML authentication source (and even less to configure that URL as its entityID).

Are you following any tutorial? If so, please share so that we can ask them to fix it, and read the official documentation instead.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Anindayu Pradetha

Feb 8, 2017, 3:29:26 PM
to SimpleSAMLphp
Hi Jaime,

I was able to figure out what was wrong with my configuration (you were right, I was using the wrong SP entity ID). Now, I have another problem - after going to my SugarCRM page and clicking Log In, it redirects me to the SSO page in which I have to enter my credentials. I enter my credentials (username and 2FA password), however, when I click login, it brings me to this page:

[screenshot not preserved in the archived message]

What else am I configuring incorrectly? Is this a simplesaml issue or an issue on sugarcrm?

Thanks,
Anindayu

Patrick Radtke

Feb 9, 2017, 7:18:57 PM
to SimpleSAMLphp
That looks like an error from SugarCRM.
If you have the SAML tracer plugin installed in Firefox you could at least see if your IdP is responding with an error or with attributes. That may help you narrow things down.
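An added example (not code from the thread or from SimpleSAMLphp) that ties together Jaime's fix and Patrick's SAML tracer suggestion: it parses an SP EntityDescriptor into the saml20-sp-remote.php entry shape, decodes the SAMLRequest parameter of an HTTP-Redirect AuthnRequest to read its Issuer, and checks that Issuer against the entityIDs the IdP knows, which is the lookup that failed with METADATANOTFOUND above. The SP metadata, the AuthnRequest and the URLs are constructed sample values, not SugarCRM's real ones; in a real deployment you would still use SimpleSAMLphp's own metadata converter for the full entry (certificates, SLO endpoints).

```python
import base64, zlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample SP metadata; entityID, URL and binding are made-up values.
SP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="php-saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.sugarondemand.com/index.php?module=Users&amp;action=Authenticate"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample AuthnRequest, as the SP would send it over the HTTP-Redirect binding.
AUTHN_REQUEST_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                     'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
                     'IssueInstant="2017-01-30T19:25:40Z"><saml:Issuer>php-saml</saml:Issuer></samlp:AuthnRequest>')

def parse_sp_metadata(xml_text):
    """Pull the fields a saml20-sp-remote.php entry needs out of an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"entityid": root.get("entityID"), "index": int(acs.get("index", "0")),
            "Binding": acs.get("Binding"), "Location": acs.get("Location")}

def to_php_entry(m):
    """Array key must equal the SP's <saml:Issuer> value, or the IdP raises METADATANOTFOUND."""
    return ("$metadata['%s'] = array(\n"
            "    'AssertionConsumerService' => array(\n"
            "        array('index' => %d, 'Binding' => '%s',\n"
            "              'Location' => '%s'),\n"
            "    ),\n"
            ");") % (m["entityid"], m["index"], m["Binding"], m["Location"])

def encode_redirect_request(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (the ?SAMLRequest= value)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def issuer_of_redirect_request(saml_request_param):
    """Decode a SAMLRequest parameter (e.g. copied from SAML tracer) and return its Issuer."""
    raw = zlib.decompress(base64.b64decode(saml_request_param), -15)
    issuer = ET.fromstring(raw).find("saml:Issuer", NS)
    return issuer.text if issuer is not None else None

def idp_knows_sp(saml_request_param, remote_sp_entity_ids):
    """True when the IdP's saml20-sp-remote.php has an entry keyed by the requesting SP's Issuer."""
    return issuer_of_redirect_request(saml_request_param) in remote_sp_entity_ids
```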

hay...@grafezia.com

Jul 7, 2017, 12:05:33 PM
to SimpleSAMLphp
Hi Anindayu, can you please share your experience configuring the IdP, and from where can I get the X.509 certificate?
Thanks in advance.