Pass the entityID as a parameter in url of authentication requests


Robin Keith

Jun 29, 2010, 3:54:06 AM
to simpleSAMLphp
Hi,
Is it possible to get the SimpleSAML SP to pass the entity Id as a
parameter (called entityID) in the URL of an authentication request
passed to an IdP?
I'm using the OpenAthens IdP, and it looks like it is trying to
extract the entityID when it processes the message. It looks like it is OK
with the entityId missing from a basic SAML2 message, but then tries to
parse a Shibboleth message from the request and runs into problems.

Alternatively, how do you specify that a request is SAML only, or pass
some Shibboleth entries?

A couple of general questions:
My SP URLs look like module.php/saml/sp/. I noticed there is also a
SAML2 module. Is that defunct, and the saml module used instead now?
Do I need 'enable.saml20-sp' => true in my config.php to enable the
SP features? The documentation has it in some places but not others.
I'm using simpleSAMLphp 1.6.1.

I'm fairly new to all this, so any pointers would be appreciated.
Thanks,
Robin

Olav Morken

Jun 29, 2010, 6:48:25 AM
to simple...@googlegroups.com
On Tue, Jun 29, 2010 at 00:54:06 -0700, Robin Keith wrote:
> Hi,
> Is it possible to get the SimpleSAML SP to pass the entity Id as a
> parameter (called entityID) in the URL of an authentication request
> passed to an IdP?

No, that isn't part of the standard for SAML 2 authentication requests.
Maybe you are using IdP-initiated authentication, and therefore should
not be sending an authentication request to the IdP?

> I'm using the OpenAthens IdP, and it looks like it is trying to
> extract the entityID when it processes the message. It looks like it is OK
> with the entityId missing from a basic SAML2 message, but then tries to
> parse a Shibboleth message from the request and runs into problems.

simpleSAMLphp currently only supports the
'urn:mace:shibboleth:1.0:profiles:AuthnRequest'-binding for SAML 1
authentication. Apparently, OpenAthens uses a different "binding" for
its authentication requests.

Unfortunately, simpleSAMLphp does not currently support IdP-initiated
authentication with the SAML 1 protocol [1], so you cannot bypass this
restriction.

> Alternatively, how do you specify that a request is SAML only, or pass
> some Shibboleth entries?

simpleSAMLphp prefers SAML 2 over SAML 1, so if the IdP supports both
(as indicated by its metadata), it will use the SAML 2 protocol.

> A couple of general questions:
> My SP URLs look like module.php/saml/sp/. I noticed there is also a
> SAML2 module. Is that defunct, and the saml module used instead now?

The saml2-module (under modules/saml2/) was an experimental module. It
was replaced with the saml-module, which supports both SAML 1.1 and
SAML 2. I just committed some changes that moved what was used from the
saml2-module into the saml-module, and deleted the rest.

> Do I need 'enable.saml20-sp' => true in my config.php to enable the
> SP features? The documentation has it in some places but not others.
> I'm using simpleSAMLphp 1.6.1.

That option is only needed for the old SP implementation (the one
located in www/saml2/sp). As long as you don't use that one, the option
is unnecessary.


[1] http://code.google.com/p/simplesamlphp/issues/detail?id=308

--
Olav Morken
UNINETT / Feide
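To make the first point of the reply concrete: in a SAML 2 authentication request the SP's entityID is carried inside the request XML as the <saml:Issuer> element, and with the HTTP-Redirect binding that XML travels DEFLATE-compressed and base64-encoded in the SAMLRequest query parameter, so there is no separate entityID parameter for an IdP to read. The example below is added here and is not code from the thread or from simpleSAMLphp; it builds such a request, wraps it in the redirect binding, and shows what an IdP has to do to recover the Issuer. The example.org URLs and the function names are assumptions.

```python
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(sp_entity_id, acs_url, destination):
    """Minimal SAML 2.0 AuthnRequest (unsigned). The SP's entityID goes in
    <saml:Issuer>, not in a URL parameter of its own."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}" '
        f"Destination={quoteattr(destination)} "
        f"AssertionConsumerServiceURL={quoteattr(acs_url)} "
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def redirect_binding_url(xml, destination, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64,
    then URL-encode into the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return destination + "?" + urllib.parse.urlencode(params)


def issuer_from_redirect_url(url):
    """IdP side: the only place the SP's entityID can be read from is the
    Issuer element inside the decoded SAMLRequest."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15).decode("utf-8")
    root = ET.fromstring(xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return issuer.text if issuer is not None else None
```

A real deployment signs the redirect (SigAlg and Signature parameters) and validates Destination and IssueInstant on the IdP side; those steps are omitted here to keep the binding itself visible.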
