Newbie config question


Juliobesq

Mar 8, 2010, 1:45:14 PM
to simpleSAMLphp
Hi

I've been tasked with configuring simplesamlphp as a service provider.
Alas it is waaaaay outside my knowledge base.

I've been at this for a while but have to admit confusion and defeat.
And, the Identity provider is basically refusing to offer any
assistance in setting this up even though they have provided the
parameters, sigh.

Here's what I have been told I have to configure:

1. Identity Provider ID (IdPID)
Specifies a URI that uniquely identifies the Identity Provider
my_provided_idp
(Provided)

2. Service Provider ID(SPID)
The ID of the Service Provider where the Identity Provider sends the
unsolicited response.
arbitrary_string_i_provide

3. SSO URL
Specifies the URI of the Single Sign-On service at an Identity
Provider.
https://webservice_of_identity_provider
(Provided)

4. Audience
This value is included in the assertion passed to the SP and may be
used for validation purposes
http://fgw.illusionfactor.com
(this has been provided by the Identity Provider, but I have no idea
where they got it from as it bears no relation to anything in the
project)

5. Assertion Consumer Service
Specifies the URL of the assertion consumer. This is the URL where the
user's browser must POST the generated assertion.
http://www.openreachwordonthestreet.com/simplesaml/hello.php

6. Protocol Binding
A SAML Binding determines how SAML requests and responses map onto
standard messaging or communication protocols.
SAML 2.0 POST

7. Relay State or Target
A unique URL for Service provider Target page.
http://www.openreachwordonthestreet.com/index.php

8. Validity Duration
Based on the values of the Validity Duration and Skew Time, the
assertion generator calculates the total time that the assertion is
valid.
60 sec

9. Skew time
Based on the values of the Validity Duration and Skew Time, the
assertion generator calculates the total time that the assertion is
valid
30 sec

From what I can gather, I've been told I must configure 1, 2, and 5.
Plus install the crt and pem files provided - I have done this by
uploading them into the cert directory.
My reading up on the subject suggests I want to configure the
'saml20-sp-hosted.php' file in metadata, but I can't find it there, or in
metadata-examples.


I've also edited 'authsources.php' to look like this:

// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'default-sp' => array(
'saml:SP',

// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
// JULIAN COMMENTED THIS 8 MARCH 2010
//'entityID' => NULL,

// The entity ID of the IdP this SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
// JULIAN COMMENTED THIS 8 MARCH 2010
//'idp' => NULL,

// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
'discoURL' => NULL,

// JULIAN ADDED THIS 8 MARCH 2010
'entityID' => 'http://www.openreachwordonthestreet.com/',
'idp' => 'https://dev-otp-ws.bt.com/affwebservices/public/saml2sso',
'privatekey' => 'ca-cert.pem',
'certificate' => 'crjfd_sp.crt',

),


Added this to 'saml20-idp-remote.php' :

/*
* Julian added 8 March 2010
* Techmahindra
*/
$metadata['https://dev-otp-ws.bt.com/affwebservices/public/saml2sso'] = array(
'name' => array(
'en' => 'Techmahindra',
),
'description' => 'TechMahindra sign-on identity provider',

'SingleSignOnService' => 'https://dev-otp-ws.bt.com/affwebservices/public/saml2sso',
'SingleLogoutService' => 'https://dev-otp-ws.bt.com/affwebservices/public/saml2sso',
'privatekey' => 'ca-cert.pem',
'certificate' => 'crjfd_sp.crt',
);

When I test default-sp I get this:
Bad Request. The request has bad syntax or incorrect parameters. - No
SAML2 provider information found for SP

Utterly confused and lost!

Hopefully
Julian

PS i would really appreciate being CC'd at my email -
jul...@flatearth.co.uk - if anyone can help

Olav Morken

Mar 9, 2010, 4:08:09 AM
to simple...@googlegroups.com, jul...@flatearth.co.uk
On Mon, Mar 08, 2010 at 10:45:14 -0800, Juliobesq wrote:
> Hi
>
> I've been tasked with configuring simplesamlphp as a service provider.
> Alas it is waaaaay outside my knowledge base.

Have you tried following the SP quickstart guide:

http://simplesamlphp.org/docs/1.5/simplesamlphp-sp

If you follow it, you will create an SP connected to the Feide OpenIdP,
which can be a good way to become familiar with SP configuration.

> I've been at this for a while but have to admit confusion and defeat.
> And, the Identity provider is basically refusing to offer any
> assistance in setting this up even though they have provided the
> parameters, sigh.
>
> Here's what I have been told I have to configure:
>
> 1. Identity Provider ID (IdPID)
> Specifies a URI that uniquely identifies the Identity Provider
> my_provided_idp
> (Provided)
>
> 2. Service Provider ID(SPID)
> The ID of the Service Provider where the Identity Provider sends the
> unsolicited response.
> arbitrary_string_i_provide

This one is determined by the entityID option in the SP configuration.

> 3. SSO URL
> Specifies the URI of the Single Sign-On service at an Identity
> Provider.
> https://webservice_of_identity_provider
> (Provided)
>
> 4. Audience
> This value is included in the assertion passed to the SP and may be
> used for validation purposes
> http://fgw.illusionfactor.com
> (this has been provided by the Identity Provider, but I have no idea
> where they got it from as it bears no relation to anything in the
> project)

simpleSAMLphp expects the Audience to contain the SP entityID /
provider ID, and will reject assertions with a different Audience.
There is currently no way to override this behaviour without changing
the source code.

> 5. Assertion Consumer Service
> Specifies the URL of the assertion consumer. This is the URL where the
> user’s browser must POST the generated assertion.
> http://www.openreachwordonthestreet.com/simplesaml/hello.php

This URL must match the location of the AssertionConsumerService
endpoint, which isn't configurable. It should be something like

http://www.openreachwordonthestreet.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

Typically, this is something that you provide to the IdP along with the
entityID / provider ID of your SP.

> 6. Protocol Binding
> A SAML Binding determines how SAML requests and responses map onto
> standard messaging or communication protocols.
> SAML 2.0 POST
>
> 7. Relay State or Target
> A unique URL for Service provider Target page.
> http://www.openreachwordonthestreet.com/index.php
>
> 8. Validity Duration
> Based on the values of the Validity Duration and Skew Time, the
> assertion generator calculates the total time that the assertion is
> valid.
> 60 sec
>
> 9. Skew time
> Based on the values of the Validity Duration and Skew Time, the
> assertion generator calculates the total time that the assertion is
> valid
> 30 sec
>
>
>
> From what I can gather, I've been told I must configure 1, 2, and 5.
> Plus install the crt and pem files provided - I have done this by
> uploading them into the cert directory.
> My reading up on the subject suggests I want to configure the
> 'saml20-sp-hosted.php' file in metadata, but I can't find it there, or in
> metadata-examples.

That is because it was deprecated for the 1.5 release of simpleSAMLphp.
If you create it, it will still work, but when configuring new SPs you
are encouraged to use authsources.php instead.


> I've also edited 'authsources.php' to look like this:
>
> // An authentication source which can authenticate against both SAML 2.0
> // and Shibboleth 1.3 IdPs.
> 'default-sp' => array(
> 'saml:SP',
>
> // The entity ID of this SP.
> // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
> // JULIAN COMMENTED THIS 8 MARCH 2010
> //'entityID' => NULL,
>
> // The entity ID of the IdP this SP should contact.
> // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
> // JULIAN COMMENTED THIS 8 MARCH 2010
> //'idp' => NULL,
>
> // The URL to the discovery service.
> // Can be NULL/unset, in which case a builtin discovery service will be used.
> 'discoURL' => NULL,
>
> // JULIAN ADDED THIS 8 MARCH 2010
> 'entityID' => 'http://www.openreachwordonthestreet.com/',
> 'idp' => 'https://dev-otp-ws.bt.com/affwebservices/public/saml2sso',

Is this the correct entityID of the IdP? It should match the string you
were provided in point 1 above.

> 'privatekey' => 'ca-cert.pem',
> 'certificate' => 'crjfd_sp.crt',
>
> ),
>
>
> Added this to 'saml20-idp-remote.php' :
>
> /*
> * Julian added 8 March 2010
> * Techmahindra
> */
> $metadata['https://dev-otp-ws.bt.com/affwebservices/public/saml2sso']

This needs to match entityID of the IdP, so if you change the above,
you need to update this.

> = array(
> 'name' => array(
> 'en' => 'Techmahindra',
> ),
> 'description' => 'TechMahindra sign-on identity provider',
>
> 'SingleSignOnService' => 'https://dev-otp-ws.bt.com/affwebservices/public/saml2sso',
> 'SingleLogoutService' => 'https://dev-otp-ws.bt.com/affwebservices/public/saml2sso',

Unless you know that the IdP supports single logout, you shouldn't add
a SingleLogoutService.

> 'privatekey' => 'ca-cert.pem',

No private key for the IdP.

> 'certificate' => 'crjfd_sp.crt',

Is this the IdP certificate? The _sp makes it look like the SP
certificate.

> );
>
> When I test default-sp I get this:
> Bad Request. The request has bad syntax or incorrect parameters. - No
> SAML2 provider information found for SP

This looks like an error from the IdP. Is the SP metadata
registered on the IdP? You can find the SP metadata under the
Federation-tab on your SP (the entry marked with "default-sp" is the
one you are looking for).

--
Olav Morken
UNINETT / Feide

Juliobesq

Mar 9, 2010, 5:17:44 AM
to simpleSAMLphp
Hi Olav

Many thanks for the tips, trying to make sense of everything but I am
basically a web designer/programmer and server related tasks are a
little beyond me!

> Have you tried following the SP quickstart guide:
> http://simplesamlphp.org/docs/1.5/simplesamlphp-sp
> If you follow it, you will create an SP connected to the Feide OpenIdP,
> which can be a good way to become familiar with SP configuration.

Yes, I managed that, but it's relating the parameters supplied to me
by the Identity provider that are proving difficult


Can I check I understand the parts please...

1. Identity Provider ID (IdPID) - Specifies a URI that uniquely
identifies the Identity Provider
> > my_provided_idp

Where does this go?


2. Service Provider ID(SPID) - The ID of the Service Provider where
the Identity Provider sends the unsolicited response.
> > arbitrary_string_i_provide
>
> This one is determined by the entityID option in the SP configuration.

'entityID' in 'authsources.php' ?

The Identity Provider are saying I make this up and tell them what I
entered, correct?


3. SSO URL - Specifies the URI of the Single Sign-On service at an
Identity Provider.

The URL they provided, and it goes in these places...

'idp' in 'authsources.php' ?
$metadata[] in 'saml20-idp-remote.php'
'SingleSignOnService' in 'saml20-idp-remote.php'

> > 4. Audience
> > This value is included in the assertion passed to the SP and may be
> > used for validation purposes
> > http://fgw.illusionfactor.com
> > (this has been provided by the Identity provider, but I have no idea
> > where they got it from as it bears no relation to anything in the
> > project)
>
> simpleSAMLphp expects the Audience to contain the SP entityID /
> provider ID , and will reject assertions with a different Audience.
> There is currently no way to override this behaviour without changing
> the source code.

Do I need to add this anyway?

> > 5. Assertion Consumer Service
> > Specifies the URL of the assertion consumer. This is the URL where the
> > user's browser must POST the generated assertion.
>
> This URL must match the location of the AssertionConsumerService
> endpoint, which isn't configurable. It should be something like
>
> http://www.openreachwordonthestreet.com/simplesaml/module.php/saml/sp...
>
> Typically, this is something that you provide to the IdP along with the
> entityID / provider ID of your SP.

Since I haven't done anything other than what's listed here I should
give the Identity Provider the default URL you've kindly suggested?

'authsources.php' now looks like this

'default-sp' => array(
'saml:SP',

'discoURL' => NULL,

'entityID' => '_String_provided_by_identity_provider_',
'idp' => 'https://_url_of identity provider_/affwebservices/public/saml2sso',


'privatekey' => 'ca-cert.pem',
'certificate' => 'crjfd_sp.crt',

),


'saml20-idp-remote.php' now looks like this

$metadata['https://_url_of identity provider_/affwebservices/public/saml2sso'] = array(


'name' => array(
'en' => 'Techmahindra',
),
'description' => 'TechMahindra sign-on identity provider',

'SingleSignOnService' => 'https://_url_of identity provider_/affwebservices/public/saml2sso',
);


I'm confused between where (1. Identity Provider ID (IdPID)) and (2.
Service Provider ID(SPID)) go


Sorry to be a bit thick about this!

Julian

Olav Morken

Mar 9, 2010, 9:46:38 AM
to simple...@googlegroups.com
On Tue, Mar 09, 2010 at 02:17:44 -0800, Juliobesq wrote:
> Hi Olav
>
> Many thanks for the tips, trying to make sense of everything but I am
> basically a web designer/programmer and server related tasks are a
> little beyond me!
>
> > Have you tried following the SP quickstart guide:
> > http://simplesamlphp.org/docs/1.5/simplesamlphp-sp
> > If you follow it, you will create an SP connected to the Feide OpenIdP,
> > which can be a good way to become familiar with SP configuration.
>
> Yes, I managed that, but it's relating the parameters supplied to me
> by the Identity provider that are proving difficult

If you haven't already, I suggest looking here for the configuration
in authsources.php:

http://simplesamlphp.org/docs/1.5/saml:sp

and here for the configuration in metadata/saml20-idp-remote.php:

http://simplesamlphp.org/docs/1.5/simplesamlphp-reference-idp-remote

Just remember that entity ID is the same as provider ID.

> Can I check I understand the parts please...
>
> 1. Identity Provider ID (IdPID) - Specifies a URI that uniquely
> identifies the Identity Provider
> > > my_provided_idp
>
> Where does this go?

The idp option in authsources.php, and the $metadata[] in
saml20-idp-remote.php.

> 2. Service Provider ID(SPID) - The ID of the Service Provider where
> the Identity Provider sends the unsolicited response.
> > > arbitrary_string_i_provide
> >
> > This one is determined by the entityID option in the SP configuration.
>
> 'entityID' in 'authsources.php' ?

Yes. You don't actually need to set it - if you don't specify it,
simpleSAMLphp will generate one automatically. It will be available
in your metadata.

> The Identity Provider are saying I make this up and tell them what I
> entered, correct?

Typically, you would give the IdP your metadata (which includes your
entity ID and AssertionConsumerService endpoint), and they will
register it in their IdP.

> 3. SSO URL - Specifies the URI of the Single Sign-On service at an
> Identity Provider.
>
> The URL they provided, and it goes in these places...
>
> 'idp' in 'authsources.php' ?
> $metadata[] in 'saml20-idp-remote.php'

No, these two must be set to the IdP entity ID / provider ID.

> 'SingleSignOnService' in 'saml20-idp-remote.php'

Yes, this is the place to add this one.

> > > 4. Audience
> > > This value is included in the assertion passed to the SP and may be
> > > used for validation purposes
> > > http://fgw.illusionfactor.com
> > > (this has been provided by the Identity provider, but I have no idea
> > > where they got it from as it bears no relation to anything in the
> > > project)
> >
> > simpleSAMLphp expects the Audience to contain the SP entityID /
> > provider ID , and will reject assertions with a different Audience.
> > There is currently no way to override this behaviour without changing
> > the source code.
>
> Do I need to add this anyway?

There is no place to add it. If the IdP doesn't send your provider
ID / entity ID here, simpleSAMLphp will reject the assertion as
invalid. (This is for security reasons - you should not be able to take
an assertion destined for one SP and use it in a different SP.)

> > > 5. Assertion Consumer Service
> > > Specifies the URL of the assertion consumer. This is the URL where the
> > > user’s browser must POST the generated assertion.
> >
> > This URL must match the location of the AssertionConsumerService
> > endpoint, which isn't configurable. It should be something like
> >
> > http://www.openreachwordonthestreet.com/simplesaml/module.php/saml/sp...
> >
> > Typically, this is something that you provide to the IdP along with the
> > entityID / provider ID of your SP.
>
> Since I haven't done anything other than what's listed here I should
> give the Identity Provider the default URL you've kindly suggested?

That URL should work, but you should double-check against your metadata.
I believe I described how you would access it in my previous mail.


> 'authsources.php' now looks like this
>
> 'default-sp' => array(
> 'saml:SP',
>
> 'discoURL' => NULL,
>
> 'entityID' => '_String_provided_by_identity_provider_',
> 'idp' => 'https://_url_of identity provider_/affwebservices/public/saml2sso',
> 'privatekey' => 'ca-cert.pem',
> 'certificate' => 'crjfd_sp.crt',
>
> ),
>
>
> 'saml20-idp-remote.php' now looks like this
>
> $metadata['https://_url_of identity provider_/affwebservices/public/saml2sso'] = array(
> 'name' => array(
> 'en' => 'Techmahindra',
> ),
> 'description' => 'TechMahindra sign-on identity provider',
>
> 'SingleSignOnService' => 'https://_url_of identity provider_/affwebservices/public/saml2sso',

You seem to have removed the certificate option. You should have
received a certificate from the IdP, and you must add that option here.
Without a certificate belonging to the IdP, simpleSAMLphp has no way to
verify that the response (with the assertion) it received from the IdP
is in fact issued by the IdP.
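Olav's point about the Audience, together with items 4, 5, 8 and 9 of Julian's list, as an added example that is not simpleSAMLphp's own code: the checks an SP applies to an assertion's Issuer, Conditions and Recipient before trusting it, using the thread's values as constructed placeholders (the entity IDs, the ACS URL, a 30 s skew allowance). Signature verification with the IdP's certificate is the separate step Olav asks for and is not shown here.

```python
"""Checks an SP must apply to a SAML 2.0 assertion before trusting it:
Issuer == configured IdP entity ID, Audience == this SP's entity ID,
Recipient == this SP's ACS URL, validity window widened by a skew."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values taken from the thread; the IdP entity ID is Julian's placeholder.
SP_ENTITY_ID = "http://www.openreachwordonthestreet.com/"
ACS_URL = ("http://www.openreachwordonthestreet.com/simplesaml/"
           "module.php/saml/sp/saml2-acs.php/default-sp")
IDP_ENTITY_ID = "my_provided_idp"
SKEW = timedelta(seconds=30)  # the 30 s skew from item 9 of the original post


def _ts(value):
    """Parse a SAML UTC timestamp such as 2010-03-09T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now):
    """Return [] if the assertion may be accepted, else the reasons to reject it."""
    root = ET.fromstring(xml_text)
    errors = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        errors.append(f"issuer {issuer!r} is not the configured IdP")
    cond = root.find("saml:Conditions", NS)
    not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if now < not_before - SKEW or now >= not_on_or_after + SKEW:
        errors.append("assertion is outside its validity window")  # items 8 and 9
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        errors.append(f"audience {audiences} does not name this SP")  # item 4
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        errors.append("Recipient is not this SP's AssertionConsumerService URL")  # item 5
    return errors


def sample_assertion(audience, issuer=IDP_ENTITY_ID):
    """Constructed, unsigned assertion; signature verification is a separate step."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_id1" Version="2.0" IssueInstant="2010-03-09T10:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>julian</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2010-03-09T10:00:00Z" NotOnOrAfter="2010-03-09T10:01:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Feeding `sample_assertion("http://fgw.illusionfactor.com")` to `validate_assertion` reproduces the rejection Olav describes: the Audience the IdP offered does not name this SP, so the assertion is refused even though everything else is in order.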

Juliobesq

Mar 10, 2010, 5:24:02 AM
to simpleSAMLphp
IdP is now talking to our server - Thank you Olav!