Unable to do a basic setup, keep hitting road blocks


eric gandt

Jul 28, 2025, 3:33:17 AM
to SimpleSAMLphp
What I want is a simple SAML 2.0 setup, where default-sp uses example-userpass for logins so that I can use it in development. Seems simple, but I've had zero luck.

Even simply testing via the UI, the 'default-sp' source does not work.

Test Authentication Sources
  admin
  example-userpass
  default-sp

The first 2 are fine, but the third one always fails. I'm on my 4th or 5th complete redo and I'm stuck. Searching is not finding any explanation (or any good helpful one) either.
admin and example-userpass both work as expected.

SimpleSAML\Error\MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => 'v2-2350161.unknown.co')
Backtrace:
6 src/SimpleSAML/Metadata/MetaDataStorageHandler.php:331 (SimpleSAML\Metadata\MetaDataStorageHandler::getMetaData)
5 src/SimpleSAML/Metadata/MetaDataStorageHandler.php:348 (SimpleSAML\Metadata\MetaDataStorageHandler::getMetaDataConfig)
4 modules/saml/src/IdP/SAML2.php:411 (SimpleSAML\Module\saml\IdP\SAML2::receiveAuthnRequest)
3 [builtin] (call_user_func_array)
2 src/SimpleSAML/HTTP/RunnableResponse.php:68 (SimpleSAML\HTTP\RunnableResponse::sendContent)
1 vendor/symfony/http-foundation/Response.php:423 (Symfony\Component\HttpFoundation\Response::send)
0 public/saml2/idp/SSOService.php:30 (N/A)

I'm confused as to why this is showing I have an entityID defined named 'v2-2350161.unknown.co'. I'm unsure what file it is even coming from, as 'v2-2350161.unknown.co' is defined in config/authsources.php and maps to entities in both saml20-idp-remote.php and saml20-idp-hosted.php. saml20-sp-remote.php is empty, as that seems to be what the samples all do (which seems odd).

My configs are:
# cat config/authsources.php
<?php

$config = array(
    'admin' => [
        'core:AdminPassword',
    ],
    'example-userpass' => [
        ......  <removed for size>  .....
    ],
    'default-sp' => [
        'saml:SP',
        'entityID' => 'v2-2350161.unknown.co',
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',
        'idp' => 'v2-2350161.unknown.co',
    ],
);



# cat metadata/saml20-idp-remote.php
<?php
$metadata['v2-2350161.unknown.co'] = [
    'SingleSignOnService' => [
        [
          'Location' => 'https://unknown.co:9443/simplesaml/saml2/idp/SSOService.php/default-sp',
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
    ],
    'SingleLogoutService' => [
        [
          'Location' => 'https://unknown.co:9443/simplesaml/saml2/idp/SingleLogoutService.php/default-sp',
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
    ],
    'certificate' => 'server.pem',
];




# cat metadata/saml20-idp-hosted.php
<?php

$metadata['v2-2350161.unknown.co'] = [
    'host' => '__DEFAULT__',
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',
    'auth' => 'example-userpass',
    'contacts' => [
        [
           'contactType'       => 'support',
           'emailAddress'      => 'root@localhost',
           'givenName'         => 'root',
           'surName'           => 'user',
           'company'           => 'unknown.co',
        ],
    ],
];


# cat metadata/saml20-sp-remote.php
<?php

/**
 * SAML 2.0 remote SP metadata for SimpleSAMLphp.
 */
It is empty, as the examples do nothing with it.


I can get metadata under Federation, but it does not work in my app. I'm assuming the issue is not the app, as it can connect to Okta for example, so I'm figuring the error above is a (or the) cause.

Thanks,
ERIC

Tim van Dijen

Jul 28, 2025, 8:10:22 AM
to SimpleSAMLphp
Hi Eric,

The metadata entries are missing an `entityID` key. Putting the entityID in the array key like you did is old pre-2.0 behaviour that no longer works.

- Tim

On Monday, 28 July 2025 at 09:33:17 UTC+2, eric.gandt....@gmail.com wrote:

eric gandt

Jul 28, 2025, 7:48:43 PM
to SimpleSAMLphp
I changed metadata/saml20-sp-remote.php to be populated:
<?php
$metadata['v2-2350161.unknown.co'] = [
    'AssertionConsumerService' => [
        [
            'index' => 1,
            'isDefault' => true,
            'Location' => 'https://v2-2350161.unknown.co/module.php/saml/sp/saml2-acs.php/default-sp',
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
    ],
    'SingleLogoutService' => [
        [
            'Location' => 'https://v2-2350161.unknown.co/module.php/saml/sp/saml2-logout.php/default-sp',

            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
    ],
];

I also had to fix metadata/saml20-idp-remote.php so that it was using the .crt, not the .pem file:
<?php
$metadata['v2-2350161.unknown.co'] = [
    'SingleSignOnService' => [
        [
          'Location' => 'https://unknown.co:9443/simplesaml/saml2/idp/SSOService.php/default-sp',
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
    ],
    'SingleLogoutService' => [
        [
          'Location' => 'https://unknown.co:9443/simplesaml/saml2/idp/SingleLogoutService.php/default-sp',
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
    ],
    'certificate' => 'server.crt',
];


Oddly, the quick start docs do not mention that it is needed at all; however it clearly is, as I can now log into the default-sp using the example users. Now I just need to debug the client side issues. Thanks for your help.


Wanted to respond in hopes that this is of some help to other people.
ERIC
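The four files the thread touches, written out as one consistent loopback setup (a single SimpleSAMLphp 2.x instance acting as both the default-sp SP and the hosted IdP). This is an added example, not code from the thread or from the SimpleSAMLphp project: the host name `sso.example.test`, the entity IDs, the key/certificate file names and the `users` layout of `exampleauth:UserPass` are assumptions. Unlike the thread's configs, the SP and the IdP get distinct entity IDs so the two roles cannot be mixed up. Each section below goes in its own file; the points the thread surfaced are marked in comments: `saml20-sp-remote.php` is the IdP's allow-list of SPs, which is why `receiveAuthnRequest` threw `MetadataNotFound` while it was empty, and `certificate` in remote metadata must name the public certificate, never the private key.

```php
<?php
// Added example (not from the thread or the SimpleSAMLphp project). Host name,
// entity IDs, file names and the exampleauth 'users' layout are assumptions.
// Each "---" section is a separate file under the SimpleSAMLphp root; they are
// concatenated here only so the example is one syntactically valid PHP file.

// --- config/authsources.php ---
$config = [
    'admin' => [
        'core:AdminPassword',
    ],

    'example-userpass' => [
        'exampleauth:UserPass',
        // Assumed 2.x layout: test users live under a 'users' key.
        'users' => [
            'student:studentpass' => [
                'uid' => ['student'],
                'eduPersonAffiliation' => ['member', 'student'],
            ],
        ],
    ],

    'default-sp' => [
        'saml:SP',
        // SP entityID, deliberately different from the IdP's.
        'entityID' => 'https://sso.example.test/sp',
        // Which IdP (from saml20-idp-remote.php) this SP sends users to.
        'idp' => 'https://sso.example.test/idp',
        // SP signing key pair, files in the cert/ directory.
        'privatekey' => 'sp.pem',
        'certificate' => 'sp.crt',
    ],
];

// --- metadata/saml20-idp-hosted.php ---
// The IdP this instance runs. 'auth' names the authsource used for logins.
$metadata['https://sso.example.test/idp'] = [
    'host' => '__DEFAULT__',
    'privatekey' => 'idp.pem',
    'certificate' => 'idp.crt',
    'auth' => 'example-userpass',
];

// --- metadata/saml20-idp-remote.php ---
// What the SP trusts: where to send AuthnRequests and which public key
// must have signed the responses it gets back.
$metadata['https://sso.example.test/idp'] = [
    'SingleSignOnService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sso.example.test/simplesaml/saml2/idp/SSOService.php',
        ],
    ],
    'SingleLogoutService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sso.example.test/simplesaml/saml2/idp/SingleLogoutService.php',
        ],
    ],
    // Public certificate only. Pointing this at the private key (server.pem
    // in the thread) is both a config error and a key-handling mistake.
    'certificate' => 'idp.crt',
];

// --- metadata/saml20-sp-remote.php ---
// What the IdP trusts: the SPs it will answer. Leaving this empty makes the
// IdP reject every AuthnRequest with MetadataNotFound for the SP's entityID,
// which is the error in the first post. Only list SPs you actually control
// or have vetted; each entry is an ACS endpoint the IdP will post assertions to.
$metadata['https://sso.example.test/sp'] = [
    'AssertionConsumerService' => [
        [
            'index' => 0,
            'isDefault' => true,
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://sso.example.test/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        ],
    ],
    'SingleLogoutService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sso.example.test/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
        ],
    ],
    // SP's public certificate, used to verify signed AuthnRequests/LogoutRequests.
    'certificate' => 'sp.crt',
];
```

Check it the way the thread did: under "Test Authentication Sources", `default-sp` should now redirect to the hosted IdP's login form rather than failing, and the IdP's Federation page should list exactly one remote SP. If the reply above about an explicit `entityID` key applies to your version, add it to the metadata entries; the array-key form shown here is the one that worked in the thread.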
