What is 'enable.saml20-idp' => true and how do I configure it?


ljt...@gmail.com

May 2, 2017, 2:57:56 PM5/2/17
to SimpleSAMLphp
I'm following this instruction and on step 9, it talks about setting 'enable.saml20-idp' to true. However, when I do, besides the SAML 2.0 SP Metadata under the Federation tab I also see the SAML 2.0 IdP Metadata option. But when I clicked on Show Metadata, I got this error.

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_Error: METADATA
Backtrace:
0 /mnt/www/html/mywebdev/vendor/simplesamlphp/simplesamlphp/www/saml2/idp/metadata.php:222 (N/A)
Caused by: Exception: saml20-idp-hosted/'https://dev.www.mywebdev.edu/simplesaml/saml2/idp/metadata.php': Unable to load certificate/public key from file "/mnt/www/html/mywebdev/vendor/simplesamlphp/simplesamlphp/cert/server.crt".
Backtrace:
2 /mnt/www/html/mywebdev/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/Configuration.php:1246 (SimpleSAML_Configuration::getPublicKeys)
1 /mnt/www/html/mywebdev/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/Utils/Crypto.php:210 (SimpleSAML\Utils\Crypto::loadPublicKey)
0 /mnt/www/html/mywebdev/vendor/simplesamlphp/simplesamlphp/www/saml2/idp/metadata.php:41 (N/A)


How do I resolve this, and what does enable.saml20-idp set to true do? I set it to false and I was able to log in fine, but logging out errors out and the automatic roles population is not working in Drupal. Again, not sure if these two issues are related to this option being true or false.

Peter Schober

May 3, 2017, 4:45:01 AM5/3/17
to SimpleSAMLphp
* ljt...@gmail.com <ljt...@gmail.com> [2017-05-02 20:58]:
> I'm following this instruction
> <http://valuebound.com/resources/blog/how-to-configure-single-sign-on-across-multiple-drupal-8-platforms-or-websites>
> and

Are you sure you need a SAML IDP? You've been posting lots of stuff
here recently all to do with getting SSO for one Drupal instance of
yours (as a SAML SP). Is that now solved and now you're moving on to
creating a SAML IDP as well?

> But when I clicked on the Show Metadata, I got this error.
[...]
> Unable to load certificate/public key from file
> "/mnt/www/html/mywebdev/vendor/simplesamlphp/simplesamlphp/cert/server.crt".

It means what it says. You didn't follow the documentation and did not
create that key pair as instructed.

> How do I resolve this and what does this enable.saml20-idp set to true do?
> I set it to false and I was able I login fine but log out will error out as
> well as the roles automatic roles population is not working in Drupal.
> Again, not sure if these two issues are related to this option being true
> or false.

It seems to me you have no idea what you're doing, or why you should
set up a SAML IDP. You're just blindly following arbitrary
documentation you've found on the Internet.
-peter
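The key pair Peter is referring to is the one the IdP-hosted metadata points at: the error trace above fails in getPublicKeys while loading the file named by the `certificate` setting of metadata/saml20-idp-hosted.php (default `server.crt` in the cert/ directory, with the matching private key in `privatekey`, default `server.pem`). The script below is an added example, not code from the thread or from the SimpleSAMLphp project: it generates that self-signed pair the way the SimpleSAMLphp IdP documentation does (with openssl req) and then checks that both files parse and belong to each other, which is the check a practitioner wants before blaming the configuration. The key size, lifetime, CN and directory are my choices, and it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not SimpleSAMLphp project code). Creates the self-signed
# key pair that 'privatekey'/'certificate' in saml20-idp-hosted.php expect
# and verifies it. Assumes openssl is installed.
set -eu

gen_saml_keypair() {
  # $1 = cert directory, $2 = file basename, $3 = CN (the IdP/SP hostname)
  dir=$1; name=$2; cn=$3
  mkdir -p "$dir"
  # -nodes: unencrypted key, because the PHP process must read it without
  # a passphrase prompt. Key size and 10-year lifetime are assumptions.
  openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes \
    -subj "/CN=$cn" \
    -out "$dir/$name.crt" -keyout "$dir/$name.pem" 2>/dev/null
  # The private key must be readable by the web server user only; the
  # certificate is public (it ends up in the published metadata anyway).
  chmod 600 "$dir/$name.pem"
  chmod 644 "$dir/$name.crt"
}

verify_saml_keypair() {
  # $1 = certificate file, $2 = private key file.
  # Returns 0 when both parse as PEM and the key matches the certificate,
  # 1 otherwise, with the reason on stderr (the same class of failure that
  # surfaces as "Unable to load certificate/public key from file").
  crt=$1; key=$2
  [ -r "$crt" ] || { echo "cannot read certificate: $crt" >&2; return 1; }
  [ -r "$key" ] || { echo "cannot read private key: $key" >&2; return 1; }
  openssl x509 -in "$crt" -noout >/dev/null 2>&1 \
    || { echo "not a PEM certificate: $crt" >&2; return 1; }
  openssl pkey -in "$key" -noout >/dev/null 2>&1 \
    || { echo "not a PEM private key: $key" >&2; return 1; }
  # Compare the public key embedded in the certificate with the one
  # derived from the private key; they must be identical.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 1; }
  return 0
}

# Typical use (paths and hostname are placeholders):
#   gen_saml_keypair /path/to/simplesamlphp/cert server idp.example.edu
#   verify_saml_keypair /path/to/simplesamlphp/cert/server.crt \
#                       /path/to/simplesamlphp/cert/server.pem
```

Run the verify function as the web server user (for example with `sudo -u www-data sh -c '...'`): a pair that checks out as root but fails as the PHP user points at file permissions, not at SimpleSAMLphp. If you do not actually need to host an IdP, the simpler fix is to leave enable.saml20-idp at false, as the later replies in this thread explain; an SP-only installation does not read saml20-idp-hosted.php at all.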

ljt...@gmail.com

May 3, 2017, 7:38:05 AM5/3/17
to SimpleSAMLphp, peter....@univie.ac.at
Pete, thanks for the response. And yes, setting up SimpleSAMLphp is very new to me. I'm gathering as much information/documentation as possible and trying to see which works for me. No, I'm trying to set up SSO with SimpleSAMLphp. The reason I set enable.saml20-idp to true per the how-to-configure-single-sign-on-across-multiple-drupal-8-platforms-or-websites instruction is because I couldn't get the roles to work and it errors out when logging out. Okay, so if I'm only going to set up SimpleSAMLphp SSO then I do not need to set enable.saml20-idp to true, correct?

When you said I did not follow the documentation: I'm following too many documents, that's the problem. This is the main instruction that I initially followed but it does not seem to work; thus, I tried the how-to-configure-single-sign-on-across-multiple-drupal-8-platforms-or-websites documentation and various others. So, for setting up SimpleSAMLphp SSO, which is the one document that I should follow?

Peter Schober

May 3, 2017, 7:55:19 AM5/3/17
to SimpleSAMLphp
* ljt...@gmail.com <ljt...@gmail.com> [2017-05-03 13:38]:
> So, for setting up simpleSAMLphp SSO, what's the one documentation
> that I should follow?

You were able to find this support forum but not the documentation?
Anyway, to quote the first two steps from the third-party code you're
trying to use, at https://www.drupal.org/project/simplesamlphp_auth :

"Installation Overview
1. Install SimpleSAMLphp
https://simplesamlphp.org/docs/stable/simplesamlphp-install
2. Configure SimpleSAMLphp as a Service Provider
https://simplesamlphp.org/docs/stable/simplesamlphp-sp"

-peter

Chong Lor

May 3, 2017, 12:35:16 PM5/3/17
to SimpleSAMLphp
Again, the problem is not that I didn't find any documentation, I have found quite a lot but none of them seems to work for me...or I might have missed certain steps, settings, or configurations. The documentation you linked in your post, I've already gone through several times. In mysite.com/simplesaml I am able to "Test configured authentication sources" fine. There is no problem. I'm able to log out via the "Logout" link at the bottom of the successful test page that shows all my attribute names and values.

I'm sorry, I'm no expert. I admit I am a newbie to this SimpleSAMLphp setup and I'd appreciate your help, but you're not providing me with any useful information or advice that I have not gone through already.

These are the resources I've gone through regarding this whole simplesamlphp and simpsamlphp_auth setup.


And there are more, this is just the start but you wouldn't know that would you.




--
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/IKnawzlaT2Q/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlphp+unsubscribe@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at https://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/d/optout.

Jaime Perez Crespo

May 4, 2017, 4:13:26 AM5/4/17
to simple...@googlegroups.com
Hi Chong,

On 3 May 2017, at 18:35 PM, Chong Lor <ljt...@gmail.com> wrote:
> Again, the problem is not that I didn't find any documentation, I have found quite a lot but none of them seems to work for me...or that I might have missed certain steps, settings, or configurations. The documentation you linked in your post, I've already went through several times. In mysite.com/simplesaml I am able to "Test configured authentication sources" fine. There is no problem. I'm able to logout via the "Logout" link at the bottom of the successful test page that shows all my attribute names and value.

Then, SimpleSAMLphp is working fine and the issue is probably somewhere else.

> I'm sorry I'm no expert. I admit I am a newbie to this simplesamlphp setup and I'd appreciated your help but you're not providing me with any useful information or advice that I have not gone through already.

There’s no problem at all with being a newbie. This is what this mailing list is for. However, you need to understand that nobody will be able to help you out if you don’t provide sufficient technical information as well as general information on what you are trying to do. I get your frustration when things don’t work as you expect, but the frustration goes both ways when people demand our help but we don’t even get to know what they are doing or what the question is. Honestly, at this point I don’t even know what the issue is now after taking a look at all the messages you have sent here so far.

> These are the resources I've gone through regarding this whole simplesamlphp and simpsamlphp_auth setup.

Ok, let’s start here. “simplesamlphp_auth” is NOT related to SimpleSAMLphp. We can’t help you with that, because nobody in the project is responsible for that, has collaborated with that, or has used it. I understand the misunderstanding because it has “simplesamlphp” in the name. However, this would be the equivalent to asking Microsoft to provide support for every product ever made with “Windows” in its name.

So we can help you out if you have any issues with SimpleSAMLphp itself. But if SimpleSAMLphp works fine and you get an error from Drupal or this “simplesamlphp_auth” plugin, then I’m afraid there’s nothing we can do and you should ask in the appropriate forum. If the way to solve the issue is actually doing something in SimpleSAMLphp and you can’t find how to do that by reading the documentation, then that’s what you should be asking here about.
This documentation is for the latest development version of SimpleSAMLphp, which you shouldn’t be using unless you really know what you are doing (or unless you want to help us out with the development).

> https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted

As far as I understand, you want to use SAML in a Drupal installation. In that case, there’s no point in using this documentation. What you need is a Service Provider, not an Identity Provider. Therefore, what you are “hosting” is an SP, not an IdP, and that documentation is useless for you.

The very same front page of the Drupal plugin you are trying to use made that very clear:

—8<—
Prerequisites
• SimpleSAMLphp - you must have SimpleSAMLphp version 1.6 or newer installed and configured to operate as a service provider (SP).
—>8—
Apart from the fact that this documentation is about setting up SimpleSAMLphp as an IdP, which is not what you want, as I understand, you should also pay attention to the warning at the top right of the page. This documentation is for an extremely old version of SimpleSAMLphp, 1.5, from many, many years ago. You should always use the latest version of the software, and the corresponding documentation. I certainly hope you are not using SimpleSAMLphp 1.5.

> And there are more, this is just the start but you wouldn't know that would you.

The thing is, reading tons of documentation from all over the internet without trying to make sense out of it isn’t going to help you. We can’t know what you have done or not, you are right in that. And that’s precisely why you need to explain properly what you are trying to do, what you have done, and what’s wrong. We aren’t fortune-tellers, and trying to guess the responses to all those questions is exhausting and frustrating too, so don’t take it out on Peter because if his responses didn’t help, that’s your own responsibility.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Chong Lor

May 4, 2017, 7:43:57 AM5/4/17
to SimpleSAMLphp
Jaime,

—8<—
Prerequisites
        • SimpleSAMLphp - you must have SimpleSAMLphp version 1.6 or newer installed and configured to operate as a service provider (SP).
—>8—

Where do I find version 1.6 or higher? This page, https://simplesamlphp.org/download, only shows version 1.14.13.

Thanks!


--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:

https://simplesamlphp.org/support

Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.

Make sure to read the documentation:

https://simplesamlphp.org/docs/stable/

If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:

http://catb.org/~esr/faqs/smart-questions.html
---


Peter Schober

May 4, 2017, 7:56:29 AM5/4/17
to SimpleSAMLphp
* Chong Lor <ljt...@gmail.com> [2017-05-04 13:44]:
> Where do I find version 1.6 or higher? This page,
> https://simplesamlphp.org/download, only show version 1.14.13.

"1.14" is higher than "1.6" because 14 > 6.
So "1.6 or higher" also includes 1.14.
-peter

Chong Lor

May 4, 2017, 8:23:26 AM5/4/17
to SimpleSAMLphp
Sorry, I was looking at the "1" and not the whole number...my stupid mistake. I was looking at this whole thing for so long that my brain no longer functions. My apology.

Chong Lor

May 4, 2017, 8:25:03 AM5/4/17
to SimpleSAMLphp
To confirm everything in mysite.com/simplesaml works then the problem is probably somewhere else thing, correct? Thanks for the prompt response.

Chong Lor

May 4, 2017, 8:26:30 AM5/4/17
to SimpleSAMLphp
I mean if everything in mysite.com/simplesaml works...

Jaime Perez Crespo

May 10, 2017, 5:05:47 AM5/10/17
to simple...@googlegroups.com
Hi Chong,

On 4 May 2017, at 14:25 PM, Chong Lor <ljt...@gmail.com> wrote:
> To confirm everything in mysite.com/simplesaml works then the problem is probably somewhere else thing, correct? Thanks for the prompt response.

That’s correct. However, there could be misconfigurations that lead to errors in the application you are protecting but not in SimpleSAMLphp itself.

What kind of error are you experiencing?

Chong Lor

May 10, 2017, 7:51:48 AM5/10/17
to SimpleSAMLphp
Thank you all for the support, patience, and your time. I got it working now; everything with SimpleSAMLphp is working as it should. After I used a pattern to replace some of the values we received from the IdP, Drupal's automatic roles population works, and the logout issue was due to not specifying a logout URL when the user signed out. Again, many thanks!

Jaime Perez Crespo

May 10, 2017, 8:04:45 AM5/10/17
to SimpleSAMLphp
No problem, I’m glad you finally got everything working :-)

On 10 May 2017, at 13:51 PM, Chong Lor <ljt...@gmail.com> wrote:
> Thank you all for the support, patience, and your time. I got it working now; everything with SimpleSAMLphp is working as it should. After I used a pattern to replace some of the values we received from the IdP, Drupal's automatic roles population works, and the logout issue was due to not specifying a logout URL when the user signed out. Again, many thanks!
