simplesaml as SP and IDP w/LDAP - cant find metadata


Nully Nullerson

Jan 23, 2014, 5:57:14 PM1/23/14
to simple...@googlegroups.com
Hey all, I am deploying SAML in a lab for reproduction use so I just need a very basic config. I already have LDAP auth available in the lab, so I'll want to use that as the actual authenticator.

1. Added entry to authsources and verified LDAP auth working via "test authentication sources"
2. Enabled the IDP in config.php
3. Placed the following in /etc/simplesamlphp/metadata/saml20-idp-hosted.php:

<?php
/**
 * SAML 2.0 IdP configuration for simpleSAMLphp.
 *
 * See: https://rnd.feide.no/content/idp-hosted-metadata-reference
 */

$metadata['__DYNAMIC:1__'] = array(

    'saml20.sign.response' => FALSE,
    'saml20.sign.assertion' => FALSE,   

    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',

    /* X.509 key and certificate. Relative to the cert directory. */
    'privatekey' => 'saml_idp.key',
    'certificate' => 'saml_idp.cer',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-ldap',

    /* Uncomment the following to use the uri NameFormat on attributes. */
    /*
    'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),
    */

);

4. Fetched metadata from admin interface and placed it in saml20-idp-remote.php:

$metadata['http://lab.host/simplesamlphp/saml2/idp/metadata.php'] = array (
  'metadata-set' => 'saml20-idp-remote',
  'entityid' => 'http://lab.host/simplesamlphp/saml2/idp/metadata.php',
  'AssertionConsumerService' => 'https://3rdparty.host/samlauth',
  'SingleSignOnService' => 'http://lab.host/simplesamlphp/saml2/idp/SSOService.php',
  'SingleLogoutService' => 'http://lab.host/simplesamlphp/saml2/idp/SingleLogoutService.php',
  'certData' => 'REDACTED',
  'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);

5. Ultimately a 3rd party device is the consumer of SAML auth, so I point it to http://lab.host/simplesamlphp/saml2/idp/SSOService.php. When I then try to auth with the 3rd party device and it redirects me to SSOService.php, I'm getting a 'metadata not found' error for my "lab.host" name.

Is this SP or IDP metadata being searched for in this case? I can manipulate parameters on the 3rd party device to request whatever metadata name I want, and despite editing the saml20-idp-remote.php file to match what's being sent, and various other permutations, each time I still get metadata not found.

I have a feeling the issue may be with the SP being ldap since in the federation tab nothing appears in "SAML 2.0 SP (trusted)" but really I'm not sure.

Any help is greatly appreciated.

Peter Schober

Jan 24, 2014, 5:43:25 AM1/24/14
to simple...@googlegroups.com
* Nully Nullerson <angrysc...@gmail.com> [2014-01-24 07:26]:
> Hey all, I am deploying SAML in a lab for reproduction use so I just
> need a very basic config. I already have LDAP auth available in the
> lap, so I'll want to use that as the actual authenticator.

So exactly what is the aim of this exercise? That's not fully clear
from a long list of configuration steps you did.
You do have a SAML IDP which uses LDAP for local authentication, OK.
But the SP and 3rd party thing is unclear to me.

> 4. Fetched metadata from admin interface and placed it in
> saml20-idp-remote.php:
>
> $metadata['http://lab.host/simplesamlphp/saml2/idp/metadata.php'] = array (
> 'metadata-set' => 'saml20-idp-remote',
> 'entityid' => 'http://lab.host/simplesamlphp/saml2/idp/metadata.php',
> 'AssertionConsumerService' => 'https://3rdparty.host/samlauth',
> 'SingleSignOnService' =>
> 'http://lab.host/simplesamlphp/saml2/idp/SSOService.php',
> 'SingleLogoutService' =>
> 'http://lab.host/simplesamlphp/saml2/idp/SingleLogoutService.php',
> 'certData' => 'REDACTED',
> 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
> );

That is very weird. For one, a SAML IdP does not consume assertions,
as such it doesn't make any sense (and won't do what you want it to)
to add an AssertionConsumerService to the IdP's metadata. (In SAML
metadata this would be schema-invalid.)
Also what is the relation with https://3rdparty.host/samlauth and in
what SAML role (SP, IdP) do you expect it to act?

> I have a feeling the issue may be with the SP being ldap since in
> the federation tab nothing appears in "SAML 2.0 SP (trusted)" but
> really I'm not sure.

I don't know SSP well enough to say whether "the SP being LDAP" means
anything. From a basic understanding I'd say the fact that the IDP you
configured uses LDAP for authentication does not concern a SAML SP (be
it remote or co-located with the IDP).
-peter

Nully Nullerson

Jan 24, 2014, 10:56:29 AM1/24/14
to simple...@googlegroups.com, peter....@univie.ac.at
Hi Peter,

Yes it seems there are some pieces I'm misunderstanding here :\. I'm not quite sure at this point whether I need ssphp in a SP capacity or not. In this case the 3rd party device is a network appliance which supports SAML auth. I think in this scenario the 3rd party device is the SP and just needs an IDP....?

When you post to http://lab.host/simplesamlphp/saml2/idp/SSOService.php and ssphp does the metadata lookup, what table are we looking at? I think if I can understand that (because it's this lookup that's failing) I can figure the rest out.

I removed the metadata entry from saml20-idp-remote.php as the more I thought about it, the less sense it made. My configs now look like:

saml20-idp-host.php:


$metadata['__DYNAMIC:1__'] = array(

        'saml20.sign.response' => FALSE,
        'saml20.sign.assertion' => FALSE,
        'host' => '__DEFAULT__',

        'privatekey' => 'saml_idp.key',
        'certificate' => 'saml_idp.cer',
        'auth' => 'example-ldap',
);

saml20-idp-remote.php:

$metadata['lab.host'] = array(
        'AssertionConsumerService' => 'https://10.0.0.2/auth/samlauth',
);

You can see here https://10.0.0.2/auth/samlauth refers back to the 3rd party device to get the SAML response, so is this an SP role?

When 3rd party device redirects to http://lab.host/simplesamlphp/saml2/idp/SSOService.php, the metadata not found error is for "lab.host" which is puzzling to me since this is exactly the metadata which I defined.

I apologize for my ignorance, this is a bit of a crash course on SAML auth and I'm doing a lot of reading trying to get this figured out. I hope the above maybe clears it up a bit.

Peter Schober

Jan 24, 2014, 11:17:13 AM1/24/14
to simple...@googlegroups.com
* Nully Nullerson <angrysc...@gmail.com> [2014-01-24 16:56]:
> Yes it seems there are some pieces I'm misunderstanding here :\. I'm
> not quite sure at this point whether I need ssphp in a SP capacity
> or not. In this case the 3rd party device is a network appliance
> which supports SAML auth. I think in this scenario the 3rd party
> device is the SP and just needs an IDP....?

Possible and certainly makes more sense to me. Note that some of those
appliances do support SAML but will only act in an IDP role. Either
way, you'd have to consult the vendor's documentation or support for
that device.

> When you post to
> http://lab.host/simplesamlphp/saml2/idp/SSOService.php and ssphp
> does the metadata lookup, what table are we looking at? I think if I
> can understand that (because it's this lookup that's failing) I can
> figure the rest out.

An IdP will look for SPs in metadata/saml20-sp-remote.php

> I removed the metadata entry from saml20-idp-remote.php as the more I
> thought about it, the less sense it made. My configs now look like:
>
> saml20-idp-host.php:
>
> $metadata['__DYNAMIC:1__'] = array(
>
> 'saml20.sign.response' => FALSE,
> 'saml20.sign.assertion' => FALSE,
> 'host' => '__DEFAULT__',
> 'privatekey' => 'saml_idp.key',
> 'certificate' => 'saml_idp.cer',
> 'auth' => 'example-ldap',
> );

OK

> saml20-idp-remote.php:
>
> $metadata['lab.host'] = array(
> 'AssertionConsumerService' => 'https://10.0.0.2/auth/samlauth',
> );

No. A SAML IdP will only ever interact with a SAML SP. So the SP would
need to go into metadata/saml20-sp-remote.php
saml20-idp-remote.php would only make sense for a SAML SP.

> You can see here https://10.0.0.2/auth/samlauth refers back to the
> 3rd party device to get the SAML response, so is this an SP role?

Not sure what "You can see here" means as that's a private class
network (cf RFC 1918) and not accessible from the Internet.

What is the code that runs at this URL? What means "refers back"
specifically? Also for SSO a SAML "response" will be coming from the
SAML IDP (sent to the SAML SP, possibly in reply to a SAML request),
so what means "to the 3rd party device to get the SAML response"?

Makes no sense to me.

> When 3rd party device redirects to
> http://lab.host/simplesamlphp/saml2/idp/SSOService.php, the metadata not
> found error is for "lab.host" which is puzzling to me since this is exactly
> the metadata which I defined.

See above. You put the metadata for the entity "lab.host" in the wrong
place. Also note that "lab.host" is not strictly a valid entityID (it
must be a URI) and also since lab.host is the host name for your SAML
IDP I would choose something that clearly identifies the SP as one.

-peter
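To make the file placement concrete, here is what the appliance's entry would look like in metadata/saml20-sp-remote.php, the file the IdP actually consults when a request hits SSOService.php. This is an added example, not configuration from the thread or from the SimpleSAMLphp project; the entityID https://appliance.example/saml/sp is an assumed placeholder and must be replaced with whatever the appliance sends as its Issuer.

```php
<?php
/*
 * metadata/saml20-sp-remote.php (added example, not from the thread).
 *
 * The IdP looks SPs up in THIS file, not in saml20-idp-remote.php,
 * which is only consulted when SimpleSAMLphp itself acts as an SP.
 * The array key is the SP's entityID and must be a URI that matches
 * the <saml:Issuer> the appliance puts in its AuthnRequest; a bare
 * host name such as 'lab.host' is not a valid entityID.
 */
$metadata['https://appliance.example/saml/sp'] = array(   // ASSUMED placeholder entityID
    // Endpoint on the SP where the IdP delivers the SAML Response.
    // Value taken from the thread's appliance config.
    'AssertionConsumerService' => 'https://10.0.0.2/auth/samlauth',

    // NameID format the appliance accepts (assumed; check vendor docs).
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

    /*
     * Beyond the lab setup: if the appliance signs its AuthnRequests,
     * pin its certificate here so the IdP can verify them instead of
     * trusting any request that names this entityID.
     * PLACEHOLDER: replace with the appliance's base64 DER certificate.
     */
    // 'certData' => 'PLACEHOLDER_BASE64_CERT',
    // 'validate.authnrequest' => true,
);
```

After saving, the SP should appear under "SAML 2.0 SP (trusted)" on the federation tab, which is the quickest check that the entry landed in the right file.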

Nully Nullerson

Jan 24, 2014, 4:52:44 PM1/24/14
to simple...@googlegroups.com, peter....@univie.ac.at

I should have been using saml20-sp-remote.php, not saml20-idp-remote.php :). I moved the metadata to the file and now it's working.

Peter Schober

Jan 26, 2014, 7:25:02 AM1/26/14
to simple...@googlegroups.com
* Nully Nullerson <angrysc...@gmail.com> [2014-01-24 22:52]:
> I should have been using saml20-sp-remote.php, not saml20-idp-remote.php
> :). I moved the metadata to the file and now it's working.

Which is why I said
"So the SP would need to go into metadata/saml20-sp-remote.php"
in case you didn't read my explanations.
-peter