I'm trying to build a solution to the n-Tier problem of webmail (and other web applications that use a backend server). In the process I hit a wall in trying to integrate simplesaml in Horde[1].
I've configured an SP authentication source that works as expected with a test script:
<?php
// Load the simpleSAMLphp autoloader and select the SP authentication source
require_once('/var/www/saml/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('sp-webmail');
// Redirect to the IdP if there is no valid session yet; the browser returns here afterwards
$as->requireAuth();
// Attributes released by the IdP for the authenticated user
$attributes = $as->getAttributes();
print_r($attributes);
?>
outputs:
Array
(
[uid] => Array
(
[0] => ist24421
)
[servicetoken] => Array
(
[0] => U2FsdGVkX1//iCQ+8/ub4QbmhqJIXbncppqgCQ8bXyo=
)
)
and the log file (in debug mode) shows, as expected:
Feb 19 12:08:48 storker simplesamlphp[23400]: 7 [48cc575630] Library - Session: Check if session is valid. checkauthority:sp-webmail thisauthority:null isauthenticated:no remainingtime:-1266552528
Feb 19 12:08:48 storker simplesamlphp[23400]: 7 [48cc575630] Saved state: '_850cae6f161797616737590961e52756cb9d7e2556'
Feb 19 12:08:50 storker simplesamlphp[23400]: 7 [48cc575630] Loading state: '_850cae6f161797616737590961e52756cb9d7e2556'
Feb 19 12:08:50 storker simplesamlphp[23400]: 7 [48cc575630] Found 1 certificates in SAML2_Assertion
Feb 19 12:08:50 storker simplesamlphp[23400]: 7 [48cc575630] Filter config for https://id.ist.utl.pt/saml-testing->https://storker.ist.utl.pt/saml: array ()
Feb 19 12:08:50 storker simplesamlphp[23400]: 7 [48cc575630] Deleting state: '_850cae6f161797616737590961e52756cb9d7e2556'
Feb 19 12:08:50 storker simplesamlphp[23400]: 7 [48cc575630] Session: doLogin("sp-webmail")
Feb 19 12:08:50 storker simplesamlphp[23400]: 7 [48cc575630] Library - Session: Set IdP to : https://id.ist.utl.pt/saml-testing
Feb 19 12:08:50 storker simplesamlphp[23400]: 7 [48cc575630] Library - Session: Check if session is valid. checkauthority:sp-webmail thisauthority:sp-webmail isauthenticated:yes remainingtime:28800
Now, when I try to use the same authentication source from an Auth driver I wrote for Horde, something different happens on the SP's ACS:
State information lost, and no way to restart the request.
0: /var/www/saml/lib/SimpleSAML/Auth/State.php:158 (SimpleSAML_Auth_State::loadState)
1: /var/www/saml/modules/saml/www/sp/saml2-acs.php:19 (require)
2: /var/www/saml/www/module.php:135 (N/A)
and the log file shows:
Feb 19 12:15:47 storker simplesamlphp[23394]: 7 [5a0f9b46ea] Library - Session: Check if session is valid. checkauthority:sp-webmail thisauthority:null isauthenticated:no remainingtime:-1266552947
Feb 19 12:15:47 storker simplesamlphp[23394]: 7 [5a0f9b46ea] Saved state: '_ed46efdfe7d95df76542f3dfe3d60c68e84a817bfe'
Feb 19 12:16:54 storker simplesamlphp[23391]: 7 [2bf8f3f939] Loading state: '_ed46efdfe7d95df76542f3dfe3d60c68e84a817bfe'
Feb 19 12:16:54 storker simplesamlphp[23391]: 3 [2bf8f3f939] /saml/module.php/saml/sp/saml2-acs.php/sp-webmail - UserError: ErrCode:UNHANDLEDEXCEPTION: State+information+lost%2C+and+no+way+to+restart+the+request.
Feb 19 12:16:54 storker simplesamlphp[23391]: 3 [2bf8f3f939] Exception: Exception
Feb 19 12:16:54 storker simplesamlphp[23391]: 3 [2bf8f3f939] Backtrace:
Feb 19 12:16:54 storker simplesamlphp[23391]: 3 [2bf8f3f939] 0: /var/www/saml/lib/SimpleSAML/Auth/State.php:158 (SimpleSAML_Auth_State::loadState)
Feb 19 12:16:54 storker simplesamlphp[23391]: 3 [2bf8f3f939] 1: /var/www/saml/modules/saml/www/sp/saml2-acs.php:19 (require)
Feb 19 12:16:54 storker simplesamlphp[23391]: 3 [2bf8f3f939] 2: /var/www/saml/www/module.php:135 (N/A)
Feb 19 12:16:54 storker simplesamlphp[23391]: 3 [2bf8f3f939]
All SAML messages are the same (I've double-checked with both SP and IdP in debug mode), but the behaviour is different.
My question is: what can cause the state to be lost in simplesaml SP at this point (.../module.php/saml/sp/saml2-acs.php/sp-webmail)?
Best Regards
Miguel Cabeça
Out of curiosity: how will you authenticate to the IMAP daemon?
I've listed a few (most?) known ways/hacks to do this at
https://aai-wiki.univie.ac.at/Applikationen/Webmail
(the page's content itself is in English)
Drop me a line if you'd like to add something to this list.
-peter
For some reason you have two different sessions between where the state
is saved and where it is loaded (the session "trackid" has changed from
"5a0f9b46ea" to "2bf8f3f939").
This can have a number of causes, amongst others:
- Domain of the web site has changed, e.g. if you start from http://a/,
but are returned by the IdP to http://a.example.org/
- Different PHP session settings in your web application and in
simpleSAMLphp, e.g. if Horde sets session_name[1] to 'Horde', while
simpleSAMLphp uses 'PHPSESSION'.
- https vs. http: By default, simpleSAMLphp version 1.5.1 will create
cookies with the secure flag if it is accessed over https. If you
first access the site over https and then http, you will end up with
two different sessions. This only happens if you start at https - if
you start at http, only a non-secure cookie will be created, and it
will be shared between http and https. (Note: this behaviour has been
changed in subversion. It will now only create non-secure cookies by
default, and must be configured to create secure cookies.)
[1] http://php.net/manual/en/function.session-name.php
--
Olav Morken
UNINETT / Feide
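The trackid comparison Olav describes (the state is saved under one session id and loaded under another) can be done mechanically over a simpleSAMLphp debug log. The script below is an added example written by the editor; it is not code from simpleSAMLphp, Horde or anyone in this thread. It assumes the log line layout shown in the messages above (syslog timestamp, host, `simplesamlphp[pid]`, level, `[trackid]`, then `Saved state:` / `Loading state:` with the state id) and uses the lines quoted in the thread as its sample input.

```python
import re
from datetime import datetime

# Sample log: the "Saved state"/"Loading state" lines from the two runs quoted
# in the thread above (first the working test script, then the Horde driver),
# plus the error line; embedded here so the script runs offline.
SAMPLE_LOG = """\
Feb 19 12:08:48 storker simplesamlphp[23400]: 7 [48cc575630] Saved state: '_850cae6f161797616737590961e52756cb9d7e2556'
Feb 19 12:08:50 storker simplesamlphp[23400]: 7 [48cc575630] Loading state: '_850cae6f161797616737590961e52756cb9d7e2556'
Feb 19 12:15:47 storker simplesamlphp[23394]: 7 [5a0f9b46ea] Saved state: '_ed46efdfe7d95df76542f3dfe3d60c68e84a817bfe'
Feb 19 12:16:54 storker simplesamlphp[23391]: 7 [2bf8f3f939] Loading state: '_ed46efdfe7d95df76542f3dfe3d60c68e84a817bfe'
Feb 19 12:16:54 storker simplesamlphp[23391]: 3 [2bf8f3f939] /saml/module.php/saml/sp/saml2-acs.php/sp-webmail - UserError: ErrCode:UNHANDLEDEXCEPTION: State+information+lost%2C+and+no+way+to+restart+the+request.
"""

# Assumed line layout (inferred from the lines above, not a documented format):
#   <Mon DD HH:MM:SS> <host> simplesamlphp[<pid>]: <level> [<trackid>] <Saved|Loading> state: '<state-id>'
STATE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ simplesamlphp\[\d+\]: "
    r"\d+ \[(?P<trackid>[0-9a-f]+)\] (?P<action>Saved|Loading) state: '(?P<state>[^']+)'"
)


def analyse_state_log(log_text):
    """Pair every 'Loading state' with the 'Saved state' for the same state id.

    Returns (mismatches, orphans):
      mismatches: loads whose session trackid differs from the one that saved
                  the state (the symptom Olav points at above);
      orphans:    loads for which no save is present in this log at all
                  (e.g. a rotated log or a different SP instance).
    """
    saved = {}
    mismatches = []
    orphans = []
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # not a state save/load line (e.g. the UserError line)
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant for deltas
        if m["action"] == "Saved":
            saved[m["state"]] = (m["trackid"], when)
            continue
        if m["state"] not in saved:
            orphans.append({"state": m["state"], "loaded_trackid": m["trackid"]})
            continue
        saved_trackid, saved_when = saved[m["state"]]
        if saved_trackid != m["trackid"]:
            mismatches.append({
                "state": m["state"],
                "saved_trackid": saved_trackid,
                "loaded_trackid": m["trackid"],
                "seconds": int((when - saved_when).total_seconds()),
            })
    return mismatches, orphans


if __name__ == "__main__":
    bad, lost = analyse_state_log(SAMPLE_LOG)
    for r in bad:
        print(f"state {r['state']} saved in session {r['saved_trackid']} "
              f"but loaded {r['seconds']}s later in session {r['loaded_trackid']}: "
              "session cookie differs between the save and the ACS request")
    for r in lost:
        print(f"state {r['state']} loaded in session {r['loaded_trackid']} without a matching save")
```

On the thread's own lines this reports exactly one mismatch: the state saved under trackid 5a0f9b46ea and loaded 67 seconds later under 2bf8f3f939, while the test-script run pairs up cleanly. A reported mismatch tells you the browser presented a different (or no) simpleSAMLphp session cookie on the ACS request than on the request that started authentication, which is where the three causes in Olav's list (host name, session name, secure-cookie flag) should be checked.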
> - Different PHP session settings in your web application and in
> simpleSAMLphp, e.g. if Horde sets session_name[1] to 'Horde', while
> simpleSAMLphp uses 'PHPSESSION'.
This was the culprit. Unfortunately the Horde/IMP combination is a hell of redirects and sessions/cookies, and the task is proving more difficult than it should :-(
Thank you very much for your help in finding this.
Best Regards
Miguel Cabeça
> Out of curiosity: how will you authenticate to the IMAP daemon?
> I've listed a few (most?) known ways/hacks to do this at
> https://aai-wiki.univie.ac.at/Applikationen/Webmail
> (the page's content itself is in english)
An attribute named servicetoken generated at the IdP will carry a temporary encrypted token that will be validated by a pam_servicetoken PAM module. The IMAP server will be configured to use this PAM module.
It's like the Encrypted service-password in your page, but individualized for each user.
Best Regards
Miguel Cabeça
Thanks, didn't know about pam_servicetoken.
> It's like the Encrypted service-password in your page, but
> individualized for each user.
Jfyi, this was meant to be individualized for each user (each user
gets its own value).
cheers,
-peter
>> An attribute named servicetoken generated at the IdP will carry a
>> temporary encrypted token that will be validated by a
>> pam_servicetoken PAM module. The IMAP server will be configured to
>> use this PAM module.
>
> Thanks, didn't know about pam_servicetoken.
It doesn't exist yet :-) It's the next piece of the puzzle in my development effort.
Best Regards
Miguel Cabeça