"Invalid authentication source: saml" from Moodle's SAML plugin


Tim van Steenbergen

Sep 18, 2013, 6:54:45 AM9/18/13
to simple...@googlegroups.com

Hi,

Does anyone have experience with single sign-on (SSO) from (Relying Party) Moodle using SAML via simplesamlphp via (SP) Windows Azure's ACS to any (IdP) identity provider?

I have Moodle running on localhost, simplesamlphp running on another site (localhost:81/simplesaml), plugged in SAML in Moodle and set the SAML plugin setting "SimpleSAMLPHP Library path:" to its /lib: "C:\\xampp\htdocs\simplesamlphp-1.11.0\lib"

Also I have Windows Azure's ACS: tiekas.

Now I should be able to define an authentication source in simplesamlphp's config in file /config/authsource.php where I can modify

$config = array('default-sp' => array(
        'saml:SP',
        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => <what ID do I need to enter here for Windows Azure's ACS?>
and what other key values?

And also: is this a correct way to use simplesamlphp?

Best regards,

Tim van Steenbergen

Peter Schober

Sep 18, 2013, 7:29:51 AM9/18/13
to simple...@googlegroups.com
* Tim van Steenbergen <tim...@gmail.com> [2013-09-18 12:56]:
> Has anyone experience in single-sign-on (SSO) from (RelyingParty) Moodle
> using SAML via simplesamlphp via (SP) windowsAzures ACS to any (idP)
> idprovider?

WebSSO is only a function between a single IDP and a single HTTP user
agent, reducing the number of times you need to explicitly supply your
credentials.

No idea what that winblows ACS stuff is.

> I have Moodle running on localhost, simplesamlphp running on another site
> (localhost:81/simplesaml)

Why not have simpleSAMLphp in the same webserver?

> Also I have Windows Azure's ACS: tiekas.

No idea what that means.

> Now I should be able to define an authentication source in simplesamlphp's
> config in file /config/authsource.php where I can modify
>
> $config = array('default-sp' => array(
>         'saml:SP',
>         // The entity ID of this SP.
>         // Can be NULL/unset, in which case an entity ID is generated
>         // based on the metadata URL.
>         'entityID' => <what ID do I need to enter here for Windows Azure's
> ACS ?>

This list is for SimpleSAMLphp questions. Ask the vendor of that service.
-peter

Tim van Steenbergen

Sep 18, 2013, 9:10:17 AM9/18/13
to simple...@googlegroups.com, peter....@univie.ac.at
Hi Peter,

Ah, another Windows lover :-)  I know, it is not all good, but my customer has implemented Windows ACS: AccessControlService. So that is the SP of choice that I work with. Connecting Moodle to that SP is done via the Moodle plug-in SAML, which relies on (read: uses the library of) simpleSAMLphp to get to the SP.

Meanwhile, I found that there is a test function "Test authentication sources" in simpleSAMLphp. GREAT!! Loving the tool. With that I have succeeded in getting simpleSAMLphp to address Windows ACS!! How?
in /config/authsource.php I put
     'saml' => array(
        'saml:SP',
        'idp' => "WindowsLiveID",
     ),

in metadata/saml20-idp-remote.php I put:
$metadata['WindowsLiveID'] = array(
    'name' => array(
        'en' => 'Windows Live ID',
    ),
    'description'          => 'Here you can login with your Windows Live account.',
    'SingleSignOnService'  => 'https://tiekas.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=http%3a%2f%2fmoodlehost.net%2f',
);

Ok! Now that is the answer to my question.
Tested it from the login-page and got a lot further:
- clicked in Moodle on SSO-button
- it got to simpleSAMLphp
- forwarded to WindowsACS;
- received credentials from windows Live ID (also tried it with Google, just as good)
- got back to Moodle.

Unfortunately it got rejected there and routed back to the Windows Live login. Hmm, one last hurdle to take. But that is a different story. I will open a different post if I can't solve that.

Thanks and best regards,
Tim van Steenbergen

On Wednesday 18 September 2013 13:29:51 UTC+2, Peter Schober wrote:
> * Tim van Steenbergen <tim...@gmail.com> [2013-09-18 12:56]:
> > Has anyone experience in single-sign-on (SSO) from (RelyingParty) Moodle
> > using SAML via simplesamlphp via (SP) windowsAzures ACS to any (idP)
> > idprovider?
>
> WebSSO is only a function between a single IDP and a single HTTP user
> agent, reducing the number of times you need to explicitly supply your
> credentials.

Yep. Or even multiple IDPs.

> No idea what that winblows ACS stuff is.
>
> > I have Moodle running on localhost, simplesamlphp running on another site
> > (localhost:81/simplesaml)
>
> Why not have simpleSAMLphp in the same webserver?

Because Moodle was installed as a nice stand-alone package with XAMPP. SimpleSAMLphp was faster to implement on another XAMPP. It looked OK at the time. It does not really matter for my question, because Moodle's SAML plug-in only uses the library of simpleSAMLphp, NOT simpleSAMLphp as a running application.

> > Also I have Windows Azure's ACS: tiekas.
>
> No idea what that means.

To complete my sentence: "Also I have Windows Azure's ACS: tiekas.accesscontrol.windows.net", which is my own test environment.

> > Now I should be able to define an authentication source in simplesamlphp's
> > config in file /config/authsource.php where I can modify
> >
> > $config = array('default-sp' => array(
> >         'saml:SP',
> >         // The entity ID of this SP.
> >         // Can be NULL/unset, in which case an entity ID is generated
> >         // based on the metadata URL.
> >         'entityID' => <what ID do I need to enter here for Windows Azure's
> > ACS ?>
>
> This list is for SimpleSAMLphp questions. Ask the vendor of that service.

I will also do that, but I think this is also a valid question for a group like this, since it concerns both Windows ACS and simpleSAMLphp.

> -peter

Peter Schober

Sep 18, 2013, 9:27:55 AM9/18/13
to simple...@googlegroups.com
* Tim van Steenbergen <tim...@gmail.com> [2013-09-18 15:10]:
> I know, it is not all good but my customer has implemented Windows
> ACS: AccessControlService. So that is the SP of choice that I work
> with. Connecting Moodle to that SP is done via the Moodleplug-in
> SAML which relies on (read: uses the library of) simpleSAMLphp to
> get to the SP.

Hm. I thought Moodle will be the/a SAML SP, and now that ACS is the
SP. OK, both are SPs, who's the IDP then (and using what protocol)?
Never mind, seeing that you've solved this already.

> Tested it from the login-page and got a lot further:
> - clicked in Moodle on SSO-button
> - it got to simpleSAMLphp
> - forwarded to WindowsACS;
> - received credentials from windows Live ID (also tried it with Google,
> just as good)
> - got back to Moodle.
>
> Unfortunately it got rejected there and routed back to the Windows Live
> login. Hmm One last hurdle to take. But that is a different story. Will
> open a different post if I can't solve that.

You've lost me there anyway ;)
Good luck,
-peter

Tim van Steenbergen

Sep 18, 2013, 9:59:22 AM9/18/13
to simple...@googlegroups.com, peter....@univie.ac.at
Hi Peter,

Just for entertainment and future reference some explanation about my configuration:
RP: - Moodle (including the library from simpleSAMLphp and Moodle's SAML plug-in) is the Relying Party (RP)
SP: - Windows ACS is the Service Provider (SP); in this case simpleSAMLphp's SP functions are not used at all;
IDP: - Windows Live is the Identity Provider (IDP), but it is replaceable by any other, like Google, Yahoo or Windows Active Directory. That is done within Windows ACS, so not my problem :-)

Best regards,
Tim
On Wednesday 18 September 2013 15:27:55 UTC+2, Peter Schober wrote:

trekd...@gmail.com

Oct 16, 2013, 5:25:53 PM10/16/13
to simple...@googlegroups.com, peter....@univie.ac.at
I too am trying to get this to work and am a little put off by the fact that I cannot seem to import simplesamlphp metadata into Windows Azure ACS. I receive "ACS20010: No application service descriptors found." during the relying party configuration. I can't seem to parse the federation data published by ACS either. Any thoughts? Maybe you have witnessed this behavior as well, Tim?

My configuration: [Moodle 2.5 (SAML PLUGIN)] <--> [SimpleSAMLphp] <--> [Windows Azure ACS] <--> [Windows Azure AD] + [anything else Azure ACS could transform such as FaceBook or Google IDPs]

Jeff

Peter Schober

Oct 16, 2013, 7:27:38 PM10/16/13
to simple...@googlegroups.com
* trekd...@gmail.com <trekd...@gmail.com> [2013-10-16 23:26]:
> I too am trying to get this to work and am a little put off by the fact
> that I cannot seem to import simplesamlphp metadata into Windows Azure ACS.

There's no such thing as "simplesamlphp metadata" for interop (only as
internal representation as well as a JSON representation for discovery
services, none of which is relevant here).
There only is SAML 2.0 metadata which either is correct (schema valid
plus other semantic requirements) or not, most of which can be checked
with external tools.

> I receive: "ACS20010: No application service descriptors found." during the
> relying party configuration. I can't seem to parse the federation data
> published by ACS either.

The former is not for this list to debug and the latter is not a
technical error description -- what advice do you expect specifically
for "can't seem to parse"? Where is that metadata, what does it look
like, how did you try to parse it, what was the error message, etc.

> My configuration: [Moodle 2.5 (SAML PLUGIN)] <--> [SimpleSAMLphp] <-->
> [Windows Azure ACS] <--> [Windows Azure AD] + [anything else Azure ACS
> could transform such as FaceBook or Google IDPs]

As far as SSP (and this list) is concerned, any communication with SSP
using the SAML protocol is from software acting as a SAML IdP or SAML
SP. Here the Moodle plugin is the SAML SP, so whatever exchanges
protocol messages with that is acting as a SAML IdP (and needs to do
so according to the specification). None of the rest matters here.
-peter

trekd...@gmail.com

Oct 17, 2013, 9:21:12 AM10/17/13
to simple...@googlegroups.com, peter....@univie.ac.at
What I'm referring to by stating "can't seem to parse" is the built-in metadata parsing utility of simpleSAMLphp. When I insert the metadata provided by my Windows Azure ACS namespace (FederationMetadata.xml), instead of receiving an error or some outcome, it just sits there or shifts slightly. I'm familiar with this utility outputting a modified copy that I can insert into a saml20-idp-remote metadata file to define the IDP.


> The former is not for this list to debug and the latter is not a
> technical error description -- what advise do you expect specifically
> for "can't seem to parse"? Where is that metadata, how does it look
> like, how did you try to parse it, what was the error message, etc.

I did not ask you to debug the ACS20010 error but sometimes it helps to provide some additional information.

> As far as SSP (and this list) is concerned, any communication with SSP
> using the SAML protocol is from software acting as a SAML IdP or SAML
> SP. Here the Moodle plugin is the SAML SP, so whatever exchanges
> protocol messages with that is acting as a SAML IdP (and needs to do
> so according to the specification). None of the rest matters here.

I argued otherwise?

Jeff


Peter Schober

Oct 17, 2013, 9:45:22 AM10/17/13
to simple...@googlegroups.com
* trekd...@gmail.com <trekd...@gmail.com> [2013-10-17 15:21]:
> What I'm referring to by stating "can't seem to parse" is the built in
> metadata parsing utility of simpleSAMLphp. When I insert the metadata
> provided by my Windows Azure ACS namespace (FederationMetadata.xml),
> instead of receiving an error or some outcome, it just sits there or *shifts
> *slightly. I'm familiar with this utility outputting a modified copy that I
> can insert into a saml20-idp-remote metadata file to define the IDP.

Did you look at SSP's logfile and if so, is there something written to
it? If not, is there something after you increase the log level?

Did you use the web interface (admin/metadata-converter.php) for
converting the XML or something else? Have you tried using metarefresh.php?
$ simplesamlphp/modules/metarefresh/bin/metarefresh.php --help

Did you verify the SAML metadata you received somehow
(well-formedness, schema validity)?

> > The former is not for this list to debug and the latter is not a
> > technical error description -- what advise do you expect specifically
> > for "can't seem to parse"? Where is that metadata, how does it look
> > like, how did you try to parse it, what was the error message, etc.
>
> I did not ask you to debug the ACS20010 error but sometimes it helps
> to provide some additional information.

I was trying to handle expectations. This project does hardly have the
resources to support its own software, let alone anything else anyone
might want it to interop with.
-peter

trekd...@gmail.com

Oct 17, 2013, 9:46:13 AM10/17/13
to simple...@googlegroups.com, peter....@univie.ac.at

SimpleSAMLphp can, however, parse the Windows Azure AD application endpoint metadata just fine. Result:

$metadata['https://sts.windows.net/UID/'] = array(
    'entityid' => 'https://sts.windows.net/UID/',
    'contacts' => array(),
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => array(
        0 => array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://login.windows.net/UID/saml2',
        ),
    ),
    'SingleLogoutService' => array(
        0 => array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://login.windows.net/UID/saml2',
        ),
    ),
    'ArtifactResolutionService' => array(),
    'keys' => array(
        0 => array(
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => 'x509 removed',
        ),
    ),
);
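
Peter's checklist above (log file, well-formedness, schema validity) and the converter output Jeff posted apply to any IdP metadata handed to an SSP-based SP. The script below is an added example, not SimpleSAMLphp code and not anything from this thread's participants: it runs the pre-checks a practitioner would do before pasting a remote IdP into saml20-idp-remote.php. It checks that the document is well-formed XML, that the root is an md:EntityDescriptor, that an md:IDPSSODescriptor speaking SAML 2.0 is present (as opposed to only a WS-Federation RoleDescriptor, in which case a converter looking for a SAML IdP role has nothing to emit and reports the roles it did find), that every SingleSignOnService uses a SAML 2.0 binding over https, and that a signing certificate exists for the SP to verify responses with. It then renders the result in the array shape Jeff's converter output uses. Both metadata documents embedded in it are constructed for the example and are not ACS, Azure AD or Windows Live output; the entity IDs, endpoints and certificate text are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

# Constructed SAML 2.0 IdP metadata for this example (not ACS or Azure AD output).
SAML_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBfakeCertConstructedForTheExample==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed WS-Federation-only metadata: an STS role but no SAML 2.0 IdP role.
WSFED_ONLY_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="https://sts.example.test/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint><EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>https://sts.example.test/v2/wsfederation</Address>
    </EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return (info, problems). info is None unless an md:IDPSSODescriptor exists."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, ["not well-formed XML: %s" % exc]
    if root.tag != "{%s}EntityDescriptor" % MD:
        return None, ["root element is %s, expected md:EntityDescriptor" % root.tag]
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("EntityDescriptor carries no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Report the roles that are present instead, e.g. a WS-Federation STS role.
        roles = []
        for child in root:
            if child.tag.startswith("{%s}" % MD):
                xsi_type = child.get("{%s}type" % XSI)
                roles.append(child.tag.split("}", 1)[1] + (" (xsi:type %s)" % xsi_type if xsi_type else ""))
        problems.append("no md:IDPSSODescriptor; roles present: %s" % (", ".join(roles) or "none"))
        return None, problems
    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IDPSSODescriptor does not list %s" % SAML2_PROTOCOL)
    sso = []
    for ep in idp.findall("md:SingleSignOnService", NS):
        binding, location = ep.get("Binding"), ep.get("Location") or ""
        if binding not in SAML2_BINDINGS:
            problems.append("SingleSignOnService with non-SAML-2.0 binding %r" % binding)
            continue
        if not location.startswith("https://"):
            problems.append("SingleSignOnService %r is not https" % location)
        sso.append({"Binding": binding, "Location": location})
    if not sso:
        problems.append("no usable SingleSignOnService endpoint")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    if not certs:
        problems.append("no signing certificate: the SP could not verify responses")
    return {"entityid": entity_id, "SingleSignOnService": sso, "certs": certs}, problems

def to_ssp_php(info):
    """Render info in the saml20-idp-remote.php shape that SSP's converter emits."""
    out = ["$metadata['%s'] = array(" % info["entityid"],
           "    'entityid' => '%s'," % info["entityid"], "    'SingleSignOnService' => array("]
    for ep in info["SingleSignOnService"]:
        out.append("        array('Binding' => '%s', 'Location' => '%s')," % (ep["Binding"], ep["Location"]))
    out += ["    ),", "    'keys' => array("]
    for c in info["certs"]:
        out.append("        array('encryption' => false, 'signing' => true, "
                   "'type' => 'X509Certificate', 'X509Certificate' => '%s')," % c)
    out += ["    ),", ");"]
    return "\n".join(out)

if __name__ == "__main__":
    for name, doc in (("saml_idp", SAML_IDP_METADATA), ("wsfed_only", WSFED_ONLY_METADATA)):
        info, problems = check_idp_metadata(doc)
        print("== %s ==" % name, *["problem: " + p for p in problems], sep="\n")
        if info is not None:
            print(to_ssp_php(info))
```

This is a structural pre-check, not schema validation; run the file through an XSD validator for that. The binding check matters more than the URL check: a SingleSignOnService whose Location is a WS-Federation sign-in URL would still pass an https test, but an SSP saml:SP sends a SAML AuthnRequest in the format the declared binding names, so anything other than a SAML 2.0 binding is flagged before a first login attempt rather than after one fails.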

trekd...@gmail.com

Oct 17, 2013, 9:49:46 AM10/17/13
to simple...@googlegroups.com, peter....@univie.ac.at
Peter,


> Did you look at SSP's logfile and if so, is there something written to
> it? If not, is there something after you increase the log level?

> Did you use the web interface (admin/metadata-converter.php) for
> converting the XML or something else? Have you tried using metarefresh.php?
> $ simplesamlphp/modules/metarefresh/bin/metarefresh.php --help

> Did you verify the SAML metadata you recieved somehow
> (wellformedness, schema validity)?

I didn't know the parser logged. I'll take a look. Thanks


> I was trying to handle expectations. This project does hardly have the
> resources to support its own software, let alone anything else anyone
> might want it to interop with.

I completely understand.

Jeff


trekd...@gmail.com

Oct 17, 2013, 9:59:07 AM10/17/13
to simple...@googlegroups.com, peter....@univie.ac.at
My previous post:


> SimpleSAMLphp can however parse the Windows Azure AD application endpoint metadata just fine. Result:
> (metadata)

Was inaccurate. This is metadata that only pertains to Windows Azure AD, not ACS.
