Could not retrieve the required option 'entityID'

Murray Collingwood

May 6, 2025, 9:23:56 AM
to SimpleSAMLphp
I have just upgraded my simplesamlphp (using composer upgrade).
I always hate doing this because there are often things that break!

Anyways, it is done and now it's broke.

Unfortunately the message means very little to me.  What is an 'entityID'?  Where should it be?  Why couldn't it be retrieved?  Where should it be?  So many questions that could have been helped by having a better error message.

[6-5-25 11:09pm] [0]: My uncaught exception "SimpleSAML\Assert\AssertionFailedException" with message "authsources['sobs-sp']: Could not retrieve the required option 'entityID'." in /home/sobs/vendor/simplesamlphp/assert/src/Assert.php on line 382


Is somebody able to help me please????

Cheers
Murray



Sorin Gheorghiu

May 6, 2025, 9:31:10 AM
to simple...@googlegroups.com
Shouldn't 'entityID' for an SP be configured in the authsources.php file?
Here is the reference: https://simplesamlphp.org/docs/stable/simplesamlphp-sp.html

Regards
--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/c99ea3df-f52b-468c-84fe-c5f4efe5cd3an%40googlegroups.com.

-- 
Sorin Gheorghiu             Tel: +49 7531 88-3198
Universität Konstanz        Raum: B705
78464 Konstanz              sorin.g...@uni-konstanz.de

Kommunikations-, Informations-, Medienzentrum (KIM)
- IT-Dienste Forschung, Lehre, Infrastruktur -

Murray Collingwood

May 6, 2025, 10:53:33 AM
to simple...@googlegroups.com
Hi Sorin

I have posted responses twice on the google groups site, and both come up with this message:
image.png

Did I do something wrong???  Why am I being persecuted like this?

Cheers
Murray





--
Murray Collingwood
Focus Computing Pty Ltd

Australia ph 07 3175 0575
New Zealand ph 03 928 1699

Peter Schober

May 6, 2025, 12:30:58 PM
to simple...@googlegroups.com
Murray,

SimpleSAMLphp <simple...@googlegroups.com> [2025-05-06 15:24 CEST]:
> I have just upgraded my simplesamlphp (using composer upgrade).
> I always hate doing this because there is often things that break!

Agreed. What SSP versions did you upgrade from and to?
Did you have a look at the Upgrade Notes for the versions involved
when you performed that unspecified upgrade?
https://simplesamlphp.org/docs/stable/simplesamlphp-upgrade-notes.html

> Unfortunately the message means very little to me. What is an 'entityID'?

In SAML the entityID is the globally unique identifier for a SAML
entity, e.g. for a SAML Service Provider or Identity Provider.

As to why a missing entityID wasn't a problem for you so far, but
now is, see the 1st bullet point in section "Functional changes" for
the SSP 2.0 release notes,
https://simplesamlphp.org/docs/stable/simplesamlphp-upgrade-notes-2.0.html
where it says:

> EntityIDs are no longer auto-generated. Make sure to ...

with more details provided near the bottom of that same page:

https://simplesamlphp.org/docs/stable/simplesamlphp-upgrade-notes-2.0.html#upgrading-and-entityids

To minimise the changes affecting your deployment make sure to
set/configure the entityID to the exact same value that was previously
autogenerated by the software, as explained there.
(If you cannot determine the value the system previously autogenerated,
the Identity Provider/s accessing your SP may still have a copy of it
in their SAML 2.0 Metadata describing your SP.)

> Where should it be?

> [6-5-25 11:09pm] [0]: My uncaught exception
> "SimpleSAML\Assert\AssertionFailedException" with message
> "authsources['sobs-sp']: Could not retrieve the required option
> 'entityID'." in /home/sobs/vendor/simplesamlphp/assert/src/Assert.php on
> line 382

From the name 'sobs-sp' you've set I'm guessing this is about
configuring a SAML Service Provider. The first section of the
"SimpleSAMLphp Service Provider QuickStart" documentation at
https://simplesamlphp.org/docs/2.4/simplesamlphp-sp.html
tells you *where* it should be and how to set it.

Of course in your deployment it could be elsewhere, depending on how
you installed and configured SSP. So your task would be finding your
authsources.php and then making the changes mentioned in the SSP 2.0
release notes referenced above.

HTH,
-peter
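
Added example, not from the thread or from the SimpleSAMLphp code base: a standalone PHP check for the situation described in the reply above, listing every `saml:SP` source in an authsources-style array that has no `entityID`. The sample array, the `sp.example.org` base URL and the function name are constructed, and the suggested value assumes the pre-2.0 default was the SP's metadata URL; confirm it against the copy of your metadata held by the IdPs.

```php
<?php
declare(strict_types=1);

// Constructed sample in the layout of authsources.php. 'sobs-sp' is the source
// named in the error message; the other entries and all URLs are made up.
$config = [
    'admin'    => ['core:AdminPassword'],
    'sobs-sp'  => ['saml:SP', 'idp' => 'https://idp.example.org/entity'],
    'other-sp' => ['saml:SP', 'entityID' => 'https://sp.example.org/other'],
];

/**
 * Return the saml:SP sources that have no usable entityID, mapped to the
 * value assumed to have been auto-generated before 2.0 (the metadata URL).
 */
function missingEntityIds(array $config, string $baseUrl): array
{
    $missing = [];
    foreach ($config as $id => $source) {
        // Only saml:SP sources carry an entityID; skip everything else.
        if (!is_array($source) || ($source[0] ?? null) !== 'saml:SP') {
            continue;
        }
        $entityId = $source['entityID'] ?? null;
        if (!is_string($entityId) || trim($entityId) === '') {
            $missing[$id] = rtrim($baseUrl, '/')
                . '/module.php/saml/sp/metadata.php/' . rawurlencode((string) $id);
        }
    }
    return $missing;
}

// The base URL is an assumption; use the public URL of your own installation.
foreach (missingEntityIds($config, 'https://sp.example.org/simplesaml/') as $id => $legacy) {
    echo "authsources['$id'] has no entityID; candidate value to pin: $legacy\n";
}
```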

Murray Collingwood

May 7, 2025, 3:21:08 AM
to simple...@googlegroups.com
Hi Peter

Thanks for the reply, it is helpful, however more questions are being raised.

1. I have updated my authsources.php with the new EntityID

2. Modules.  The only record I could find was in the config.php
'module.enable' => array(
'metarefresh' => true,
'cron' => false
),
I do remember a few years ago I attempted to implement automatic exchange of certificates with the iDPs I'm connecting with, so I started working on the metarefresh module, but I couldn't get it to work.
Do we have a way of automatically updating the certificates when they get near expiry? Currently we are still loading them manually.
There's no changes required here that I'm aware of.

3. Base URL changes - I've never been aware of an admin menu, so I guess I don't need to worry about this one.

4. "SAML AuthnRequests" is that only applicable to iDP?  As an SP I don't think there is anything required.

5. NameIDFormat appears to have changed, but it's not clear whether this does need changing.  Does it impact the iDP or only the SP?
We have ~60 schools configured to authenticate using SAML, where each school has their own iDP.
If I change all of the NameIDFormat values for all these schools, will they still be able to authenticate?  
What is the impact of changing this parameter?


6. Again in my config.php I found authproc.idp (and reference to a filter) and authproc.sp (with no reference to a filter).  Can I assume the authproc filter is only for iDP?

7. "Sessions are no longer backwards compatible with previous versions. Make sure to clear your session cache during the upgrade process. How to do this depends on your session backend." 
Can you provide some examples of what this might look like?  I think my sessions are stored in memcached, so if I restart memcached would that be sufficient?

Cheers
Murray

PS Sorry to ask so many questions - I'm a full stack developer and keeping up with all of the libraries, upgrades, changes required (because people don't always build backwards compatibility these days), not to mention the libraries that are deprecated and we now have to change 100's of lines of code because we have to move to a new library, and then there is all of the system software, web software, security, maintaining unit testing, API interfaces with multiple sites and systems, customer development requests, and a business to run.  It really is hard to keep up, so the more detail you can include in the upgrade documentation is better.







Murray Collingwood

May 12, 2025, 7:15:49 AM
to simple...@googlegroups.com
Hi Peter

So, I've had another go at getting the SimpleSamlPHP upgrade in.

The current error I'm getting:

"SimpleSAML\Error\UnserializableException" with message "saml20-idp-remote/'https://sts.windows.net/6dc58e6b-66b4-45f8-a148-bb48b9a3cc94/'['SingleSignOnService']:['Location']: Expected a string or an array."


The code seems to be coming from saml20-idp-remote.php and the metadata I'm generating looks like this:

[12-May-2025 21:14:09 Australia/Brisbane] METADATA: Array
(
    [http://adfs.riverview.nsw.edu.au/adfs/services/trust] => Array
        (
            [assertion.encryption] => 
            [name] => Array
                (
                    [en] => SOBS network operations
                )

            [description] => SOBS
            [certificate] => EJu8YVedE4a6YPeVuzyNezuT_1.cer
            [SingleSignOnService] => Array
                (
                    [Location] => https://adfs.riverview.nsw.edu.au/adfs/ls/
                    [Binding] => urn:oasis:names:tc:SAML:2.0:nameid-format:transient
                )

            [SingleLogoutService] => Array
                (
                    [Location] => https://adfs.riverview.nsw.edu.au/adfs/ls/
                    [Binding] => urn:oasis:names:tc:SAML:2.0:nameid-format:transient
                )

        )

)


Please tell me what have I done wrong?

Cheers
Murray




Murray Collingwood

May 12, 2025, 9:15:56 AM
to simple...@googlegroups.com
Hi Peter

I've progressed, and regressed.

I now have this metadata generated.

[12-May-2025 23:06:24 Australia/Brisbane] METADATA: Array
(
    [https://saml.example.com/entityid] => Array
        (
            [assertion.encryption] => 
            [name] => Array
                (
                    [en] => SOBS network operations
                )

            [description] => Test College
            [certificate] => E9AhEGUnaHazAqYLA8ejA9Ym_1.pem
            [SingleSignOnService] => Array
                (
                    [0] => Array
                        (
                            [Location] => https://mocksaml.com/api/saml/sso
                            [Binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                        )

                )

            [SingleLogoutService] => Array
                (
                    [0] => Array
                        (
                            [Location] => https://mocksaml.com/api/saml/sso
                            [Binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
                        )

                )

            [NameIDFormat] => urn:oasis:names:tc:SAML:2.0:nameid-format:transient
        )

)


I'm directed off to the site to login, but I'm not getting any valid URL back, so it defaults to the home page (ie my default page when I get a page not found error 404)
As you can see I've been testing this with mocksaml, but it's doing the same - it's just not returning me to the application.

I'm really stuck and am not wanting to roll back to SAML 1.x 
Do you have any time available to help me please?

Cheers
Murray
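
Added example, not part of the thread or of SimpleSAMLphp: a standalone PHP check over the two endpoint shapes shown in the metadata dumps of 12 May. It assumes, as the second dump suggests, that each endpoint option must be a list of arrays with a Location and a Binding; the hosts, the function name and the https requirement are choices of this example.

```php
<?php
declare(strict_types=1);

const BINDING_PREFIX = 'urn:oasis:names:tc:SAML:2.0:bindings:';

/** Return the problems found in one endpoint option of a saml20-idp-remote entry. */
function checkEndpoints(array $entry, string $option): array
{
    $value = $entry[$option] ?? null;
    $problems = [];
    if (is_array($value) && isset($value['Location'])) {
        // Shape of the first dump: one keyed endpoint instead of a list.
        $problems[] = "$option: single keyed endpoint, expected a list of endpoint arrays";
        $value = [$value]; // wrap it so the endpoint itself is still checked
    }
    if (!is_array($value) || $value === [] || array_values($value) !== $value) {
        return ["$option: expected a non-empty list of endpoint arrays"];
    }
    foreach ($value as $i => $endpoint) {
        $where = sprintf('%s[%d]', $option, $i);
        $location = is_array($endpoint) ? ($endpoint['Location'] ?? null) : null;
        $binding = is_array($endpoint) ? ($endpoint['Binding'] ?? null) : null;
        // Requiring https is a policy choice of this example.
        if (!is_string($location) || !str_starts_with($location, 'https://')) {
            $problems[] = "$where: Location must be an https URL";
        }
        // A NameID format URN (":nameid-format:") in Binding fails this test.
        if (!is_string($binding) || !str_starts_with($binding, BINDING_PREFIX)) {
            $problems[] = "$where: Binding is not a SAML 2.0 binding URN";
        }
    }
    return $problems;
}

// Constructed entries reproducing the two shapes from the dumps (placeholder hosts).
$flat = ['SingleSignOnService' => [
    'Location' => 'https://idp.example.org/adfs/ls/',
    'Binding'  => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
]];
$list = ['SingleSignOnService' => [[
    'Location' => 'https://idp.example.org/sso',
    'Binding'  => BINDING_PREFIX . 'HTTP-Redirect',
]]];

foreach (['flat' => $flat, 'list' => $list] as $name => $entry) {
    $problems = checkEndpoints($entry, 'SingleSignOnService');
    echo $name . ': ' . ($problems === [] ? 'ok' : implode('; ', $problems)) . "\n";
}
```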





Tim van Dijen

May 12, 2025, 11:04:20 AM
to SimpleSAMLphp
Hey Murray!

Can I see this for myself? You have a url I can access to reproduce your issue?

- Tim


Murray Collingwood

May 12, 2025, 11:31:39 AM
to simple...@googlegroups.com
Hi Tim

It's 1:27am, I have just rolled everything back to SimpleSAMLPHP 1.x
I need to sleep and tackle this another day.

I was trying to setup a test using mocksaml.com, it was giving me the error below.
However, I've rolled back to SimpleSAMLPHP 1.x and it's still not working.  Not really sure how to configure mocksaml.com

Cheers
Murray








Murray Collingwood

May 12, 2025, 9:38:17 PM
to simple...@googlegroups.com
Hi Tim

I've rolled back all of the changes to SimpleSAMLPHP 1.x and customers can log in again.
One of the issues I have is I don't have my own iDP to test with, then I found the site mocksaml.com, so I tried to login using this site.  
So I'm trying to get this working with SimpleSAMLPHP 1.x so that when I upgrade to 2.4 I can use this as a test to ensure it is working.

I used the URL I sent you in the last email: https://sobs.com.au/ui/login.php?schoolid=1622

The login page appears:
image.png

When I click "Sign in" I'm redirected to: https://sobs.com.au/simplesaml/module.php/saml/sp/saml2-acs.php/sobs-sp and a blank page.
Is there any way I can get this working as a test site?

If not, what can I use as a test site?

Cheers
Murray

Dick Visser

May 13, 2025, 4:21:00 AM
to simple...@googlegroups.com
On Tue, 13 May 2025 at 03:38, 'Murray Collingwood' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> Hi Tim
>
> I've rolled back all of the changes to SimpleSAMLPHP 1.x and customers can log in again.

If your system is a simple VM, then a relatively easy way to test things is to clone the VM (or otherwise spin up a copy) and bring it online at a different IP address.
If you then add that to your own /etc/hosts file, you can test the upgrade without affecting regular users.

Dick

Tim van Dijen

May 13, 2025, 4:55:38 AM
to SimpleSAMLphp
A blank page is an indicator for a PHP fatal error. There should be a meaningful error in your logs (either SSP-logs, or PHP/webserver logs).

- Tim
