Login via "Test configured authentication sources" works but not with SP via SimpleSAMLphp-IdP to IdP
534 views
Skip to first unread message
emil.he...@gmail.com
Jul 14, 2017, 11:49:04 AM7/14/17
to SimpleSAMLphp
We have a working SimpleSAMLphp SP setup talking to a IdP and successfully logging them into our MediaWiki. (MediaWiki -> SP -> IdP) You can also login with the "Test configured authentication sources". (SP -> IdP)
What we've been trying to do now is to make SimpleSAMLphp act as a IdP, bridging our Node.js app. (Node.js SP -> SimpleSAMLphp-IdP -> IdP) This only work if you have signed in before from MediaWiki or the "Test configured authentication sources". If you haven't signed in with them it will fail when the Node.js app receives the response from SimpleSAMLphp-IdP.
This is the SAMLresponse when already signed in (via MediaWiki or the "Test configured authentication sources"):
This is the SAMLresponse when not signed in:
saml20-idp-hosted.php:
saml20-sp-remote.php:
This is the metadata.xml for the above:
saml20-idp-remote.php:
This is the SAML tracer log for a failed login (when not logged in via MediaWiki nor "Test configured authentication sources"):
This is the SAML tracer log for a successful login:
Why can't I sign in regulary?
What we've been trying to do now is to make SimpleSAMLphp act as a IdP, bridging our Node.js app. (Node.js SP -> SimpleSAMLphp-IdP -> IdP) This only work if you have signed in before from MediaWiki or the "Test configured authentication sources". If you haven't signed in with them it will fail when the Node.js app receives the response from SimpleSAMLphp-IdP.
This is the SAMLresponse when already signed in (via MediaWiki or the "Test configured authentication sources"):
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6cd0049eaf20d0f3d485b37920f58d45c3ab3bf5b8" Version="2.0" IssueInstant="2017-07-14T15:15:47Z" Destination="https://auth.example.se/login/callback" InResponseTo="_ece5b7fd65b7178fb0a0">
<saml:Issuer>https://sp.example.se/saml2/idp/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_6cd0049eaf20d0f3d485b37920f58d45c3ab3bf5b8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>t116UjBAX5xTUJRgiZhAWVG5J9Q=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>RFDmdTS39BsVdR0jZwf4NmaLz1EAWqJ4LZHUXjC/RETjG1o4e1vb1Fv9mSWwjqiLpD+NbAWlfdXfx89x5Em3CsDB0ISG0YK6ULi7CbPRwfG+IFVrGYh6P7btqYszsqhjNZqtwpkPmEkx6wJHNZy8U6V55WThwOtd2Dz2PBrWw47kSCpA0wrd6pryJ1fhjPQvmZm9T1hTQMF+S8jE9NNDDCT8BeQCYj0cnX/UTireJcaiQruiwUKl6cJjdHPDAplC+AbFm3de51ytpqnsIUe4qdoQEpx+n+OR0s2dq0NrLoz3Yrm6oESTPzrCGdih/dC3O7vis/I6q075MzpkMcyCGg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIID+zCCAuOgAwIBAgIJAIQN1ObL3C4UMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJTRTEPMA0GA1UECAwGU3dlZGVuMRMwEQYDVQQHDApHb3RoZW5idXJnMR4wHAYDVQQKDBVEYXRhdGVrbm9sb2dzZWt0aW9uZW4xCjAIBgNVBAsMAUQxFDASBgNVBAMMC0hhY2tlaG9sa2VuMRwwGgYJKoZIhvcNAQkBFg1kaGFja0BkdGVrLnNlMB4XDTE3MDIxMDE4MzIyMFoXDTI3MDIxMDE4MzIyMFowgZMxCzAJBgNVBAYTAlNFMQ8wDQYDVQQIDAZTd2VkZW4xEzARBgNVBAcMCkdvdGhlbmJ1cmcxHjAcBgNVBAoMFURhdGF0ZWtub2xvZ3Nla3Rpb25lbjEKMAgGA1UECwwBRDEUMBIGA1UEAwwLSGFja2Vob2xrZW4xHDAaBgkqhkiG9w0BCQEWDWRoYWNrQGR0ZWsuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxJqgUDbv7kISt8z5Rbq5zV3KipTHfZZ3oRKGKiHDxM38SF9ndLnBV/rHkSafuvHbTBtKFQMSu3ImolTDIdV8mn1At9GWHuLNijy3J9xRV+92shaVIMsx40SzfIzd8jbxMp9ZamrwwUrMRaivRYDWph8cS3Us99nFNTJ+cTsxQovAxv8VER8F+nFovQ+Xz8uTzcLEnKOp9Fr3hGTS9q+tCJ1F1NGHT0kwWAO9SrK3aUhgwlUM1GcpyN3uz78vnF2nwMzVcMrbHOZcESp9Yz62grKHAhSlPGMnXx1HnpzHgzFrXyL7cpN8yLxeBLRUNlBsut8cm1ueRgOxZhu2LRFevAgMBAAGjUDBOMB0GA1UdDgQWBBTdKjvF0jScRLV7h56kaDjlmQjvEzAfBgNVHSMEGDAWgBTdKjvF0jScRLV7h56kaDjlmQjvEzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCw7bXx72ClaClbSbJP3Vbk8lPpoMupowGy9EG0irV3lQsSingJR5QbKKzK4Jjndd1oflXkBKV6PXJgoFmecmmCFh4OKEmtLnfjOeIWmCV3AJ4XHd+fVS06U+H6oqFgk8WYpANk2qVkNp1FSYTmkp29GwU3NHZRgCHMWa23MtyzBSof46xChjgQxrt7bWRgqtBv2eHVlIwDRjh7CVHo6qpgFvLDUPLQP1tNsu3W+ESlx823THlwzXtijCbwNvx4nRYyIlLtOmmzkYvsLLX6XGLO8aSAB+iRtF/cj+5fmRzSmvMkTwR2hw3y+WiXS+RxWcGjeB9wrE5P9igSFTR4Er2Z</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_bc17fd67ee6e4b209dbc338cd34163b70ff370b1f6" Version="2.0" IssueInstant="2017-07-14T15:15:47Z">
<saml:Issuer>https://sp.example.se/saml2/idp/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_bc17fd67ee6e4b209dbc338cd34163b70ff370b1f6">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>tiy7UyvUKJbBtfTh9QwJb4cXOEw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>OjjszpoBJr8KY7Soe5uo8F02T4sVpb1RWJCGvJiwT8n663NYpXfK6cCxD91b16aGsunUmAPVUyb2r235eevEIXLVbsFAwL+MFs71bUnSbvhyiTVPF/ug0ADnLAfmjgfLMtKp0xhTMVHYLxK9r3Q1zW1WzFlssjQqchuRNn30jsJ5i2bgtUdmCCzmlBGF6T22PvkWaj1FieqaFOytvYzNKWY2vXkx60qRXwAiMOWk6VgEg9meaD1pxaEwQjOv0/rKUt3rLOvOM0aLAI8Wpd1gvT9n4f1BiiKn3J+qP4DF82MFEioFSsH4+3ClsSbYjymUpJYX1OJgtvO3KyRUku+N+Q==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIID+zCCAuOgAwIBAgIJAIQN1ObL3C4UMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJTRTEPMA0GA1UECAwGU3dlZGVuMRMwEQYDVQQHDApHb3RoZW5idXJnMR4wHAYDVQQKDBVEYXRhdGVrbm9sb2dzZWt0aW9uZW4xCjAIBgNVBAsMAUQxFDASBgNVBAMMC0hhY2tlaG9sa2VuMRwwGgYJKoZIhvcNAQkBFg1kaGFja0BkdGVrLnNlMB4XDTE3MDIxMDE4MzIyMFoXDTI3MDIxMDE4MzIyMFowgZMxCzAJBgNVBAYTAlNFMQ8wDQYDVQQIDAZTd2VkZW4xEzARBgNVBAcMCkdvdGhlbmJ1cmcxHjAcBgNVBAoMFURhdGF0ZWtub2xvZ3Nla3Rpb25lbjEKMAgGA1UECwwBRDEUMBIGA1UEAwwLSGFja2Vob2xrZW4xHDAaBgkqhkiG9w0BCQEWDWRoYWNrQGR0ZWsuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxJqgUDbv7kISt8z5Rbq5zV3KipTHfZZ3oRKGKiHDxM38SF9ndLnBV/rHkSafuvHbTBtKFQMSu3ImolTDIdV8mn1At9GWHuLNijy3J9xRV+92shaVIMsx40SzfIzd8jbxMp9ZamrwwUrMRaivRYDWph8cS3Us99nFNTJ+cTsxQovAxv8VER8F+nFovQ+Xz8uTzcLEnKOp9Fr3hGTS9q+tCJ1F1NGHT0kwWAO9SrK3aUhgwlUM1GcpyN3uz78vnF2nwMzVcMrbHOZcESp9Yz62grKHAhSlPGMnXx1HnpzHgzFrXyL7cpN8yLxeBLRUNlBsut8cm1ueRgOxZhu2LRFevAgMBAAGjUDBOMB0GA1UdDgQWBBTdKjvF0jScRLV7h56kaDjlmQjvEzAfBgNVHSMEGDAWgBTdKjvF0jScRLV7h56kaDjlmQjvEzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCw7bXx72ClaClbSbJP3Vbk8lPpoMupowGy9EG0irV3lQsSingJR5QbKKzK4Jjndd1oflXkBKV6PXJgoFmecmmCFh4OKEmtLnfjOeIWmCV3AJ4XHd+fVS06U+H6oqFgk8WYpANk2qVkNp1FSYTmkp29GwU3NHZRgCHMWa23MtyzBSof46xChjgQxrt7bWRgqtBv2eHVlIwDRjh7CVHo6qpgFvLDUPLQP1tNsu3W+ESlx823THlwzXtijCbwNvx4nRYyIlLtOmmzkYvsLLX6XGLO8aSAB+iRtF/cj+5fmRzSmvMkTwR2hw3y+WiXS+RxWcGjeB9wrE5P9igSFTR4Er2Z</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID SPNameQualifier="https://auth.example.se/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_8c3aedfb9b410fd2caafa378901fcbb233b4d60898</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2017-07-14T15:20:47Z" Recipient="https://auth.example.se/login/callback" InResponseTo="_ece5b7fd65b7178fb0a0"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2017-07-14T15:15:17Z" NotOnOrAfter="2017-07-14T15:20:47Z">
<saml:AudienceRestriction>
<saml:Audience>https://auth.example.se/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2017-07-14T15:15:38Z" SessionNotOnOrAfter="2017-07-14T23:15:38Z" SessionIndex="_c55e4a79f9f460206f71b6a4e18c7564364874a77e">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
<saml:AuthenticatingAuthority>http://idp.externalIDP.se/adfs/services/trust</saml:AuthenticatingAuthority>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="fullname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">RealNameHere</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">usernamehere</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">em...@address.here</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>This is the SAMLresponse when not signed in:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_b5983182861cda3eeb46dffceed00863694e67884d" Version="2.0" IssueInstant="2017-07-14T15:20:49Z" Destination="https://auth.example.se/login/callback" InResponseTo="_2011c07d17afcde1dbca">
<saml:Issuer>https://sp.example.se/saml2/idp/metadata.php</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_b5983182861cda3eeb46dffceed00863694e67884d">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Nxo6yAZrnqYJbBjjt0oFZeW31AE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>LX/aBssvROJ76v8V8w06/prFs0C+BqgjK2Tt7gmAWSx9OvMAzh+0mw0NpvNXVzaX19mZo6sE6p3TUu2qyPHPc8YAfg542cUqqHJMnwbGNuJvyapkBXuiYgijH6PhnrnUsmwYeFIOcBnKdbZshr+/byYJehhadqFYZkT+ScX1PFMwuOgtN1bpthne+Xy3i8ck6uroBsHTwXZkPzPcJ3SgouIZxePYT/Ejv6vA6z4lUAAE+No/Cp8RO/yAWoz2RkbM4XW8xx+6eXcT9V6A2rZyhrQTVy6/wSaz90fMvrpsGIoY9q1XbuEmwdM4QgLNqWj53hizhkrc1Vh1/k10/R9g4w==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIID+zCCAuOgAwIBAgIJAIQN1ObL3C4UMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJTRTEPMA0GA1UECAwGU3dlZGVuMRMwEQYDVQQHDApHb3RoZW5idXJnMR4wHAYDVQQKDBVEYXRhdGVrbm9sb2dzZWt0aW9uZW4xCjAIBgNVBAsMAUQxFDASBgNVBAMMC0hhY2tlaG9sa2VuMRwwGgYJKoZIhvcNAQkBFg1kaGFja0BkdGVrLnNlMB4XDTE3MDIxMDE4MzIyMFoXDTI3MDIxMDE4MzIyMFowgZMxCzAJBgNVBAYTAlNFMQ8wDQYDVQQIDAZTd2VkZW4xEzARBgNVBAcMCkdvdGhlbmJ1cmcxHjAcBgNVBAoMFURhdGF0ZWtub2xvZ3Nla3Rpb25lbjEKMAgGA1UECwwBRDEUMBIGA1UEAwwLSGFja2Vob2xrZW4xHDAaBgkqhkiG9w0BCQEWDWRoYWNrQGR0ZWsuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxJqgUDbv7kISt8z5Rbq5zV3KipTHfZZ3oRKGKiHDxM38SF9ndLnBV/rHkSafuvHbTBtKFQMSu3ImolTDIdV8mn1At9GWHuLNijy3J9xRV+92shaVIMsx40SzfIzd8jbxMp9ZamrwwUrMRaivRYDWph8cS3Us99nFNTJ+cTsxQovAxv8VER8F+nFovQ+Xz8uTzcLEnKOp9Fr3hGTS9q+tCJ1F1NGHT0kwWAO9SrK3aUhgwlUM1GcpyN3uz78vnF2nwMzVcMrbHOZcESp9Yz62grKHAhSlPGMnXx1HnpzHgzFrXyL7cpN8yLxeBLRUNlBsut8cm1ueRgOxZhu2LRFevAgMBAAGjUDBOMB0GA1UdDgQWBBTdKjvF0jScRLV7h56kaDjlmQjvEzAfBgNVHSMEGDAWgBTdKjvF0jScRLV7h56kaDjlmQjvEzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCw7bXx72ClaClbSbJP3Vbk8lPpoMupowGy9EG0irV3lQsSingJR5QbKKzK4Jjndd1oflXkBKV6PXJgoFmecmmCFh4OKEmtLnfjOeIWmCV3AJ4XHd+fVS06U+H6oqFgk8WYpANk2qVkNp1FSYTmkp29GwU3NHZRgCHMWa23MtyzBSof46xChjgQxrt7bWRgqtBv2eHVlIwDRjh7CVHo6qpgFvLDUPLQP1tNsu3W+ESlx823THlwzXtijCbwNvx4nRYyIlLtOmmzkYvsLLX6XGLO8aSAB+iRtF/cj+5fmRzSmvMkTwR2hw3y+WiXS+RxWcGjeB9wrE5P9igSFTR4Er2Z</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
</samlp:Status>
</samlp:Response>saml20-idp-hosted.php:
<?php
$metadata['__DYNAMIC:1__'] = array(
//$metadata['hosted'] = array(
'OrganizationName' => array(
'en' => 'xyz',
'se' => 'xyz',
),
'OrganizationURL' => 'https://www.example.se/',
/*
* The hostname for this IdP. This makes it possible to run multiple
* IdPs from the same configuration. '__DEFAULT__' means that this one
* should be used by default.
*/
'host' => 'sp.example.se',
/*
* The private key and certificate to use when signing responses.
* These are stored in the cert-directory.
*/
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
/*
* The authentication source which should be used to authenticate the
* user. This must match one of the entries in config/authsources.php.
*/
'auth' => 'external',
/*
* Unsure if this is needed /Emil Hemdal 2017-07-14
*/
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
// Convert LDAP names to oids.
100 => array('class' => 'core:AttributeMap', 'name2oid'),
),
);saml20-sp-remote.php:
<?php
/* This file was generated by the metarefresh module at 2017-07-14T15:01:05Z
Do not update it manually as it will get overwritten
*/
$metadata['https://auth.example.se/'] = array (
'entityid' => 'https://auth.example.se/',
'entityDescriptor' => 'PG1kOkVu...',
'contacts' =>
array (
),
'metadata-set' => 'saml20-sp-remote',
'AssertionConsumerService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://auth.example.se/login/callback',
'index' => 1,
'isDefault' => true,
),
),
'SingleLogoutService' =>
array (
),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'keys' =>
array (
0 =>
array (
'encryption' => true,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIGJD...',
',
),
),
'metarefresh:src' => 'https://auth.example.se/metadata.xml',
'expire' => 1500390065,
);
?>
This is the metadata.xml for the above:
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://auth.example.se/" ID="https___auth_example_se_">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIGJDCCB...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://auth.example.se/login/callback"/>
</SPSSODescriptor>
</EntityDescriptor>saml20-idp-remote.php:
<?php
/* This file was generated by the metarefresh module at 2017-07-14T15:01:05Z
Do not update it manually as it will get overwritten
*/
$metadata['http://idp.example.se/adfs/services/trust'] = array (
'entityid' => 'http://idp.example.se/adfs/services/trust',
'entityDescriptor' => 'PG1kOk...',
'description' =>
array (
'en' => 'example',
),
'OrganizationName' =>
array (
'en' => 'example',
),
'name' =>
array (
'sv' => 'example',
'en' => 'example',
),
'OrganizationDisplayName' =>
array (
'sv' => 'example',
'en' => 'example',
),
'url' =>
array (
'en' => 'http://www.example.se',
),
'OrganizationURL' =>
array (
'en' => 'http://www.example.se',
),
'contacts' =>
array (
0 =>
array (
'contactType' => 'technical',
'company' => 'example',
'surName' => 'IT-system',
'emailAddress' =>
array (
0 => 'mailto:bi...@example.se',
),
'telephoneNumber' =>
array (
0 => '+46 xx xxx xxxx',
),
),
1 =>
array (
'contactType' => 'support',
'company' => 'example',
'surName' => 'IT-support',
'emailAddress' =>
array (
0 => 'mailto:sup...@example.se',
),
'telephoneNumber' =>
array (
0 => '+46 xx xxx xxxx',
),
),
),
'metadata-set' => 'saml20-idp-remote',
'expire' => 1500390061,
'SingleSignOnService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.example.se/adfs/ls/',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://idp.example.se/adfs/ls/',
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.example.se/adfs/ls/',
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://idp.example.se/adfs/ls/',
),
),
'ArtifactResolutionService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => 'https://idp.example.se/adfs/services/trust/artifactresolution',
'index' => 0,
),
),
'NameIDFormats' =>
array (
0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
2 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
),
'keys' =>
array (
0 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIEgjC...',
),
1 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIH8zCCB...',
),
2 =>
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIEazCCA1O...',
),
),
'scope' =>
array (
0 => 'example.se',
),
'EntityAttributes' =>
array (
'urn:oasis:names:tc:SAML:attribute:assurance-certification' =>
array (
0 => 'http://www.xxxxxx.se/policy/assurance/al1',
),
),
'UIInfo' =>
array (
'DisplayName' =>
array (
'sv' => 'example',
'en' => 'example',
),
'Description' =>
array (
'sv' => 'Identity Provider för example',
'en' => 'Identity Provider for example',
),
'InformationURL' =>
array (
'sv' => 'http://www.example.se/',
'en' => 'http://www.example.se/en/',
),
'PrivacyStatementURL' =>
array (
),
),
'DiscoHints' =>
array (
'IPHint' =>
array (
0 => 'xxx.xx.x.x/16',
),
'DomainHint' =>
array (
0 => 'example.se',
),
'GeolocationHint' =>
array (
0 => 'geo:xx.xxxxxxx,xx.xxxxxxx',
),
),
'metarefresh:src' => 'https://xxx.xxxxx.se/md/xxxxx-idp.xml',
);This is the SAML tracer log for a failed login (when not logged in via MediaWiki nor "Test configured authentication sources"):
{"requests":[{"method":"GET","url":"https://auth.example.se/login","requestHeaders":[["Host","auth.example.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://auth.example.se/"],["Cookie","connect.sid={hash:71a4a75c6b66eda64ea4b4236e150243384875d8}"],["DNT","1"]],"get":[],"postData":"","post":[],"saml":null,"responseStatus":302,"responseStatusText":"Found","responseHeaders":[["Server","nginx/1.10.3"],["Date","Fri, 14 Jul 2017 15:33:42 GMT"],["Content-Length","0"],["X-Powered-By","Express"],["Location","https://sp.example.se/saml2/idp/SSOService.php?SAMLRequest=nVPBbuIwEP2VyHcSHCBoLUJFQatF6m4jku5hL5VxhmLVsb0ep2X%2Ffk0gFYeWAydLM8%2FPb94bz%2B4OjYrewKE0Oic0HpK7%2BQx5oyxbtH6vN%2FC3BfRRgGlkXSMnrdPMcJTING8AmResXPx8YGk8ZNYZb4RRJFqvcvKcjbbphO%2Bm2yzNJpSP6YRmJPrdPxhuBCBiC2uNnmsfSkM6HQynAzqu6ISNRmycxtm30R8SFWfqe6lrqV%2Bu69ieQMh%2BVFUxKB7LikQLRHA%2BPLw0GtsGXAnuTQp42jzkZO%2B9RZYkPIwd1x5eY4REmRepE8GV2nLxSqJV8EJq7jvx%2FQ20H%2FijQWkia5uU5eOZPbZ7S06msm5Ud%2BHm9SF4L5jMP5U3Sy5Y%2B9x%2BBZr1qjBKin%2B35PbduIb7r9E0pl1F1oNdB2XQcKkWde0AMbislHlfOuAecuJdCyTppZ23Ceput0IKHg437dbSNJY7iccY4MCF7w2%2BJF6q4N8GdrfYfRUmmDhSh3IRjnfj6uNqggiDVY5rtMb5czSf6Zmfel%2FY8dG9%2FH%2Fz%2Fw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=cwWhag71BOkjfVRqfV3rjR3sqKn1RfuSZou2nzYNMfPAq3Z0JnVwGgcziEfmzD9wc2g91eootpvaHHA6btfAxCsskHZvACBmh9KnMVwPkGY%2BVSqUboPeGXZOf5mHBK%2Bt6g2CsOGWfHv9PYj09ThybpT8S3gCSwCAeFTXaESgUqu7SBnfWFTBr2A76SUEesYLHCQnDPxIStGD07Fyi6ixUU2tgibgLei1qwbB0ceg7wDkK0jSwy0%2FFWVcRm4hkzPkFqIcyWe8aO10KAUpS%2FmzVUzaCXghbUPTTp%2FARzQS7k57xFQ3%2FtUF%2FfbHMSg8Fanmq3RqlG1PPRIfJ0DvhFV1B4Vc3N8BTuQ1UsW1xUyxzHkJrrmYrcA8VVEDLHSM0j4WceZyHf%2BIeB1JIHg4B8KMkgZvenqTcjtfiv554QwskU2sUtz%2BUT4b1yx6MAnj6drWRWcL4rOSVURxw4teXYNBho8xYJYeWciKi5gWzn5CNHJv599HbIrXfAEp%2Bsj4PobRWwS2%2B8AYSwi428uSzYV1%2FEN7ByxhoCd2UTgAui9vqWF5Tx6iglV4fyamCzPV1fnitaaIqYQg3KJiSri9tKEhw5XAGNBhl7Cdpa9kn%2Fv1la6nTuPukrt5YnS0jVmIttQK2WPhXhh2UjfmpvDZ%2FbwGyjdDZKATLLtbXZqE9sM7rX0%3D"],["X-Content-Type-Options","nosniff"],["X-Firefox-Spdy","h2"]],"id":0},{"method":"GET","url":"https://sp.example.se/saml2/idp/SSOService.php?SAMLRequest=nVPBbuIwEP2VyHcSHCBoLUJFQatF6m4jku5hL5VxhmLVsb0ep2X%2Ffk0gFYeWAydLM8%2FPb94bz%2B4OjYrewKE0Oic0HpK7%2BQx5oyxbtH6vN%2FC3BfRRgGlkXSMnrdPMcJTING8AmResXPx8YGk8ZNYZb4RRJFqvcvKcjbbphO%2Bm2yzNJpSP6YRmJPrdPxhuBCBiC2uNnmsfSkM6HQynAzqu6ISNRmycxtm30R8SFWfqe6lrqV%2Bu69ieQMh%2BVFUxKB7LikQLRHA%2BPLw0GtsGXAnuTQp42jzkZO%2B9RZYkPIwd1x5eY4REmRepE8GV2nLxSqJV8EJq7jvx%2FQ20H%2FijQWkia5uU5eOZPbZ7S06msm5Ud%2BHm9SF4L5jMP5U3Sy5Y%2B9x%2BBZr1qjBKin%2B35PbduIb7r9E0pl1F1oNdB2XQcKkWde0AMbislHlfOuAecuJdCyTppZ23Ceput0IKHg437dbSNJY7iccY4MCF7w2%2BJF6q4N8GdrfYfRUmmDhSh3IRjnfj6uNqggiDVY5rtMb5czSf6Zmfel%2FY8dG9%2FH%2Fz%2Fw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=cwWhag71BOkjfVRqfV3rjR3sqKn1RfuSZou2nzYNMfPAq3Z0JnVwGgcziEfmzD9wc2g91eootpvaHHA6btfAxCsskHZvACBmh9KnMVwPkGY%2BVSqUboPeGXZOf5mHBK%2Bt6g2CsOGWfHv9PYj09ThybpT8S3gCSwCAeFTXaESgUqu7SBnfWFTBr2A76SUEesYLHCQnDPxIStGD07Fyi6ixUU2tgibgLei1qwbB0ceg7wDkK0jSwy0%2FFWVcRm4hkzPkFqIcyWe8aO10KAUpS%2FmzVUzaCXghbUPTTp%2FARzQS7k57xFQ3%2FtUF%2FfbHMSg8Fanmq3RqlG1PPRIfJ0DvhFV1B4Vc3N8BTuQ1UsW1xUyxzHkJrrmYrcA8VVEDLHSM0j4WceZyHf%2BIeB1JIHg4B8KMkgZvenqTcjtfiv554QwskU2sUtz%2BUT4b1yx6MAnj6drWRWcL4rOSVURxw4teXYNBho8xYJYeWciKi5gWzn5CNHJv599HbIrXfAEp%2Bsj4PobRWwS2%2B8AYSwi428uSzYV1%2FEN7ByxhoCd2UTgAui9vqWF5Tx6iglV4fyamCzPV1fnitaaIqYQg3KJiSri9tKEhw5XAGNBhl7Cdpa9kn%2Fv1la6nTuPukrt5YnS0jVmIttQK2WPhXhh2UjfmpvDZ%2FbwGyjdDZKATLLtbXZqE9sM7rX0%3D","requestHeaders":[["Host","sp.example.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://auth.example.se/"],["DNT","1"]],"get":[["SAMLRequest","nVPBbuIwEP2VyHcSHCBoLUJFQatF6m4jku5hL5VxhmLVsb0ep2X/fk0gFYeWAydLM8/Pb94bz+4OjYrewKE0Oic0HpK7+Qx5oyxbtH6vN/C3BfRRgGlkXSMnrdPMcJTING8AmResXPx8YGk8ZNYZb4RRJFqvcvKcjbbphO+m2yzNJpSP6YRmJPrdPxhuBCBiC2uNnmsfSkM6HQynAzqu6ISNRmycxtm30R8SFWfqe6lrqV+u69ieQMh+VFUxKB7LikQLRHA+PLw0GtsGXAnuTQp42jzkZO+9RZYkPIwd1x5eY4REmRepE8GV2nLxSqJV8EJq7jvx/Q20H/ijQWkia5uU5eOZPbZ7S06msm5Ud+Hm9SF4L5jMP5U3Sy5Y+9x+BZr1qjBKin+35PbduIb7r9E0pl1F1oNdB2XQcKkWde0AMbislHlfOuAecuJdCyTppZ23Ceput0IKHg437dbSNJY7iccY4MCF7w2+JF6q4N8GdrfYfRUmmDhSh3IRjnfj6uNqggiDVY5rtMb5czSf6Zmfel/Y8dG9/H/z/w=="],["SigAlg","http://www.w3.org/2000/09/xmldsig#rsa-sha1"],["Signature","cwWhag71BOkjfVRqfV3rjR3sqKn1RfuSZou2nzYNMfPAq3Z0JnVwGgcziEfmzD9wc2g91eootpvaHHA6btfAxCsskHZvACBmh9KnMVwPkGY+VSqUboPeGXZOf5mHBK+t6g2CsOGWfHv9PYj09ThybpT8S3gCSwCAeFTXaESgUqu7SBnfWFTBr2A76SUEesYLHCQnDPxIStGD07Fyi6ixUU2tgibgLei1qwbB0ceg7wDkK0jSwy0/FWVcRm4hkzPkFqIcyWe8aO10KAUpS/mzVUzaCXghbUPTTp/ARzQS7k57xFQ3/tUF/fbHMSg8Fanmq3RqlG1PPRIfJ0DvhFV1B4Vc3N8BTuQ1UsW1xUyxzHkJrrmYrcA8VVEDLHSM0j4WceZyHf+IeB1JIHg4B8KMkgZvenqTcjtfiv554QwskU2sUtz+UT4b1yx6MAnj6drWRWcL4rOSVURxw4teXYNBho8xYJYeWciKi5gWzn5CNHJv599HbIrXfAEp+sj4PobRWwS2+8AYSwi428uSzYV1/EN7ByxhoCd2UTgAui9vqWF5Tx6iglV4fyamCzPV1fnitaaIqYQg3KJiSri9tKEhw5XAGNBhl7Cdpa9kn/v1la6nTuPukrt5YnS0jVmIttQK2WPhXhh2UjfmpvDZ/bwGyjdDZKATLLtbXZqE9sM7rX0="]],"postData":"","post":[],"saml":"<?xml version=\"1.0\"?><samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_63b25af7b62651a41516\" Version=\"2.0\" IssueInstant=\"2017-07-14T15:33:42.693Z\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"https://auth.example.se/login/callback\" Destination=\"https://sp.example.se/saml2/idp/SSOService.php\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">https://auth.example.se/</saml:Issuer><samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\" AllowCreate=\"true\"/><samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\"><saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>","responseStatus":302,"responseStatusText":"Found","responseHeaders":[["Server","nginx/1.10.3"],["Date","Fri, 14 Jul 2017 15:33:42 GMT"],["Content-Type","text/html; charset=UTF-8"],["Location","https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D"],["Set-Cookie","SimpleSAMLSessionID={hash:ac1384dabded25b8306ac621ccc7fa186226de16}; path={hash:42099b4af021e53fd8fd4e056c2568d7c2e3ffa8}; domain={hash:62c77791475b77b0ab9be846ba7bd4c2b59bcf0e};={hash:e81f971a363b6968df493f9c965f3d2197622d81};={hash:3bdf919e4ad9fa1e4d5a7bc92d744acf61457f3e}"],["Pragma","no-cache"],["Cache-Control","no-cache, must-revalidate"],["X-Content-Type-Options","nosniff"],["X-Firefox-Spdy","h2"]],"id":1},{"method":"GET","url":"https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D","requestHeaders":[["Host","idp.externalIDP.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://auth.example.se/"],["DNT","1"]],"get":[["SAMLRequest","fVLbjtowEP2VyO+JCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj/4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk+3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg+cEjco6H9V5OdmXU1VVajL+LLJ16sZ64F51ZG5JSWlNW+gjuCalKwglmGeSjqTIVoO52+CpS/Edxh9W48enh79yagvD+O2kbILpHBbtsZWnzlOof8c5aOrRoYzIti+Teme9sf7r9SEdziRS9/v9Nt9+2O3Fcn7KrPqm4/J/XpDBAEORNjGXr8nz84YfU5nNehuc1b+zuxAb4OsuTog1+XNPVRzBk0XPaUzOhZ+3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu+SS/57o8g8="]],"postData":"","post":[],"saml":"<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_37336debaa12b87ec6ea8d6c450d1e145e6aac1b7d\" Version=\"2.0\" IssueInstant=\"2017-07-14T15:33:42Z\" Destination=\"https://idp.externalIDP.se/adfs/ls/\" AssertionConsumerServiceURL=\"https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer>https://sp.example.se/metadata.xml</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/><samlp:Scoping><samlp:RequesterID>https://auth.example.se/</samlp:RequesterID></samlp:Scoping></samlp:AuthnRequest>","responseStatus":200,"responseStatusText":"OK","responseHeaders":[["Cache-Control","no-cache"],["Pragma","no-cache"],["Content-Type","text/html; charset=utf-8"],["Expires","-1"],["Server","Microsoft-IIS/7.5"],["X-AspNet-Version","2.0.50727"],["X-Powered-By","ASP.NET"],["Date","Fri, 14 Jul 2017 15:33:42 GMT"],["Content-Length","4896"]],"id":2},{"method":"GET","url":"https://idp.externalIDP.se/adfs/ls/MasterPages/StyleSheet.css?v=3.0.7","requestHeaders":[["Host","idp.externalIDP.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/css,*/*;q=0.1"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D"],["DNT","1"]],"get":[["v","3.0.7"]],"postData":"","post":[],"saml":null,"responseStatus":200,"responseStatusText":"OK","responseHeaders":[["Content-Type","text/css"],["Last-Modified","Thu, 28 Jan 2016 09:06:00 GMT"],["Accept-Ranges","bytes"],["Etag","\"0cc221bab59d11:0\""],["Server","Microsoft-IIS/7.5"],["X-Powered-By","ASP.NET"],["Date","Fri, 14 Jul 2017 15:33:44 GMT"],["Content-Length","1498"]],"id":3},{"method":"GET","url":"https://idp.externalIDP.se/adfs/ls/WebResource.axd?d=hLEDx2Tre7DJwg7RVHMf_Mf-kgKrW-eAd7AfvUFMBJySShU4Mk6WOorB1WHaj_Bc8TjyF266zjuDR3bE4d28dl24p0g1&t=635588660026805809","requestHeaders":[["Host","idp.externalIDP.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","*/*"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D"],["DNT","1"]],"get":[["d","hLEDx2Tre7DJwg7RVHMf_Mf-kgKrW-eAd7AfvUFMBJySShU4Mk6WOorB1WHaj_Bc8TjyF266zjuDR3bE4d28dl24p0g1"],["t","635588660026805809"]],"postData":"","post":[],"saml":null,"responseStatus":200,"responseStatusText":"OK","responseHeaders":[["Cache-Control","public"],["Content-Type","application/x-javascript"],["Expires","Fri, 13 Jul 2018 00:31:15 GMT"],["Last-Modified","Fri, 06 Feb 2015 23:33:22 GMT"],["Server","Microsoft-IIS/7.5"],["X-AspNet-Version","2.0.50727"],["X-Powered-By","ASP.NET"],["Date","Fri, 14 Jul 2017 15:33:44 GMT"],["Content-Length","20794"]],"id":4},{"method":"GET","url":"https://idp.externalIDP.se/adfs/ls/App_Themes/Default/externalIDP_black.png","requestHeaders":[["Host","idp.externalIDP.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","*/*"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D"],["DNT","1"]],"get":[],"postData":"","post":[],"saml":null,"responseStatus":200,"responseStatusText":"OK","responseHeaders":[["Content-Type","image/png"],["Last-Modified","Thu, 28 Jan 2016 09:06:00 GMT"],["Accept-Ranges","bytes"],["Etag","\"0cc221bab59d11:0\""],["Server","Microsoft-IIS/7.5"],["X-Powered-By","ASP.NET"],["Date","Fri, 14 Jul 2017 15:33:44 GMT"],["Content-Length","5885"]],"id":5},{"method":"GET","url":"https://idp.externalIDP.se/adfs/ls/WebResource.axd?d=ziXa7GMA7S9VWMFHYI4BOssrSGZUdsHLGfFP65zlM0CLjlfYv2xH8xrZK5m26uMiPXM7UXXm1PfUfJ6p6pR1pvXg6PA1&t=635588660026805809","requestHeaders":[["Host","idp.externalIDP.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","*/*"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D"],["DNT","1"]],"get":[["d","ziXa7GMA7S9VWMFHYI4BOssrSGZUdsHLGfFP65zlM0CLjlfYv2xH8xrZK5m26uMiPXM7UXXm1PfUfJ6p6pR1pvXg6PA1"],["t","635588660026805809"]],"postData":"","post":[],"saml":null,"responseStatus":200,"responseStatusText":"OK","responseHeaders":[["Cache-Control","public"],["Content-Type","application/x-javascript"],["Expires","Fri, 13 Jul 2018 00:31:15 GMT"],["Last-Modified","Fri, 06 Feb 2015 23:33:22 GMT"],["Server","Microsoft-IIS/7.5"],["X-AspNet-Version","2.0.50727"],["X-Powered-By","ASP.NET"],["Date","Fri, 14 Jul 2017 15:33:44 GMT"],["Content-Length","3005"]],"id":6},{"method":"POST","url":"https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D","requestHeaders":[["Host","idp.externalIDP.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Content-Type","application/x-www-form-urlencoded"],["Content-Length","418"],["Referer","https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D"],["DNT","1"]],"get":[["SAMLRequest","fVLbjtowEP2VyO+JCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj/4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk+3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg+cEjco6H9V5OdmXU1VVajL+LLJ16sZ64F51ZG5JSWlNW+gjuCalKwglmGeSjqTIVoO52+CpS/Edxh9W48enh79yagvD+O2kbILpHBbtsZWnzlOof8c5aOrRoYzIti+Teme9sf7r9SEdziRS9/v9Nt9+2O3Fcn7KrPqm4/J/XpDBAEORNjGXr8nz84YfU5nNehuc1b+zuxAb4OsuTog1+XNPVRzBk0XPaUzOhZ+3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu+SS/57o8g8="]],"postData":"{overwritten}","post":[["{hash:1d4b79a506cbb452b5b94ec2a0485046f413cc05}",""],["__VIEWSTATE","{hash:575f22a5492f2dcfc9d748e5cbb50bda35e9b717}"],["__VIEWSTATEGENERATOR","{hash:02d030b2430340ab5de575b45786c4cd086f2287}"],["{hash:58b3dbd1e597d43bb7e3733b5bddf9be4e02fc98}",""],["{hash:8909580fca04c45715a4c47209db56512d9dcf09}",""],["__EVENTVALIDATION","{hash:cfcc0c88205ec1022c874f29c6e33780fdd39826}"],["__db","{hash:f1abd670358e036c31296e66b3b66c382ac00812}"],["ctl00$ContentPlaceHolder1$UsernameTextBox","{hash:c1b52538f06f45e26b3e7114cb146cd746459670}"],["ctl00$ContentPlaceHolder1$PasswordTextBox","{hash:c8de8794a72690f565d07f1dfbc1abdaba08555d}"],["ctl00$ContentPlaceHolder1$SubmitButton","{hash:f8492cc1deac31fd73c80bbca9ae51f0def25837}"]],"saml":"<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_37336debaa12b87ec6ea8d6c450d1e145e6aac1b7d\" Version=\"2.0\" IssueInstant=\"2017-07-14T15:33:42Z\" Destination=\"https://idp.externalIDP.se/adfs/ls/\" AssertionConsumerServiceURL=\"https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer>https://sp.example.se/metadata.xml</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/><samlp:Scoping><samlp:RequesterID>https://auth.example.se/</samlp:RequesterID></samlp:Scoping></samlp:AuthnRequest>","responseStatus":302,"responseStatusText":"Found","responseHeaders":[["Cache-Control","no-cache"],["Pragma","no-cache"],["Content-Type","text/html; charset=utf-8"],["Expires","-1"],["Location","https://idp.externalIDP.se:443/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D"],["Server","Microsoft-IIS/7.5"],["x-xss-protection","0"],["X-AspNet-Version","2.0.50727"],["Set-Cookie","MSISAuth={hash:61d21a0bea1a283d14dccc5d63ffc75c2ac93563}; path={hash:1260429299f7f99a152c5468452709fa56d50560};={hash:e81f971a363b6968df493f9c965f3d2197622d81}; HttpOnly\nMSISAuth1={hash:fd8191f89b3c19fed4d4475d19d196ed4d5babba}; path={hash:1260429299f7f99a152c5468452709fa56d50560};={hash:e81f971a363b6968df493f9c965f3d2197622d81}; HttpOnly\nMSISIPSelectionPersistent={hash:9c9ab49bcb8d9dea32d4afa961d6119b3e1ddcbc}; expires={hash:5f4d9f82ece5a95dce8262ca9f4d1e84c8fb1485}; path={hash:1260429299f7f99a152c5468452709fa56d50560};={hash:e81f971a363b6968df493f9c965f3d2197622d81}; HttpOnly\nMSISAuthenticated={hash:d5ecfa0b6a6c68e72792a2908696db8cc9079ba7}; path={hash:1260429299f7f99a152c5468452709fa56d50560};={hash:e81f971a363b6968df493f9c965f3d2197622d81};={hash:3bdf919e4ad9fa1e4d5a7bc92d744acf61457f3e}"],["X-Powered-By","ASP.NET"],["Date","Fri, 14 Jul 2017 15:33:52 GMT"],["Content-Length","706"]],"id":7},{"method":"GET","url":"https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D","requestHeaders":[["Host","idp.externalIDP.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D"],["Cookie","MSISAuth={hash:61d21a0bea1a283d14dccc5d63ffc75c2ac93563}; MSISAuth1={hash:fd8191f89b3c19fed4d4475d19d196ed4d5babba}; MSISIPSelectionPersistent={hash:9c9ab49bcb8d9dea32d4afa961d6119b3e1ddcbc}; MSISAuthenticated={hash:d5ecfa0b6a6c68e72792a2908696db8cc9079ba7}"],["DNT","1"]],"get":[["SAMLRequest","fVLbjtowEP2VyO+JCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj/4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk+3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg+cEjco6H9V5OdmXU1VVajL+LLJ16sZ64F51ZG5JSWlNW+gjuCalKwglmGeSjqTIVoO52+CpS/Edxh9W48enh79yagvD+O2kbILpHBbtsZWnzlOof8c5aOrRoYzIti+Teme9sf7r9SEdziRS9/v9Nt9+2O3Fcn7KrPqm4/J/XpDBAEORNjGXr8nz84YfU5nNehuc1b+zuxAb4OsuTog1+XNPVRzBk0XPaUzOhZ+3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu+SS/57o8g8="]],"postData":"","post":[],"saml":"<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_37336debaa12b87ec6ea8d6c450d1e145e6aac1b7d\" Version=\"2.0\" IssueInstant=\"2017-07-14T15:33:42Z\" Destination=\"https://idp.externalIDP.se/adfs/ls/\" AssertionConsumerServiceURL=\"https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"><saml:Issuer>https://sp.example.se/metadata.xml</saml:Issuer><samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" AllowCreate=\"true\"/><samlp:Scoping><samlp:RequesterID>https://auth.example.se/</samlp:RequesterID></samlp:Scoping></samlp:AuthnRequest>","responseStatus":200,"responseStatusText":"OK","responseHeaders":[["Cache-Control","no-cache, no-store"],["Pragma","no-cache"],["Content-Type","text/html; charset=utf-8"],["Expires","-1"],["Server","Microsoft-IIS/7.5"],["X-AspNet-Version","2.0.50727"],["X-Powered-By","ASP.NET"],["Date","Fri, 14 Jul 2017 15:33:52 GMT"],["Content-Length","6416"]],"id":8},{"method":"POST","url":"https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP","requestHeaders":[["Host","sp.example.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Content-Type","application/x-www-form-urlencoded"],["Content-Length","6015"],["Referer","https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLbjtowEP2VyO%2BJCQGysgCJLlot0naLFtqHvlSDPVusOnbqmfTy9zVhQ3fViifLZ86ZOXOZEzSuVauOj%2F4Jv3dInP1qnCfVBxaii14FIEvKQ4OkWKvd6v2DGhcj1cbAQQcnXkmuK4AII9vgRbZZL8SXqq6qmcEDQDk%2B3NSoZwg3ZqYn05EpsZxMcQagy0NtRPYJIyXlQqRESU7U4cYTg%2BcEjco6H9V5OdmXU1VVajL%2BLLJ16sZ64F51ZG5JSWlNW%2BgjuCalKwglmGeSjqTIVoO52%2BCpS%2FEdxh9W48enh79yagvD%2BO2kbILpHBbtsZWnzlOof8c5aOrRoYzIti%2BTeme9sf7r9SEdziRS9%2Fv9Nt9%2B2O3Fcn7KrPqm4%2FJ%2FXpDBAEORNjGXr8nz84YfU5nNehuc1b%2BzuxAb4OsuTog1%2BXNPVRzBk0XPaUzOhZ%2B3EYFxITh2KORQZKdDm5wP35eDwrhZXzxDurSL67PTt8QBu%2BSS%2F57o8g8%3D"],["Cookie","SimpleSAMLSessionID={hash:ac1384dabded25b8306ac621ccc7fa186226de16}"],["DNT","1"]],"get":[],"postData":"{overwritten}","post":[["SAMLResponse","{hash:e0e6e62e2561aaab810ad66074a8b4c9a431cbcf}"]],"saml":"<samlp:Response ID=\"_4d4cc56a-1ebe-4ca2-bb40-30815a682254\" Version=\"2.0\" IssueInstant=\"2017-07-14T15:33:52.769Z\" Destination=\"https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP\" Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\" InResponseTo=\"_37336debaa12b87ec6ea8d6c450d1e145e6aac1b7d\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">http://idp.externalIDP.se/adfs/services/trust</Issuer><ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" /><ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\" /><ds:Reference URI=\"#_4d4cc56a-1ebe-4ca2-bb40-30815a682254\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" /><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" /></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\" /><ds:DigestValue>rrn03N3ZqK+PK/fL/8/JG2SkDzFX1GTN3VwdfMDk8To=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>JxMOsledRShjcJVSdkvQXCJd8tMgphsx1TsuZkDRV9LjxxPxUsFk99KUulVtbST3Mi4kKizFPbqZMoUkBuF6SyW8V6SWsDfh2bER6/hcXlk3Q7BFWXPXI2lSbNwcXyBEQWiCiLx+Z/q1eL66ohWhUQ5W/VpP/93qvs9hqdOjHph0L4SyF/nkh1pgrRIK48FeoyM67DthJPMg19uJ6zNeCf/uEAgVngJSJt5JWYQZMxFNDtoCPfSBW6Rs6OPosWofERUCnwJvnow1PHZoKEClVDGqNZ+zj/InB2K0vo9MIjC+YycsXAkuZ6At+FZHAMIy38gniukxhP3rmv7u88ZhGQ==</ds:SignatureValue><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIH8zCCBtugAwIBAgIQDaNbpG1dZnWHBOxGpbv0rTANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExJzAlBgNVBAMTHlRFUkVOQSBTU0wgSGlnaCBBc3N1cmFuY2UgQ0EgMzAeFw0xNzAxMTcwMDAwMDBaFw0xOTAxMjIxMjAwMDBaMIIBCDEdMBsGA1UEDwwUUHJpdmF0ZSBPcmdhbml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCU0UxFDASBgNVBAUTCzU1NjQ3OS01NTk4MRowGAYDVQQJExFDaGFsbWVyc3BsYXRzZW4gNDESMBAGA1UEERMJU0UtNDEyIDk2MQswCQYDVQQGEwJTRTEaMBgGA1UECAwRVsOkc3RyYSBHw7Z0YWxhbmQxEjAQBgNVBAcMCUfDtnRlYm9yZzEnMCUGA1UECgweQ2hhbG1lcnMgVGVrbmlza2EgSMO2Z3Nrb2xhIEFCMQwwCgYDVQQLEwNJVEExGDAWBgNVBAMTD2lkcC5jaGFsbWVycy5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALFvAWT7LPS4Gl0ywiMIHcPGzNFqgqtg1NveV5iPnHgTlh+T72kcQ099F2ueXIP0mC5r6Eguy8Hv4sTHajnLPmaRFWgs8VXbIRI+8UdmAeWomJAZbkS9iUbsToii+ShKGrvOoIenCagRbmjp+Sjz571sOZ8D/LQCWguvyQgeXToZXUD63OGsqu/FdOdWQUKcxxu2fAbqpJmdzetQmNVfdXPBulhGvhIDYU/3y2E+wUH45+4TQAYMOvcAuQpdVcuQf35G1IHRVbfnwbiDmIKAbkgAJKyETtNYzzkKEO7Mk7BVrlN8Hr7ny37Y+j6AVYm4SXgwJwOfbfuyZupGoqr1xGkCAwEAAaOCA+owggPmMB8GA1UdIwQYMBaAFMK4hdfhuRO90Ui8/V7cfZBCeoqpMB0GA1UdDgQWBBS6y7/8EjtLFGwWYPrfbZOSIHUdsjAaBgNVHREEEzARgg9pZHAuY2hhbG1lcnMuc2UwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBhQYDVR0fBH4wfDA8oDqgOIY2aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTEhpZ2hBc3N1cmFuY2VDQTMuY3JsMDygOqA4hjZodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vVEVSRU5BU1NMSGlnaEFzc3VyYW5jZUNBMy5jcmwwSwYDVR0gBEQwQjA3BglghkgBhv1sAgEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAHBgVngQwBATB7BggrBgEFBQcBAQRvMG0wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBFBggrBgEFBQcwAoY5aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTEhpZ2hBc3N1cmFuY2VDQTMuY3J0MAwGA1UdEwEB/wQCMAAwggH3BgorBgEEAdZ5AgQCBIIB5wSCAeMB4QB3AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABWaxG10EAAAQDAEgwRgIhAJ8aHnkMZUnmS8b14TxpxJ6bF0D+FyupZHydymr6eiUUAiEAxuc4R2xGwsTpTyiGrzjOhpFp1m8OxCXm6yy8DYnk8K8AdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAVmsRtgtAAAEAwBHMEUCIFKcHShfX2Vx0U6nMdOybcllepBjF/LBXosy+tF7uJ0gAiEAiKWCgJ8xNHsiPrnOjsSbgK/em6CxvJpTm7izwgd5jIwAdwDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAVmsRto2AAAEAwBIMEYCIQDgfq25uMuMnrenJ51ZO7iod0XsZtmlYPAXkVMga4xdSQIhAIQmrpUzpznhNfawdvezpjQWlDF8G18HFD0woxX11Do2AHUAu9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YUAAAFZrEbX8gAABAMARjBEAiAM8ZPi1tdEYR0RyY8lmlacibWB/jNVvhx6Xk3C+UNqVgIgDNDJu1z9oSB0H3Kn06flyp8sM7/2MbFpYItnoRLgJYgwDQYJKoZIhvcNAQELBQADggEBAE9MAeAKr+x0//3fQrt9lbyrJzEfISNp4g85PGGwVoBZL1LBDAMqLhtpnzVxpXBjQ51w94F2EM/dZVTQRnOjMby13diSqiui8FhGapmVJ6QR+Asw8r2JLQPpwE/isyaSy2JE4nBDZI8zf4uGxYGMu9/TACsGwnz9TO8pWsFgq9K7OgH+zibB3vGjTqZGy6nETbQcuHyZry6RDQM4edU5GNAVWDebpgWlRGfp648tPOaaku10gWwv3eWjOIEF/3SjGJ4/QvoQZD+bTc6kKPIdvI9wr3Hmn4rFA+kR8p3Pq6vwaiZmdEV2v+iKJG0QArS/ZIhQ3ogLOxWoYHNMu/G4K9I=</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Responder\" /></samlp:Status></samlp:Response>","responseStatus":200,"responseStatusText":"OK","responseHeaders":[["Server","nginx/1.10.3"],["Date","Fri, 14 Jul 2017 15:33:56 GMT"],["Content-Type","text/html; charset=UTF-8"],["X-Content-Type-Options","nosniff"],["Content-Encoding","gzip"],["X-Firefox-Spdy","h2"]],"id":9},{"method":"POST","url":"https://auth.example.se/login/callback","requestHeaders":[["Host","auth.example.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Content-Type","application/x-www-form-urlencoded"],["Content-Length","4029"],["Referer","https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP"],["Cookie","connect.sid={hash:71a4a75c6b66eda64ea4b4236e150243384875d8}; SimpleSAMLSessionID={hash:ac1384dabded25b8306ac621ccc7fa186226de16}"],["DNT","1"]],"get":[],"postData":"{overwritten}","post":[["SAMLResponse","{hash:03396045c94aec01a4bd567e8e0df8200927c013}"]],"saml":"<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_56eb681445327288804497956eae393270e7f10d6e\" Version=\"2.0\" IssueInstant=\"2017-07-14T15:33:56Z\" Destination=\"https://auth.example.se/login/callback\" InResponseTo=\"_63b25af7b62651a41516\"><saml:Issuer>https://sp.example.se/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n <ds:Reference URI=\"#_56eb681445327288804497956eae393270e7f10d6e\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/><ds:DigestValue>NFj1RkEaEL1wUacwESRvg3YeR7I=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>oHE4x4mEd3bkN50OFemXlXdqRTOWOJy/VPcf2M3fXN0lgUSQIdxlqPMKcAaYSWBHef8v4X9Lj0mW6AxFXPbez/YQBbSEiCf4cYuhvHe9RAHknL2zpSzT2ypGZTALagsRmt9ENb4fUGeYJBFk4iRCwoaqOLPFZgSPTo73YtL2P2RIdhcrnZnAlvEFQ7/FTlewKTmC0XHVaf+lmmtwtyNyGGOsi38BH9m+M2YWXfEYYHHpSDcArmSORW8SMVsixsu855aIyY8NNNYT5umKF7fk3XbaU7tpbDO99uK6q/nPugy64Iu4FNIML8nydv4GMWNW0/kRlhdnDOS6OjTyfXXKbQ==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID+zCCAuOgAwIBAgIJAIQN1ObL3C4UMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJTRTEPMA0GA1UECAwGU3dlZGVuMRMwEQYDVQQHDApHb3RoZW5idXJnMR4wHAYDVQQKDBVEYXRhdGVrbm9sb2dzZWt0aW9uZW4xCjAIBgNVBAsMAUQxFDASBgNVBAMMC0hhY2tlaG9sa2VuMRwwGgYJKoZIhvcNAQkBFg1kaGFja0BkdGVrLnNlMB4XDTE3MDIxMDE4MzIyMFoXDTI3MDIxMDE4MzIyMFowgZMxCzAJBgNVBAYTAlNFMQ8wDQYDVQQIDAZTd2VkZW4xEzARBgNVBAcMCkdvdGhlbmJ1cmcxHjAcBgNVBAoMFURhdGF0ZWtub2xvZ3Nla3Rpb25lbjEKMAgGA1UECwwBRDEUMBIGA1UEAwwLSGFja2Vob2xrZW4xHDAaBgkqhkiG9w0BCQEWDWRoYWNrQGR0ZWsuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxJqgUDbv7kISt8z5Rbq5zV3KipTHfZZ3oRKGKiHDxM38SF9ndLnBV/rHkSafuvHbTBtKFQMSu3ImolTDIdV8mn1At9GWHuLNijy3J9xRV+92shaVIMsx40SzfIzd8jbxMp9ZamrwwUrMRaivRYDWph8cS3Us99nFNTJ+cTsxQovAxv8VER8F+nFovQ+Xz8uTzcLEnKOp9Fr3hGTS9q+tCJ1F1NGHT0kwWAO9SrK3aUhgwlUM1GcpyN3uz78vnF2nwMzVcMrbHOZcESp9Yz62grKHAhSlPGMnXx1HnpzHgzFrXyL7cpN8yLxeBLRUNlBsut8cm1ueRgOxZhu2LRFevAgMBAAGjUDBOMB0GA1UdDgQWBBTdKjvF0jScRLV7h56kaDjlmQjvEzAfBgNVHSMEGDAWgBTdKjvF0jScRLV7h56kaDjlmQjvEzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCw7bXx72ClaClbSbJP3Vbk8lPpoMupowGy9EG0irV3lQsSingJR5QbKKzK4Jjndd1oflXkBKV6PXJgoFmecmmCFh4OKEmtLnfjOeIWmCV3AJ4XHd+fVS06U+H6oqFgk8WYpANk2qVkNp1FSYTmkp29GwU3NHZRgCHMWa23MtyzBSof46xChjgQxrt7bWRgqtBv2eHVlIwDRjh7CVHo6qpgFvLDUPLQP1tNsu3W+ESlx823THlwzXtijCbwNvx4nRYyIlLtOmmzkYvsLLX6XGLO8aSAB+iRtF/cj+5fmRzSmvMkTwR2hw3y+WiXS+RxWcGjeB9wrE5P9igSFTR4Er2Z</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Responder\"/></samlp:Status></samlp:Response>","responseStatus":500,"responseStatusText":"Internal Server Error","responseHeaders":[["Server","nginx/1.10.3"],["Date","Fri, 14 Jul 2017 15:33:58 GMT"],["Content-Type","text/html; charset=utf-8"],["Content-Length","940"],["X-Powered-By","Express"],["Content-Security-Policy","default-src 'self'"],["X-Content-Type-Options","nosniff"],["X-Firefox-Spdy","h2"]],"id":10}],"timestamp":1500046485892}This is the SAML tracer log for a successful login:
{"requests":[{"method":"GET","url":"https://auth.example.se/login","requestHeaders":[["Host","auth.example.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://auth.example.se/"],["Cookie","SimpleSAMLSessionID={hash:5e132596a5f20762f728f124ab5c305bf2908b7d}; SimpleSAMLAuthToken={hash:6bf3576e9e29059634a6dd1d064f61c5a0bdc404}; connect.sid={hash:36ee9745aa0e2619c8d18b92239fd63870366c74}"],["DNT","1"]],"get":[],"postData":"","post":[],"saml":null,"responseStatus":302,"responseStatusText":"Found","responseHeaders":[["Server","nginx/1.10.3"],["Date","Fri, 14 Jul 2017 15:40:02 GMT"],["Content-Length","0"],["X-Powered-By","Express"],["Location","https://sp.example.se/saml2/idp/SSOService.php?SAMLRequest=nVNNb%2BowEPwrke%2FkA7WP1iJUPFBVpH5EJO3hXZ4ceylWHdv1Oi399zWBIA4tB06Wdsfj2Zn1%2BGbTqOgDHEqjc5LFKbmZjJE1ytJp69d6Ce8toI8CTCPtGjlpnaaGoUSqWQNIPafl9OGeDuOUWme84UaRaDHPyf9LuKrFsM6uWFrXI7b6U68EiV76B8ONAERsYaHRM%2B1DKc1Gg3Q0yC6q7JJepDQNoOH1PxIVe%2Bq%2FUgupX0%2FrqHcgpHdVVQyKp7Ii0RQRnA8Pz4zGtgFXgvuQHJ6X9zlZe2%2BRJgkLY8fCw1uMkCjzKnXCmVI1428kmgcvpGa%2BE9%2FfQHvAbw0aJlLYpCyf9uyxXVuyM5V2o7ojN08PwXrBZPKjvHFyxNrn9hhoFvPCKMm%2Fzsnt1riG%2Bd%2FRWZx1FSkGqw5KoWFSTYVwgBhcVsp8zhwwDznxrgWS9NL22wSi262QgofNWbs1M41lTuI2Btgw7nuDj4lnKvi3hNU5dp%2BEccq31KFchOPTOLFdTeBhsMoxjdY4v4%2FmJz2TXe8XOw7d4%2F83%2BQY%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=TUmyRIYROMn5VMgrWVxXEE9JBDslSeFK52017rnCdWIYkmaY6CA2zBCk6PAQFcSrkwcfXwS4iKZEWbDEwRAxBigT6LOI7SWHlp0ch6U8TGu%2B4ueqAkRkPrwPzWDV4KXR7DS0kdXu5hzbb9w7bNKZ5cqSn%2BGPDB28qsGvGHYSUtUBZ7isb2cKJuqbPSt8%2FJMLoEZ7eEqT38WvjRah6B6bIncpbZPON3WIpfhLoXz%2FElTPZgx1uarDf4mgagGYvnSuox80epqTxUJcrs%2Fs7rCi2GqEB613DgkZs1oSyzMjTrQpmyI1thBhUfBjtBpN5hdn0m0XElad0xsgXTnfRO1ASWFvDtTGDubQP0mKSEjJCIXPGGiZt91wM8XoPLQrW00My0hSwo73b5RrDCFBJi%2BVFKjngaUJZSJM1N25NpClqL%2BdnjfOZ8x50m42JtpHVI5T2Ajvpkoo1ArzRZKV%2FWxyXt4GJHN05bW5LDayykzRIjMY7kNINA4zsJF3TdDOtaoQLoGwoIOlJ5UV07g%2BTenrGd6Qd3A6UJZZR6RrqWYyhBkzu6j7lZdGOt2nrpln%2F5PPT8vYFIucv8ogKc%2BDrMYQESFcXckJq303zEs%2Bgb8Z9u37qPY3vgJcR5gm%2BPSUcI%2F8t9aUvaV41GQonCjMSjkawjDUVcK98uHuX0VwujJmH2Y%3D"],["X-Content-Type-Options","nosniff"],["X-Firefox-Spdy","h2"]],"id":0},{"method":"GET","url":"https://sp.example.se/saml2/idp/SSOService.php?SAMLRequest=nVNNb%2BowEPwrke%2FkA7WP1iJUPFBVpH5EJO3hXZ4ceylWHdv1Oi399zWBIA4tB06Wdsfj2Zn1%2BGbTqOgDHEqjc5LFKbmZjJE1ytJp69d6Ce8toI8CTCPtGjlpnaaGoUSqWQNIPafl9OGeDuOUWme84UaRaDHPyf9LuKrFsM6uWFrXI7b6U68EiV76B8ONAERsYaHRM%2B1DKc1Gg3Q0yC6q7JJepDQNoOH1PxIVe%2Bq%2FUgupX0%2FrqHcgpHdVVQyKp7Ii0RQRnA8Pz4zGtgFXgvuQHJ6X9zlZe2%2BRJgkLY8fCw1uMkCjzKnXCmVI1428kmgcvpGa%2BE9%2FfQHvAbw0aJlLYpCyf9uyxXVuyM5V2o7ojN08PwXrBZPKjvHFyxNrn9hhoFvPCKMm%2Fzsnt1riG%2Bd%2FRWZx1FSkGqw5KoWFSTYVwgBhcVsp8zhwwDznxrgWS9NL22wSi262QgofNWbs1M41lTuI2Btgw7nuDj4lnKvi3hNU5dp%2BEccq31KFchOPTOLFdTeBhsMoxjdY4v4%2FmJz2TXe8XOw7d4%2F83%2BQY%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=TUmyRIYROMn5VMgrWVxXEE9JBDslSeFK52017rnCdWIYkmaY6CA2zBCk6PAQFcSrkwcfXwS4iKZEWbDEwRAxBigT6LOI7SWHlp0ch6U8TGu%2B4ueqAkRkPrwPzWDV4KXR7DS0kdXu5hzbb9w7bNKZ5cqSn%2BGPDB28qsGvGHYSUtUBZ7isb2cKJuqbPSt8%2FJMLoEZ7eEqT38WvjRah6B6bIncpbZPON3WIpfhLoXz%2FElTPZgx1uarDf4mgagGYvnSuox80epqTxUJcrs%2Fs7rCi2GqEB613DgkZs1oSyzMjTrQpmyI1thBhUfBjtBpN5hdn0m0XElad0xsgXTnfRO1ASWFvDtTGDubQP0mKSEjJCIXPGGiZt91wM8XoPLQrW00My0hSwo73b5RrDCFBJi%2BVFKjngaUJZSJM1N25NpClqL%2BdnjfOZ8x50m42JtpHVI5T2Ajvpkoo1ArzRZKV%2FWxyXt4GJHN05bW5LDayykzRIjMY7kNINA4zsJF3TdDOtaoQLoGwoIOlJ5UV07g%2BTenrGd6Qd3A6UJZZR6RrqWYyhBkzu6j7lZdGOt2nrpln%2F5PPT8vYFIucv8ogKc%2BDrMYQESFcXckJq303zEs%2Bgb8Z9u37qPY3vgJcR5gm%2BPSUcI%2F8t9aUvaV41GQonCjMSjkawjDUVcK98uHuX0VwujJmH2Y%3D","requestHeaders":[["Host","sp.example.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://auth.example.se/"],["Cookie","SimpleSAMLSessionID={hash:5e132596a5f20762f728f124ab5c305bf2908b7d}; SimpleSAMLAuthToken={hash:6bf3576e9e29059634a6dd1d064f61c5a0bdc404}"],["DNT","1"]],"get":[["SAMLRequest","nVNNb+owEPwrke/kA7WP1iJUPFBVpH5EJO3hXZ4ceylWHdv1Oi399zWBIA4tB06Wdsfj2Zn1+GbTqOgDHEqjc5LFKbmZjJE1ytJp69d6Ce8toI8CTCPtGjlpnaaGoUSqWQNIPafl9OGeDuOUWme84UaRaDHPyf9LuKrFsM6uWFrXI7b6U68EiV76B8ONAERsYaHRM+1DKc1Gg3Q0yC6q7JJepDQNoOH1PxIVe+q/UgupX0/rqHcgpHdVVQyKp7Ii0RQRnA8Pz4zGtgFXgvuQHJ6X9zlZe2+RJgkLY8fCw1uMkCjzKnXCmVI1428kmgcvpGa+E9/fQHvAbw0aJlLYpCyf9uyxXVuyM5V2o7ojN08PwXrBZPKjvHFyxNrn9hhoFvPCKMm/zsnt1riG+d/RWZx1FSkGqw5KoWFSTYVwgBhcVsp8zhwwDznxrgWS9NL22wSi262QgofNWbs1M41lTuI2Btgw7nuDj4lnKvi3hNU5dp+Eccq31KFchOPTOLFdTeBhsMoxjdY4v4/mJz2TXe8XOw7d4/83+QY="],["SigAlg","http://www.w3.org/2000/09/xmldsig#rsa-sha1"],["Signature","TUmyRIYROMn5VMgrWVxXEE9JBDslSeFK52017rnCdWIYkmaY6CA2zBCk6PAQFcSrkwcfXwS4iKZEWbDEwRAxBigT6LOI7SWHlp0ch6U8TGu+4ueqAkRkPrwPzWDV4KXR7DS0kdXu5hzbb9w7bNKZ5cqSn+GPDB28qsGvGHYSUtUBZ7isb2cKJuqbPSt8/JMLoEZ7eEqT38WvjRah6B6bIncpbZPON3WIpfhLoXz/ElTPZgx1uarDf4mgagGYvnSuox80epqTxUJcrs/s7rCi2GqEB613DgkZs1oSyzMjTrQpmyI1thBhUfBjtBpN5hdn0m0XElad0xsgXTnfRO1ASWFvDtTGDubQP0mKSEjJCIXPGGiZt91wM8XoPLQrW00My0hSwo73b5RrDCFBJi+VFKjngaUJZSJM1N25NpClqL+dnjfOZ8x50m42JtpHVI5T2Ajvpkoo1ArzRZKV/WxyXt4GJHN05bW5LDayykzRIjMY7kNINA4zsJF3TdDOtaoQLoGwoIOlJ5UV07g+TenrGd6Qd3A6UJZZR6RrqWYyhBkzu6j7lZdGOt2nrpln/5PPT8vYFIucv8ogKc+DrMYQESFcXckJq303zEs+gb8Z9u37qPY3vgJcR5gm+PSUcI/8t9aUvaV41GQonCjMSjkawjDUVcK98uHuX0VwujJmH2Y="]],"postData":"","post":[],"saml":"<?xml version=\"1.0\"?><samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_5e8bd2b18a0bb7af6bfd\" Version=\"2.0\" IssueInstant=\"2017-07-14T15:40:02.029Z\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"https://auth.example.se/login/callback\" Destination=\"https://sp.example.se/saml2/idp/SSOService.php\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">https://auth.example.se/</saml:Issuer><samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\" AllowCreate=\"true\"/><samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\"><saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>","responseStatus":200,"responseStatusText":"OK","responseHeaders":[["Server","nginx/1.10.3"],["Date","Fri, 14 Jul 2017 15:40:02 GMT"],["Content-Type","text/html; charset=UTF-8"],["X-Content-Type-Options","nosniff"],["Content-Encoding","gzip"],["X-Firefox-Spdy","h2"]],"id":1},{"method":"POST","url":"https://auth.example.se/login/callback","requestHeaders":[["Host","auth.example.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Content-Type","application/x-www-form-urlencoded"],["Content-Length","10103"],["Referer","https://sp.example.se/saml2/idp/SSOService.php?SAMLRequest=nVNNb%2BowEPwrke%2FkA7WP1iJUPFBVpH5EJO3hXZ4ceylWHdv1Oi399zWBIA4tB06Wdsfj2Zn1%2BGbTqOgDHEqjc5LFKbmZjJE1ytJp69d6Ce8toI8CTCPtGjlpnaaGoUSqWQNIPafl9OGeDuOUWme84UaRaDHPyf9LuKrFsM6uWFrXI7b6U68EiV76B8ONAERsYaHRM%2B1DKc1Gg3Q0yC6q7JJepDQNoOH1PxIVe%2Bq%2FUgupX0%2FrqHcgpHdVVQyKp7Ii0RQRnA8Pz4zGtgFXgvuQHJ6X9zlZe2%2BRJgkLY8fCw1uMkCjzKnXCmVI1428kmgcvpGa%2BE9%2FfQHvAbw0aJlLYpCyf9uyxXVuyM5V2o7ojN08PwXrBZPKjvHFyxNrn9hhoFvPCKMm%2Fzsnt1riG%2Bd%2FRWZx1FSkGqw5KoWFSTYVwgBhcVsp8zhwwDznxrgWS9NL22wSi262QgofNWbs1M41lTuI2Btgw7nuDj4lnKvi3hNU5dp%2BEccq31KFchOPTOLFdTeBhsMoxjdY4v4%2FmJz2TXe8XOw7d4%2F83%2BQY%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=TUmyRIYROMn5VMgrWVxXEE9JBDslSeFK52017rnCdWIYkmaY6CA2zBCk6PAQFcSrkwcfXwS4iKZEWbDEwRAxBigT6LOI7SWHlp0ch6U8TGu%2B4ueqAkRkPrwPzWDV4KXR7DS0kdXu5hzbb9w7bNKZ5cqSn%2BGPDB28qsGvGHYSUtUBZ7isb2cKJuqbPSt8%2FJMLoEZ7eEqT38WvjRah6B6bIncpbZPON3WIpfhLoXz%2FElTPZgx1uarDf4mgagGYvnSuox80epqTxUJcrs%2Fs7rCi2GqEB613DgkZs1oSyzMjTrQpmyI1thBhUfBjtBpN5hdn0m0XElad0xsgXTnfRO1ASWFvDtTGDubQP0mKSEjJCIXPGGiZt91wM8XoPLQrW00My0hSwo73b5RrDCFBJi%2BVFKjngaUJZSJM1N25NpClqL%2BdnjfOZ8x50m42JtpHVI5T2Ajvpkoo1ArzRZKV%2FWxyXt4GJHN05bW5LDayykzRIjMY7kNINA4zsJF3TdDOtaoQLoGwoIOlJ5UV07g%2BTenrGd6Qd3A6UJZZR6RrqWYyhBkzu6j7lZdGOt2nrpln%2F5PPT8vYFIucv8ogKc%2BDrMYQESFcXckJq303zEs%2Bgb8Z9u37qPY3vgJcR5gm%2BPSUcI%2F8t9aUvaV41GQonCjMSjkawjDUVcK98uHuX0VwujJmH2Y%3D"],["Cookie","SimpleSAMLSessionID={hash:5e132596a5f20762f728f124ab5c305bf2908b7d}; SimpleSAMLAuthToken={hash:6bf3576e9e29059634a6dd1d064f61c5a0bdc404}; connect.sid={hash:36ee9745aa0e2619c8d18b92239fd63870366c74}"],["DNT","1"]],"get":[],"postData":"{overwritten}","post":[["SAMLResponse","{hash:d83a7cb7214ba7c86d295123cdf9f8382704ea17}"]],"saml":"<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_b5f11dcca819ed7023acffdf2d8c9e626172a5e864\" Version=\"2.0\" IssueInstant=\"2017-07-14T15:40:02Z\" Destination=\"https://auth.example.se/login/callback\" InResponseTo=\"_5e8bd2b18a0bb7af6bfd\"><saml:Issuer>https://sp.example.se/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n <ds:Reference URI=\"#_b5f11dcca819ed7023acffdf2d8c9e626172a5e864\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/><ds:DigestValue>kUAV76YFGzR3bCe0bxIkn/VpkZw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Ef/6E5g8KVkPvWkOolPkMN2sf74zbBYwXdJ9wzWcgQEuYW/H6NGHTvTRAB9mXydP98bi7hCv/XDlEw7MyN8lUaSnHeo/UrilDiMNQHLRwcY33oiSfnxcbCAIlMTYIkKh/jRm36YgXMooBXumrajWq8VcklvXviD19y0y2IvSFA1bs8ERP8ZZHHut4GhMIrFBWS/YsorVJmDEgRqoTICSmhLn+R0yX0Ng7jHMpUDswOTIVPdNfC8OmFmvSYMixzijpY1rS+YZY66E8LB5KiRFyUw71W3QL+gS03OP6pnYBiTGCtaBm96v73W64m0rc5g2QrJivhipgzexOEl9dUfbmw==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID+zCCAuOgAwIBAgIJAIQN1ObL3C4UMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJTRTEPMA0GA1UECAwGU3dlZGVuMRMwEQYDVQQHDApHb3RoZW5idXJnMR4wHAYDVQQKDBVEYXRhdGVrbm9sb2dzZWt0aW9uZW4xCjAIBgNVBAsMAUQxFDASBgNVBAMMC0hhY2tlaG9sa2VuMRwwGgYJKoZIhvcNAQkBFg1kaGFja0BkdGVrLnNlMB4XDTE3MDIxMDE4MzIyMFoXDTI3MDIxMDE4MzIyMFowgZMxCzAJBgNVBAYTAlNFMQ8wDQYDVQQIDAZTd2VkZW4xEzARBgNVBAcMCkdvdGhlbmJ1cmcxHjAcBgNVBAoMFURhdGF0ZWtub2xvZ3Nla3Rpb25lbjEKMAgGA1UECwwBRDEUMBIGA1UEAwwLSGFja2Vob2xrZW4xHDAaBgkqhkiG9w0BCQEWDWRoYWNrQGR0ZWsuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxJqgUDbv7kISt8z5Rbq5zV3KipTHfZZ3oRKGKiHDxM38SF9ndLnBV/rHkSafuvHbTBtKFQMSu3ImolTDIdV8mn1At9GWHuLNijy3J9xRV+92shaVIMsx40SzfIzd8jbxMp9ZamrwwUrMRaivRYDWph8cS3Us99nFNTJ+cTsxQovAxv8VER8F+nFovQ+Xz8uTzcLEnKOp9Fr3hGTS9q+tCJ1F1NGHT0kwWAO9SrK3aUhgwlUM1GcpyN3uz78vnF2nwMzVcMrbHOZcESp9Yz62grKHAhSlPGMnXx1HnpzHgzFrXyL7cpN8yLxeBLRUNlBsut8cm1ueRgOxZhu2LRFevAgMBAAGjUDBOMB0GA1UdDgQWBBTdKjvF0jScRLV7h56kaDjlmQjvEzAfBgNVHSMEGDAWgBTdKjvF0jScRLV7h56kaDjlmQjvEzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCw7bXx72ClaClbSbJP3Vbk8lPpoMupowGy9EG0irV3lQsSingJR5QbKKzK4Jjndd1oflXkBKV6PXJgoFmecmmCFh4OKEmtLnfjOeIWmCV3AJ4XHd+fVS06U+H6oqFgk8WYpANk2qVkNp1FSYTmkp29GwU3NHZRgCHMWa23MtyzBSof46xChjgQxrt7bWRgqtBv2eHVlIwDRjh7CVHo6qpgFvLDUPLQP1tNsu3W+ESlx823THlwzXtijCbwNvx4nRYyIlLtOmmzkYvsLLX6XGLO8aSAB+iRtF/cj+5fmRzSmvMkTwR2hw3y+WiXS+RxWcGjeB9wrE5P9igSFTR4Er2Z</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><saml:Assertion xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" ID=\"_31bd7369336f057fafdd04f3702673699450729508\" Version=\"2.0\" IssueInstant=\"2017-07-14T15:40:02Z\"><saml:Issuer>https://sp.example.se/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n <ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>\n <ds:Reference URI=\"#_31bd7369336f057fafdd04f3702673699450729508\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/><ds:DigestValue>BtOGdyx3y1w94A8BTQ5IUvccrgk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>GbpHaBIdteUc4euc7GU+PteqqZ/89FbAXVoF0Vg4Kiq5oLB3rIty0QqlnmLrBnA/1EUMyBrYj0dXUFGcQp+RjJ+xmqO343/23Q+44FMac65+h8ihFr48o4v1OSJtjh3Qyhi/URnWUyHnC4vPsg86zNJnyhqZ+BkP1aOKYmnH6r1vLBiuqbqmKLyv/N9P+osAKEU6e5r1nUGY8PP2h4201Um3sezfBvUt7+QBTFtQqUkzMnAKQYcU/w/xq6byXI7kt6DksjxF/bnWbp41PdJrr8DocebRozpZTpNOsZ6gZm+xdCTd1DnfVDITqOfPSoOhGvg2VAmGsqsenK8Rfwl5Bw==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID+zCCAuOgAwIBAgIJAIQN1ObL3C4UMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJTRTEPMA0GA1UECAwGU3dlZGVuMRMwEQYDVQQHDApHb3RoZW5idXJnMR4wHAYDVQQKDBVEYXRhdGVrbm9sb2dzZWt0aW9uZW4xCjAIBgNVBAsMAUQxFDASBgNVBAMMC0hhY2tlaG9sa2VuMRwwGgYJKoZIhvcNAQkBFg1kaGFja0BkdGVrLnNlMB4XDTE3MDIxMDE4MzIyMFoXDTI3MDIxMDE4MzIyMFowgZMxCzAJBgNVBAYTAlNFMQ8wDQYDVQQIDAZTd2VkZW4xEzARBgNVBAcMCkdvdGhlbmJ1cmcxHjAcBgNVBAoMFURhdGF0ZWtub2xvZ3Nla3Rpb25lbjEKMAgGA1UECwwBRDEUMBIGA1UEAwwLSGFja2Vob2xrZW4xHDAaBgkqhkiG9w0BCQEWDWRoYWNrQGR0ZWsuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxJqgUDbv7kISt8z5Rbq5zV3KipTHfZZ3oRKGKiHDxM38SF9ndLnBV/rHkSafuvHbTBtKFQMSu3ImolTDIdV8mn1At9GWHuLNijy3J9xRV+92shaVIMsx40SzfIzd8jbxMp9ZamrwwUrMRaivRYDWph8cS3Us99nFNTJ+cTsxQovAxv8VER8F+nFovQ+Xz8uTzcLEnKOp9Fr3hGTS9q+tCJ1F1NGHT0kwWAO9SrK3aUhgwlUM1GcpyN3uz78vnF2nwMzVcMrbHOZcESp9Yz62grKHAhSlPGMnXx1HnpzHgzFrXyL7cpN8yLxeBLRUNlBsut8cm1ueRgOxZhu2LRFevAgMBAAGjUDBOMB0GA1UdDgQWBBTdKjvF0jScRLV7h56kaDjlmQjvEzAfBgNVHSMEGDAWgBTdKjvF0jScRLV7h56kaDjlmQjvEzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCw7bXx72ClaClbSbJP3Vbk8lPpoMupowGy9EG0irV3lQsSingJR5QbKKzK4Jjndd1oflXkBKV6PXJgoFmecmmCFh4OKEmtLnfjOeIWmCV3AJ4XHd+fVS06U+H6oqFgk8WYpANk2qVkNp1FSYTmkp29GwU3NHZRgCHMWa23MtyzBSof46xChjgQxrt7bWRgqtBv2eHVlIwDRjh7CVHo6qpgFvLDUPLQP1tNsu3W+ESlx823THlwzXtijCbwNvx4nRYyIlLtOmmzkYvsLLX6XGLO8aSAB+iRtF/cj+5fmRzSmvMkTwR2hw3y+WiXS+RxWcGjeB9wrE5P9igSFTR4Er2Z</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier=\"https://auth.example.se/\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\">_569d0b3df602f307d3ec2020f23526586005facb80</saml:NameID><saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><saml:SubjectConfirmationData NotOnOrAfter=\"2017-07-14T15:45:02Z\" Recipient=\"https://auth.example.se/login/callback\" InResponseTo=\"_5e8bd2b18a0bb7af6bfd\"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore=\"2017-07-14T15:39:32Z\" NotOnOrAfter=\"2017-07-14T15:45:02Z\"><saml:AudienceRestriction><saml:Audience>https://auth.example.se/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant=\"2017-07-14T15:39:43Z\" SessionNotOnOrAfter=\"2017-07-14T23:39:43Z\" SessionIndex=\"_94e7b1b4e8780842f20acd66ceea33e375a22030e9\"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef><saml:AuthenticatingAuthority>http://idp.externalIDP.se/adfs/services/trust</saml:AuthenticatingAuthority></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name=\"fullname\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml:AttributeValue xsi:type=\"xs:string\">Emil Hemdal</saml:AttributeValue></saml:Attribute><saml:Attribute Name=\"username\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml:AttributeValue xsi:type=\"xs:string\">heemil</saml:AttributeValue></saml:Attribute><saml:Attribute Name=\"urn:oid:0.9.2342.19200300.100.1.3\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml:AttributeValue xsi:type=\"xs:string\">hee...@student.externalIDP.se</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>","responseStatus":302,"responseStatusText":"Found","responseHeaders":[["Server","nginx/1.10.3"],["Date","Fri, 14 Jul 2017 15:40:04 GMT"],["Content-Type","text/html; charset=utf-8"],["Content-Length","46"],["X-Powered-By","Express"],["Location","/"],["Vary","Accept"],["X-Content-Type-Options","nosniff"],["X-Firefox-Spdy","h2"]],"id":2},{"method":"GET","url":"https://auth.example.se/","requestHeaders":[["Host","auth.example.se"],["User-Agent","Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"],["Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],["Accept-Language","en-US,en;q=0.5"],["Accept-Encoding","gzip, deflate, br"],["Referer","https://sp.example.se/saml2/idp/SSOService.php?SAMLRequest=nVNNb%2BowEPwrke%2FkA7WP1iJUPFBVpH5EJO3hXZ4ceylWHdv1Oi399zWBIA4tB06Wdsfj2Zn1%2BGbTqOgDHEqjc5LFKbmZjJE1ytJp69d6Ce8toI8CTCPtGjlpnaaGoUSqWQNIPafl9OGeDuOUWme84UaRaDHPyf9LuKrFsM6uWFrXI7b6U68EiV76B8ONAERsYaHRM%2B1DKc1Gg3Q0yC6q7JJepDQNoOH1PxIVe%2Bq%2FUgupX0%2FrqHcgpHdVVQyKp7Ii0RQRnA8Pz4zGtgFXgvuQHJ6X9zlZe2%2BRJgkLY8fCw1uMkCjzKnXCmVI1428kmgcvpGa%2BE9%2FfQHvAbw0aJlLYpCyf9uyxXVuyM5V2o7ojN08PwXrBZPKjvHFyxNrn9hhoFvPCKMm%2Fzsnt1riG%2Bd%2FRWZx1FSkGqw5KoWFSTYVwgBhcVsp8zhwwDznxrgWS9NL22wSi262QgofNWbs1M41lTuI2Btgw7nuDj4lnKvi3hNU5dp%2BEccq31KFchOPTOLFdTeBhsMoxjdY4v4%2FmJz2TXe8XOw7d4%2F83%2BQY%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=TUmyRIYROMn5VMgrWVxXEE9JBDslSeFK52017rnCdWIYkmaY6CA2zBCk6PAQFcSrkwcfXwS4iKZEWbDEwRAxBigT6LOI7SWHlp0ch6U8TGu%2B4ueqAkRkPrwPzWDV4KXR7DS0kdXu5hzbb9w7bNKZ5cqSn%2BGPDB28qsGvGHYSUtUBZ7isb2cKJuqbPSt8%2FJMLoEZ7eEqT38WvjRah6B6bIncpbZPON3WIpfhLoXz%2FElTPZgx1uarDf4mgagGYvnSuox80epqTxUJcrs%2Fs7rCi2GqEB613DgkZs1oSyzMjTrQpmyI1thBhUfBjtBpN5hdn0m0XElad0xsgXTnfRO1ASWFvDtTGDubQP0mKSEjJCIXPGGiZt91wM8XoPLQrW00My0hSwo73b5RrDCFBJi%2BVFKjngaUJZSJM1N25NpClqL%2BdnjfOZ8x50m42JtpHVI5T2Ajvpkoo1ArzRZKV%2FWxyXt4GJHN05bW5LDayykzRIjMY7kNINA4zsJF3TdDOtaoQLoGwoIOlJ5UV07g%2BTenrGd6Qd3A6UJZZR6RrqWYyhBkzu6j7lZdGOt2nrpln%2F5PPT8vYFIucv8ogKc%2BDrMYQESFcXckJq303zEs%2Bgb8Z9u37qPY3vgJcR5gm%2BPSUcI%2F8t9aUvaV41GQonCjMSjkawjDUVcK98uHuX0VwujJmH2Y%3D"],["Cookie","SimpleSAMLSessionID={hash:5e132596a5f20762f728f124ab5c305bf2908b7d}; SimpleSAMLAuthToken={hash:6bf3576e9e29059634a6dd1d064f61c5a0bdc404}; connect.sid={hash:36ee9745aa0e2619c8d18b92239fd63870366c74}"],["DNT","1"]],"get":[],"postData":"","post":[],"saml":null,"responseStatus":200,"responseStatusText":"OK","responseHeaders":[["Server","nginx/1.10.3"],["Date","Fri, 14 Jul 2017 15:40:07 GMT"],["Content-Type","text/html; charset=utf-8"],["X-Powered-By","Express"],["Etag","W/\"1a4-eD7KGg/WnYf5sd2zKgeu8ZqJ8OM\""],["X-Content-Type-Options","nosniff"],["Content-Encoding","gzip"],["X-Firefox-Spdy","h2"]],"id":3}],"timestamp":1500046830621}Why can't I sign in regulary?
Jaime Perez Crespo
Jul 18, 2017, 2:51:44 AM7/18/17
to SimpleSAMLphp
Hi,
On 14 Jul 2017, at 17:49 PM, emil.he...@gmail.com wrote:
> We have a working SimpleSAMLphp SP setup talking to a IdP and successfully logging them into our MediaWiki. (MediaWiki -> SP -> IdP) You can also login with the "Test configured authentication sources". (SP -> IdP)
>
> What we've been trying to do now is to make SimpleSAMLphp act as a IdP, bridging our Node.js app. (Node.js SP -> SimpleSAMLphp-IdP -> IdP)
Why? You already have an IdP (the one you authenticate against in your SP), so why not using that?
Not saying that what you are trying to accomplish can’t be done, just that I don’t understand why you are trying to make an SP behave as a proxy in this case, as it is clearly making things more difficult for you.
> This only work if you have signed in before from MediaWiki or the "Test configured authentication sources". If you haven't signed in with them it will fail when the Node.js app receives the response from SimpleSAMLphp-IdP.
>
> This is the SAMLresponse when already signed in (via MediaWiki or the "Test configured authentication sources"):
> […]
> saml20-idp-hosted.php:
> <?php
> $metadata['__DYNAMIC:1__'] = array(
> […]
In any case, this is probably wrong. If you want to use your SimpleSAMLphp instance as a proxy, the authentication source defined for the IdP part must be the SP part, that is, a SAML SP. Since you didn’t include the contents of your authsources.php, we can’t tell for sure what’s going on. However, looking at the output from SAML tracer for the failed, case, it looks like the original IdP sends the SAML response to this URL:
> Destination="https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP”
That would mean the "saml:SP” authsource in your authsources.php is named “externalIDP”, and not “external” as in your saml20-idp-hosted.php file. They both should match.
> […]
This is not a valid configuration option for SAML remote SPs. How did you generate this? Metarefresh is supposed to remove that from the output...
> […]
>
> saml20-idp-remote.php:
> […]
“responseStatus”:500
“Internal Server Error”
Clearly something’s wrong in the server, so you need to take a look at the logs.
> This is the SAML tracer log for a successful login:
> […]
--
Jaime Pérez
UNINETT / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
On 14 Jul 2017, at 17:49 PM, emil.he...@gmail.com wrote:
> We have a working SimpleSAMLphp SP setup talking to a IdP and successfully logging them into our MediaWiki. (MediaWiki -> SP -> IdP) You can also login with the "Test configured authentication sources". (SP -> IdP)
>
> What we've been trying to do now is to make SimpleSAMLphp act as a IdP, bridging our Node.js app. (Node.js SP -> SimpleSAMLphp-IdP -> IdP)
Not saying that what you are trying to accomplish can’t be done, just that I don’t understand why you are trying to make an SP behave as a proxy in this case, as it is clearly making things more difficult for you.
> This only work if you have signed in before from MediaWiki or the "Test configured authentication sources". If you haven't signed in with them it will fail when the Node.js app receives the response from SimpleSAMLphp-IdP.
>
> This is the SAMLresponse when already signed in (via MediaWiki or the "Test configured authentication sources"):
>
> This is the SAMLresponse when not signed in:
> […]
> This is the SAMLresponse when not signed in:
> […]
> <samlp:Status>
> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
> </samlp:Status>
> </samlp:Response>
This looks like an error, and I say “looks like” because there’s no information at all, which is weird. You’ll need to have a look into your log files.
> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
> </samlp:Status>
> </samlp:Response>
> saml20-idp-hosted.php:
> <?php
> $metadata['__DYNAMIC:1__'] = array(
> /*
> * The authentication source which should be used to authenticate the
> * user. This must match one of the entries in config/authsources.php.
> */
> 'auth' => 'external’,
You didn’t include your authsources.php.
> * The authentication source which should be used to authenticate the
> * user. This must match one of the entries in config/authsources.php.
> */
> 'auth' => 'external’,
In any case, this is probably wrong. If you want to use your SimpleSAMLphp instance as a proxy, the authentication source defined for the IdP part must be the SP part, that is, a SAML SP. Since you didn’t include the contents of your authsources.php, we can’t tell for sure what’s going on. However, looking at the output from SAML tracer for the failed, case, it looks like the original IdP sends the SAML response to this URL:
> Destination="https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP”
That would mean the "saml:SP” authsource in your authsources.php is named “externalIDP”, and not “external” as in your saml20-idp-hosted.php file. They both should match.
> […]
>
> saml20-sp-remote.php:
> <?php
> /* This file was generated by the metarefresh module at 2017-07-14T15:01:05Z
> Do not update it manually as it will get overwritten
> */
>
> $metadata['https://auth.example.se/'] = array (
> 'entityid' => 'https://auth.example.se/',
> 'entityDescriptor' => 'PG1kOkVu…',
> saml20-sp-remote.php:
> <?php
> /* This file was generated by the metarefresh module at 2017-07-14T15:01:05Z
> Do not update it manually as it will get overwritten
> */
>
> $metadata['https://auth.example.se/'] = array (
> 'entityid' => 'https://auth.example.se/',
This is not a valid configuration option for SAML remote SPs. How did you generate this? Metarefresh is supposed to remove that from the output...
> […]
>
> This is the metadata.xml for the above:
> […]
> This is the metadata.xml for the above:
>
> saml20-idp-remote.php:
> […]
>
>
> This is the SAML tracer log for a failed login (when not logged in via MediaWiki nor "Test configured authentication sources"):
> […]<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Responder\"/></samlp:Status></samlp:Response>","responseStatus":500,"responseStatusText":"Internal Server Error”,[…]
>
> This is the SAML tracer log for a failed login (when not logged in via MediaWiki nor "Test configured authentication sources"):
“responseStatus”:500
“Internal Server Error”
Clearly something’s wrong in the server, so you need to take a look at the logs.
> This is the SAML tracer log for a successful login:
>
> Why can't I sign in regulary?
The only way to find out is to look at the logs ;-)
> Why can't I sign in regulary?
--
Jaime Pérez
UNINETT / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
emil.he...@gmail.com
Jul 18, 2017, 4:33:58 AM7/18/17
to SimpleSAMLphp
Hi,
Why? You already have an IdP (the one you authenticate against in your SP), so why not using that?
The organization that we're trying to identify against want it this way unfortunately.
This looks like an error, and I say “looks like” because there’s no information at all, which is weird. You’ll need to have a look into your log files.
Here are the logs from trying to login via the Node app -> our IDP/SP -> external IDP:
Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] Session: 'external' not valid because we are not authenticated.Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] Saved state: '_e03114e7603ed21bb9024c24769bda51d6bde63448'Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] Sending SAML 2 AuthnRequest to 'http://idp.externalIDP.se/adfs/services/trust'Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] Sending message:Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_e03114e7603ed21bb9024c24769bda51d6bde63448" Version="2.0" IssueInstant="2017-07-18T08:02:05Z" Destination="https://idp.externalIDP.se/adfs/ls/" AssertionConsumerServiceURL="https://sp.example.se/module.php/saml/sp/saml2-acs.php/external" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <saml:Issuer>https://sp.example.se/metadata.xml</saml:Issuer>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Scoping>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <samlp:RequesterID>https://auth.example.se/</samlp:RequesterID>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Scoping>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] </samlp:AuthnRequest>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] Redirect to 569 byte URL: https://idp.externalIDP.se/adfs/ls/?SAMLRequest=fVLLbtswEPwVgXeJlKzYDmEbcGMUNZA0Ruzk0EtBiZuaKEUq3FWb%2FH1oOXJSpPCJ4OzM7uxjhqqxrVx2tHd38NQBUvLcWIeyD8xZF5z0Cg1KpxpASbXcLm%2BuZZEJ2QZPvvaWfZCcVyhECGS8Y8l6NWc%2FQYzyvITJWIxAF3lVXYqirItyMr6stLrI9bjSMB6V5ZQlDxAwKucsJopyxA7WDkk5ipDIJ6mYpPl0J6ZSFFJc%2FGDJKnZjnKJetSdqUXJudJvVe2WbmC5D4Eo%2FIrfIWbIczF15h12MbyH8MTXc312%2Fy7HNNMHvg7LxurOQtfuWHzqPof4tUlVjjw5lWLJ5m9QX47Rxv84PqTqSUH7b7Tbp5na7Y4vZIbPsmw6L%2F3kBUlqRyuImZvwjeXbc8PdYZr3aeGvql%2BSrD42i8y4OiNHpY0%2BVFJRDA47imKz1f68CKII5o9AB40ORbe3b6Hz4vh0UhPXq5FnFSzu5Pjr9lzhgp1z884kuXgE%3Darray ()Jul 18 10:02:05 simplesamlphp INFO [9bfd54c5d3] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOServiceJul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] Received message:Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f5874c21baad5bab50c4" Version="2.0" IssueInstant="2017-07-18T08:02:05.938Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://auth.example.se/login/callback" Destination="https://sp.example.se/saml2/idp/SSOService.php">Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://auth.example.se/</saml:Issuer>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] </samlp:RequestedAuthnContext>Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] </samlp:AuthnRequest>Jul 18 10:02:05 simplesamlphp INFO [9bfd54c5d3] SAML2.0 - IdP.SSOService: incoming authentication request: 'https://auth.example.se/'Jul 18 10:02:05 simplesamlphp DEBUG [9bfd54c5d3] saving key simpleSAMLphp.session.09be71fc34c9f9fa79a8a7c3abc3467c to memcacheJul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] Loading state: '_e03114e7603ed21bb9024c24769bda51d6bde63448'Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] Received SAML2 Response from 'http://idp.externalIDP.se/adfs/services/trust'.Jul 18 10:02:12 simplesamlphp WARNING [9bfd54c5d3] Returning error to sp: 'https://auth.example.se/'Jul 18 10:02:12 simplesamlphp WARNING [9bfd54c5d3] sspmod_saml_Error: ResponderJul 18 10:02:12 simplesamlphp WARNING [9bfd54c5d3] Backtrace:Jul 18 10:02:12 simplesamlphp WARNING [9bfd54c5d3] 3 /usr/share/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)Jul 18 10:02:12 simplesamlphp WARNING [9bfd54c5d3] 2 /usr/share/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)Jul 18 10:02:12 simplesamlphp WARNING [9bfd54c5d3] 1 /usr/share/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)Jul 18 10:02:12 simplesamlphp WARNING [9bfd54c5d3] 0 /usr/share/simplesamlphp/www/module.php:137 (N/A)Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] Sending message:Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_54d4dc485389d9cae7cc6fcc518f752605606f7ca8" Version="2.0" IssueInstant="2017-07-18T08:02:12Z" Destination="https://auth.example.se/login/callback" InResponseTo="_f5874c21baad5bab50c4">Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <saml:Issuer>https://sp.example.se/saml2/idp/metadata.php</saml:Issuer>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:SignedInfo>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Reference URI="#_54d4dc485389d9cae7cc6fcc518f752605606f7ca8">Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Transforms>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:Transforms>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:DigestValue>D3o1fp198HGYoZa8k8tVdlctKNs=</ds:DigestValue>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:Reference>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:SignedInfo>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:SignatureValue>TwFMozMU8hbPm...</ds:SignatureValue>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:KeyInfo>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:X509Data>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:X509Certificate>MIID+zCCAu...</ds:X509Certificate>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:X509Data>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:KeyInfo>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:Signature>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Status>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Status>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Response>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] Received message:Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2bf69548-b8ae-4670-a706-a91b26502725" Version="2.0" IssueInstant="2017-07-18T08:02:12.492Z" Destination="https://sp.example.se/module.php/saml/sp/saml2-acs.php/external" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_e03114e7603ed21bb9024c24769bda51d6bde63448">Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.externalIDP.se/adfs/services/trust</Issuer>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:SignedInfo>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Reference URI="#_2bf69548-b8ae-4670-a706-a91b26502725">Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Transforms>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:Transforms>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:DigestValue>5mR02bJ4RM2KlR2B8vuUySw0/V1roatbni30r9VdUl0=</ds:DigestValue>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:Reference>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:SignedInfo>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:SignatureValue>q5VSVhu43...</ds:SignatureValue>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:X509Data>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <ds:X509Certificate>MIIH8zCCBtugAwI...</ds:X509Certificate>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:X509Data>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </KeyInfo>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </ds:Signature>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Status>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Status>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Response>Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] loading key simpleSAMLphp.session.09be71fc34c9f9fa79a8a7c3abc3467c from memcache
You didn’t include your authsources.php.
<?php
$config = array( 'external' => array( 'saml:SP',
// The entity ID of this SP. 'entityID' => 'https://sp.example.se/metadata.xml',
// The entity ID of the IdP this should SP should contact. 'idp' => 'http://idp.externalIDP.se/adfs/services/trust',
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
//Metadata sign keys 'privatekey' => 'saml.pem', 'certificate' => 'saml.crt',
'OrganizationName' => array( 'sv' => 'XYZ', 'en' => 'XYZ', ),
'OrganizationURL' => array( 'sv' => 'https://example.se', 'en' => 'https://example.se', ),
//Attribute proccessing 'authproc' => array( //Pretty attribute renaming. 10 => array( 'class' => 'core:AttributeMap', 'urn:oid:2.16.840.1.113730.3.1.241' => 'fullname', 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'username', ), //Removes domain from username 20 => array( 'class' => 'core:AttributeAlter', 'subject' => 'username', 'pattern' => '/@externalIDP\.se$/', 'replacement' => '', ), //Concats id and student.externalIDP.se to create mail. 30 => array( 'class' => 'core:AttributeAlter', 'subject' => 'username', 'pattern' => '/$/', 'replacement' => '@student.externalIDP.se', 'target' => 'mail', ), ), ),);In any case, this is probably wrong. If you want to use your SimpleSAMLphp instance as a proxy, the authentication source defined for the IdP part must be the SP part, that is, a SAML SP. Since you didn’t include the contents of your authsources.php, we can’t tell for sure what’s going on. However, looking at the output from SAML tracer for the failed, case, it looks like the original IdP sends the SAML response to this URL:
> Destination="https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP”
That would mean the "saml:SP” authsource in your authsources.php is named “externalIDP”, and not “external” as in your saml20-idp-hosted.php file. They both should match.
It's probably a typo when I did a search and replace.
This is not a valid configuration option for SAML remote SPs. How did you generate this? Metarefresh is supposed to remove that from the output...
Metarefresh generated it. config-metarefresh.php:
<?php
$config = array(
'sets' => array(
'swamid' => array( 'cron' => array('hourly'), 'sources' => array( array( 'whitelist' => array( ),
'conditionalGET' => TRUE, 'src' => 'https://mds.swamid.se/md/swamid-idp.xml', ), ), 'expireAfter' => 60*60*24*4, 'outputDir' => '/etc/simplesamlphp/metadata/swamid/', 'outputFormat' => 'flatfile', ), 'example' => array( 'cron' => array('hourly'), 'sources' => array( array( 'whitelist' => array( ), 'conditionalGET' => FALSE, 'src' => 'https://auth.example.se/metadata.xml', ), ), 'expireAfter' => 60*60*24*4, 'outputDir' => '/etc/simplesamlphp/metadata/example/', 'outputFormat' => 'flatfile', ), ),);
Thank you so much for helping out on this one! :)
Regards,
Emil Hemdal
Jaime Perez Crespo
Jul 18, 2017, 5:15:07 AM7/18/17
to simple...@googlegroups.com
Hi again Emil,
On 18 Jul 2017, at 10:33 AM, emil.he...@gmail.com wrote:
> Hi,
>
>> Why? You already have an IdP (the one you authenticate against in your SP), so why not using that?
>
> The organization that we're trying to identify against want it this way unfortunately.
Why? I mean, I’m just trying to understand here. I guess that organization is whoever runs the ADFS IdP, right? Why would they want you to complicate your setup like this?
> […]
In any case, the error is coming from the IdP, SimpleSAMLphp is just forwarding it to your Node.js app, so you’ll have to ask them for help to see why they are responding like that.
On 18 Jul 2017, at 10:33 AM, emil.he...@gmail.com wrote:
> Hi,
>
>> Why? You already have an IdP (the one you authenticate against in your SP), so why not using that?
>
> The organization that we're trying to identify against want it this way unfortunately.
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Status>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder”/>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Status>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Response>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] Received message:
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2bf69548-b8ae-4670-a706-a91b26502725" Version="2.0" IssueInstant="2017-07-18T08:02:12.492Z" Destination="https://sp.example.se/module.php/saml/sp/saml2-acs.php/external" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_e03114e7603ed21bb9024c24769bda51d6bde63448">
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.externalIDP.se/adfs/services/trust</Issuer>
> […]
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Status>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Status>
So this is where the weird response we saw before is coming from. I thought indeed that couldn’t be SimpleSAMLphp itself, so this makes sense. You need to ask the IdP why they are replying like this.
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder”/>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Status>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Response>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] Received message:
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2bf69548-b8ae-4670-a706-a91b26502725" Version="2.0" IssueInstant="2017-07-18T08:02:12.492Z" Destination="https://sp.example.se/module.php/saml/sp/saml2-acs.php/external" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_e03114e7603ed21bb9024c24769bda51d6bde63448">
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.externalIDP.se/adfs/services/trust</Issuer>
> […]
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:Status>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
> Jul 18 10:02:12 simplesamlphp DEBUG [9bfd54c5d3] </samlp:Status>
> […]
>
>> In any case, this is probably wrong. If you want to use your SimpleSAMLphp instance as a proxy, the authentication source defined for the IdP part must be the SP part, that is, a SAML SP. Since you didn’t include the contents of your authsources.php, we can’t tell for sure what’s going on. However, looking at the output from SAML tracer for the failed, case, it looks like the original IdP sends the SAML response to this URL:
>>
>>> Destination="https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP”
>>
>> That would mean the "saml:SP” authsource in your authsources.php is named “externalIDP”, and not “external” as in your saml20-idp-hosted.php file. They both should match.
>
> It's probably a typo when I did a search and replace.
Ok, so just to confirm. In your saml20-idp-hosted.php, in the “auth” configuration option, you have “external” (matching your auth sources), and then that “externalIDP” in the Destination URL was a typo while anonymizing logs, right?
>> In any case, this is probably wrong. If you want to use your SimpleSAMLphp instance as a proxy, the authentication source defined for the IdP part must be the SP part, that is, a SAML SP. Since you didn’t include the contents of your authsources.php, we can’t tell for sure what’s going on. However, looking at the output from SAML tracer for the failed, case, it looks like the original IdP sends the SAML response to this URL:
>>
>>> Destination="https://sp.example.se/module.php/saml/sp/saml2-acs.php/externalIDP”
>>
>> That would mean the "saml:SP” authsource in your authsources.php is named “externalIDP”, and not “external” as in your saml20-idp-hosted.php file. They both should match.
>
> It's probably a typo when I did a search and replace.
In any case, the error is coming from the IdP, SimpleSAMLphp is just forwarding it to your Node.js app, so you’ll have to ask them for help to see why they are responding like that.
emil.he...@gmail.com
Jul 18, 2017, 5:42:06 AM7/18/17
to SimpleSAMLphp
Hi,
Why? I mean, I’m just trying to understand here. I guess that organization is whoever runs the ADFS IdP, right? Why would they want you to complicate your setup like this?
I'm going to push the question unless they fix the response. They are the organization running the ADFS IdP.
So this is where the weird response we saw before is coming from. I thought indeed that couldn’t be SimpleSAMLphp itself, so this makes sense. You need to ask the IdP why they are replying like this.
I'm asking them! :)
Ok, so just to confirm. In your saml20-idp-hosted.php, in the “auth” configuration option, you have “external” (matching your auth sources), and then that “externalIDP” in the Destination URL was a typo while anonymizing logs, right?
Yes, they match.
In any case, the error is coming from the IdP, SimpleSAMLphp is just forwarding it to your Node.js app, so you’ll have to ask them for help to see why they are responding like that.
On it! :)
Thank you so much for your help pointing out where the issue could be.
Regards,
Emil Hemdal
emil.he...@gmail.com
Jul 18, 2017, 7:14:19 AM7/18/17
to SimpleSAMLphp, emil.he...@gmail.com
They responded that they don't support something that they call Scoping and that's why it won't work.
So my new question is, how does our MediaWiki authenticate via our SP? Can we make a Node.js app do the same without needing an IdP?
Regards,
Emil Hemdal
Tim van Dijen
Jul 18, 2017, 7:35:56 AM7/18/17
to SimpleSAMLphp, emil.he...@gmail.com
Reply all
Reply to author
Forward
0 new messages