How can I edit the reply URL in the response using SimpleSAMLphp 1.15.4?


Hon Hei Hui

Mar 5, 2021, 4:52:51 AM3/5/21
to SimpleSAMLphp
May I change the Reply URL in the authentication request path to the format like below?
I cannot find the method or the way to edit the reply URL in SimpleSAMLphp, and I am using version 1.15.4.

Thank you for your reading!

Peter Schober

Mar 5, 2021, 6:31:46 AM3/5/21
to SimpleSAMLphp
* Hon Hei Hui <andyh...@gmail.com> [2021-03-05 10:52]:
What is a "Reply url"? You mean the AssertionConsumerService Location
of the SAML SP where the IDP should send the response to?
Well, if the SP requests that then the IDP must verify location
(e.g. using metadata the IDP has describing the SP) and if it's OK the
IDP will send the response there.

> Reply url (Redirect URI) registered in the Application is:
> https://pxxxxl-dxx-axxxx.pxxxxx.com/sso/azure-asml/reply

What's the purpose of that URL?
Registered in what application? How?

The only "Redirect URI" I can think of is the IDP's SSO protocol
endpoint, i.e., where the SP should send an authentication request
to. But that has nothing to do with where the SP would *receive*
responses.

> May I change the Reply url in the authentication request path to the
> format like below??
> since i cannot find the method or the way to edit the reply url in
> use of simplesamlphp and i am using version 1.15.4.

The only thing that matters for SAML is that the URLs match, i.e.,
that the IDP has the same URL on record (in the metadata it has for
the SP) that the SP itself asks the IDP to use.

If the SP asks for a wrong URL then you'll have to change what the SP
asks for.
If the SP asks for the correct URL but the IDP fails to verify it then
you'll have to change the metadata the IDP has describing the SP.

-peter

Hon Hei Hui

Mar 5, 2021, 11:12:02 AM3/5/21
to SimpleSAMLphp
Thanks for your reply, and sorry for my bad expression.

For the "reply url", I think it is a keyword in Azure SSO; I think the meaning is the same as the AssertionConsumerServiceURL in SAML, so I think you are right.
The "Reply url (Redirect URI) registered in the Application" is also the same as the "reply url", but it is the URL which I have provided to Azure (the IdP) to let them verify.

The difficulty I am facing is: those two URLs do not match, and I want to change the URL which I (the SP) send to Azure (the IdP) via SimpleSAMLphp.
(I don't want to change the reply URL which is signed in the IdP.)

How can I change the URL which I send to the IdP to this format: https://pxxxxl-dxx-axxxx.pxxxxx.com/sso/azure-asml/reply ,

Thank you Peter, sorry for my bad English. Sorry!!!!

Peter Schober

Mar 5, 2021, 12:04:40 PM3/5/21
to SimpleSAMLphp
* Hon Hei Hui <andyh...@gmail.com> [2021-03-05 17:12]:
> How can i change the url which I send to idp by this format
> https://pxxxxl-dxx-axxxx.pxxxxx.com/sso/azure-asml/reply ,
> and my default format is like pxxxxl-dxx-axxxx.pxxxxx.com/sso/azure-asml/
> <https://pxxxxl-dxx-axxxx.pxxxxx.com/sso/azure-asml/reply>
> sso-xxxxx/www/module.php/saml/sp/saml2-acs.php/default-sp
> <http://test.pxxxxx.dxxxxl/test_xxxx/sso-xxxxx/www/module.php/saml/sp/saml2-acs.php/default-sp>

I still don't understand the issue but the answer remains the same:

You don't *change* any URLs -- you simply provide each end with
*correct* metadata (i.e., technical information, including
certificates and protocol endpoint locations) about the other party.

I.e., if you are the SAML SP all you need to do is add/have correct
metadata about the SAML IDP, as per The Fine Documentation:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_2

Vice versa, if you are the SAML IDP you need to add/have correct
metadata about the SAML SP, as per The Fine Documentation:
https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_7

-peter

Hon Hei Hui

Mar 5, 2021, 12:24:10 PM3/5/21
to SimpleSAMLphp

Thank you for your patience, Peter, and thank you for your reply.
For my situation, my question is: is there any way to customize the AssertionConsumerServiceURL (in the SAML response) which I send to the IdP (Azure) with SimpleSAMLphp?

Thank you again, Peter!

Peter Schober

Mar 5, 2021, 12:32:58 PM3/5/21
to SimpleSAMLphp
* Hon Hei Hui <andyh...@gmail.com> [2021-03-05 18:24]:
> Thank you for your patience, Peter. thank you for your reply.
> For my situation, my question is :Are here anyway to l customize the
> AssertionConsumerServiceURL(in SAMLPRESPONSE) which I send to the
> IDP(azure) by the simplesamlphp?)

And the answer remains the same (I don't know how else to say this):
You *only* need correct metadata on both sides. Then there is nothing
to change.

As an SP SimpleSAMLphp will auto-generate the ACS URL based on the
host's name (or based on your value of 'baseurlpath' in
config/config.php). That's the URL SSP will listen on for the SAML
response and so that's the URL that will be put into any SAML
authentication requests generated by that SP.

I don't see how that could be "wrong", it's generated by the software
to be "right".

So maybe you don't need to change what SSP generates (because that
should be correct) but instead tell the IDP what the correct ACS URL
for your SP is, by (you already guessed it) providing the IDP with
*correct* *metadata* about your SAML SP.

-peter
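To make the two points in this thread concrete (the IdP verifies a requested ACS URL against the metadata it holds for the SP, and the SP side of SimpleSAMLphp derives its ACS URL from the host name or `baseurlpath` rather than from anything configurable per request), here is an added example that is not part of the original thread or of SimpleSAMLphp. It approximates the SSP URL layout quoted above (`module.php/saml/sp/saml2-acs.php/<source-id>`) and implements the metadata check an IdP performs before sending a response anywhere. The host names, metadata and AuthnRequest are constructed sample data.

```python
"""IdP-side ACS URL verification against SP metadata, plus an approximation of
the ACS URL a SimpleSAMLphp SP derives from its host / 'baseurlpath'.

Added example; all hostnames, metadata and requests below are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed SP metadata: what the IdP has "on record" about the SP.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/sso-demo/www/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/sso-demo/www/module.php/saml/sp/saml2-acs.php/default-sp"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def ssp_sp_acs_url(host: str, baseurlpath: str = "simplesaml/",
                   source_id: str = "default-sp") -> str:
    """Approximate the ACS URL of an SSP saml:SP auth source (assumption: SSP 1.x
    layout). An absolute 'baseurlpath' is used as-is; a relative one is prefixed
    with the request host, as the thread describes."""
    if baseurlpath.startswith(("http://", "https://")):
        base = baseurlpath
    else:
        base = f"https://{host}/{baseurlpath.lstrip('/')}"
    return base.rstrip("/") + "/module.php/saml/sp/saml2-acs.php/" + source_id


def acs_endpoints(sp_metadata_xml: str) -> list:
    """Return [(location, is_default), ...] from the SP metadata, in document order."""
    root = ET.fromstring(sp_metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return [(acs.get("Location"), acs.get("isDefault", "false").lower() == "true")
            for acs in root.iterfind(path, NS)]


def resolve_response_destination(authn_request_xml: str, sp_metadata_xml: str):
    """IdP-side check: where may the SAML response be sent?

    - no AssertionConsumerServiceURL in the request -> the metadata default;
    - a requested URL that exactly matches a metadata Location -> that URL;
    - anything else -> None (reject rather than send the assertion to an
      endpoint the SP never registered)."""
    endpoints = acs_endpoints(sp_metadata_xml)
    requested = ET.fromstring(authn_request_xml).get("AssertionConsumerServiceURL")
    if requested is None:
        for location, is_default in endpoints:
            if is_default:
                return location
        return endpoints[0][0] if endpoints else None
    for location, _ in endpoints:
        if location == requested:  # exact string match, no normalisation
            return requested
    return None


def sample_authn_request(acs_url: str) -> str:
    """Constructed AuthnRequest carrying the ACS URL the SP asks for."""
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="_constructed-1" Version="2.0" IssueInstant="2021-03-05T10:52:00Z" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'AssertionConsumerServiceURL="{acs_url}"/>')


if __name__ == "__main__":
    generated = ssp_sp_acs_url("sp.example.test", "sso-demo/www/")
    print("SP generates:", generated)
    print("matching request ->", resolve_response_destination(sample_authn_request(generated), SP_METADATA))
    mismatch = "https://sp.example.test/sso/azure-saml/reply"  # constructed, not in metadata
    print("mismatching request ->", resolve_response_destination(sample_authn_request(mismatch), SP_METADATA))
```

The mismatching case is the situation in the thread: changing what the SP asks for does not help unless the IdP's copy of the SP metadata lists that same Location, so the fix is on whichever side holds the wrong record, not in the request.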

Hon Hei Hui

Mar 5, 2021, 12:46:12 PM3/5/21
to SimpleSAMLphp
Thanks Peter!
Thanks for your answer. I think I had better follow your instruction to change the ACS URL setting in the IdP
rather than change the ACS URL in the SP's responses (since SimpleSAMLphp as the SP will auto-generate it, and it is difficult to customize by myself. Am I right??)
Thank you again, Peter!
Thanks a lot!!!!

Hon Hei Hui

Mar 5, 2021, 12:55:26 PM3/5/21
to SimpleSAMLphp
Additional:
And I am not saying which one is right or wrong. Since the IdP account is handled by the other company and it is their company holiday, it is difficult to change the ACS URL in the IdP setting. So I was thinking of customizing the ACS URL myself (SP) to let the ACS URL match the one in the IdP so that it verifies the request.
After your reply I think I had better wait until the holiday ends and change the IdP ACS URL setting. Thank you Peter.

Sorry for wasting your valuable time! Thanks Peter!

Peter Schober

Mar 5, 2021, 1:33:48 PM3/5/21
to SimpleSAMLphp
* Hon Hei Hui <andyh...@gmail.com> [2021-03-05 18:55]:
> And i am not saying which one is right or wrong. SInce the IDP
> account is handled by the other company and it is the holiday of
> their company. so it is difficult to change the ACS URL of IDP
> setting. So i am thinking to customize the ACS URL by myself(SP) to
> let the ACS URL be match with the one IN (IDP) to verify the
> request.

I understand. But the ACS URL is the protocol location where your SP
wants to receive SAML responses. This is not the IDP's choice.
The IDP merely needs to know it and configure it.

> After your reply i think i am better to wait until the the holiday
> end and change the IDP ACS URL setting.

I wasn't aware of your time-sensitive needs but either way I wouldn't
know how to make SSP accept SAML responses on arbitrary URLs (so that
your software can be changed to match what other systems have
configured about your software -- you realise how "backwards this
is?).

-peter