SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'http://domain/simplesaml/module.php/saml/sp/metadata.php/default-sp\'')

[Joshua Rivera]

when browsing on my identity server and going to 'test authentication sources' and clicking my default-sp method, i am getting the following error about my metadata

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'http://domain/simplesaml/module.php/saml/sp/metadata.php/default-sp\'')

Backtrace:
3 /ltsites/saml/identity/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:293 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
2 /ltsites/saml/identity/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:310 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
1 /ltsites/saml/identity/modules/saml/lib/IdP/SAML2.php:296 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /ltsites/saml/identity/www/saml2/idp/SSOService.php:19 (N/A)

i go to http://domain/simplesaml/module.php/saml/sp/metadata.php and i can SEE the metadata, so i'm not sure what's happening. 

i have saml20-idp-hosted.php and sam120-sp-remote.php both configured (since this is the identity) server, but nothing i've changed has fixed anything. any ideas?

[Peter Schober]

* Joshua Rivera <joshua...@gmail.com> [2014-03-26 01:20]:

> when browsing on my identity server and going to 'test authentication
> sources' and clicking my default-sp method, i am getting the following
> error about my metadata
>
>
> SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' =>
> '\'http://domain/simplesaml/module.php/saml/sp/metadata.php/default-sp\'')

Try "test authentication sources" on the SP, not on the IDP.
Does that work?
-peter

[Joshua Rivera]

after clicking 'test authentication sources' followed by 'default-sp', i get a dropdown with "not translated (idpname_http://id.saml.domain.com/simplesaml/saml2/idp/metadata.php", i select that and then i get a very similar error to the one in the original post:

Unable to locate metadata for 'http://sp.saml.domain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp'

This is most likely a configuration problem on either the service provider or identity provider.

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'http://sp.saml.domain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp\'')

if i go to that url directly it forced a download of a file that has all of the xml metadata information.

[Peter Schober]

* Joshua Rivera <joshua...@gmail.com> [2014-03-26 01:20]:

> when browsing on my identity server and going to 'test authentication
> sources' and clicking my default-sp method, i am getting the following
> error about my metadata

Jfyi, my IDP has no "default-sp" authentcation source, only the
authsource to actually authenticate subjects (sql. ldap, etc.).
So that would suggest a misconfigured IDP.
What documentation did you follow?
-peter

[Peter Schober]

* Joshua Rivera <joshua...@gmail.com> [2014-03-26 15:51]:

> Unable to locate metadata for
> 'http://sp.saml.domain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp'

The SAML SP would need access to the SAML IDP's metadata.
The above does not look like a SAML IDP, but a SAML SP.
That suggests that you confused SP and IDP (and yourself) somehow.
-peter

[Joshua Rivera]

i used the quickstart guides at

https://simplesamlphp.org/docs/stable/simplesamlphp-idp

https://simplesamlphp.org/docs/stable/simplesamlphp-sp

but i very clearly agree without about confusing them/myself.

this is my identity federation page:

this is my service federation page:

is the problem that the identity page should not list idp metadata, only sp? or is it that sp should be listing idp instead of just sp? i am confused on if this page is supposed to list information for the server you on, or the server(s) you are connecting too.

[Peter Schober]

* Joshua Rivera <joshua...@gmail.com> [2014-03-26 16:16]:

> i used the quickstart guides at
> https://simplesamlphp.org/docs/stable/simplesamlphp-idp
> https://simplesamlphp.org/docs/stable/simplesamlphp-sp

Yes, but it looks like you enabled (another) SP on the IDP.

> this is my identity federation page:
>

> <https://lh3.googleusercontent.com/-QfaEXuV3jDY/UzLt56ANxKI/AAAAAAAAilI/mVWXOEltqa0/s1600/id_fed.png>

First I'd get rid of the SP on the IDP. Remove it from local metadata
and from the authsources.

> this is my service federation page:
>

> <https://lh4.googleusercontent.com/-xsrmxnbMo4w/UzLuqFm1ytI/AAAAAAAAilQ/sAmthN9QN2k/s1600/sp_fed.png>

That looks OK other than that it doesn't have trusted metadata for the
IDP.

> is the problem that the identity page should not list idp metadata,
> only sp? or is it that sp should be listing idp instead of just sp?
> i am confused on if this page is supposed to list information for
> the server you on, or the server(s) you are connecting too.

No idea, I hardly ever use this interface. I can tell you that on my
SP I only have this on top:

SAML 2.0 SP Metadata
Entity ID: <SP-entityID>
<name-of-authsource>
[ Show metadata ]

and below "SAML 2.0 IdP Metadata (Trusted)" with all the IDPs known
via SAML metadata, which I pull in via metarefresh.

Likewise, my IDP only shows

SAML 2.0 IdP Metadata
Entity ID: <IDP-entityID>
[ Show metadata ]

before it's list of trusted SPs.
-peter

[Joshua Rivera]

ok, i have cleaned up the IDP as you stated and removed that second SP, here's what it looks like now:

identity federation:

none of my changes effected the service page however, it still looks like this:

service federation:

i see what you are saying about the lack of trusted metadata for the idp. 

i assume this is related to step 4 in this guide? https://simplesamlphp.org/docs/stable/simplesamlphp-sp, i'm kind of lost on it however since it has directions for the specific Feide IDP, but not more generically for hooking up my own idp. do you have any ideas?

i don't however understand what you mean by metarefresh, do you think you could explain that further?

[Peter Schober]

No need to keep cc'ing me personally, I follow the list (otherwise I
would not have been able to reply to your first post).

* Joshua Rivera <joshua...@gmail.com> [2014-03-26 17:17]:

> ok, i have cleaned up the IDP as you stated and removed that second SP,
> here's what it looks like now:
>
> identity federation:
>

> <https://lh6.googleusercontent.com/-NMydm68d_BA/UzL8vZtqe2I/AAAAAAAAilg/99CIyR_3Gdw/s1600/id_fed.png>

Your Identity Provider (not "identity federation") shows a SAML IDP
(under "trusted") which has a different entityID that the IDP's own,
shown at the top. Where did that come from?

> none of my changes effected the service page however, it still looks like
> this:

No changes to your SAML IDP will magically change some other
component, here your SAML Service Provider (not "service federation").
So that's expected. Any chanegs I mentioned relevant to your SP need
to be performed at the SP.

> i see what you are saying about the lack of trusted metadata for the idp.
> i assume this is related to step 4 in this
> guide? https://simplesamlphp.org/docs/stable/simplesamlphp-sp, i'm kind of
> lost on it however since it has directions for the specific Feide IDP, but
> not more generically for hooking up my own idp. do you have any ideas?

https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_2
In SimpleSAMLphp you add SAML IDPs to a SAML SP by creating PHP arrays
in metadata/saml20-idp-remote.php
Since you'd have to know or study and learn SSP's proprietary metadata
format to be able to do that, just use the web interface's metadata
converter, on your SP's that's available as
/path/to/simplesamlphp/admin/metadata-converter.php
That's an HTML form into which you paste your IDP's SAML2.0 XML
metadata. Stick the result into metadata/saml20-idp-remote.php on the
SP.

The IDP needs metadata about the SP as well, so also paste your SP's
SAML2.0 XML metadata into that form and stick the result into
metadata/saml20-sp-remote.php on the IDP.

> i don't however understand what you mean by metarefresh, do you
> think you could explain that further?

A bit complicated to get set up but the only sensible way to get and
refresh SAML metadata into SSP, really. The documentation is here:
https://simplesamlphp.org/docs/stable/simplesamlphp-automated_metadata
-peter

[Joshua Rivera]

Sorry, the CC auto-checked, I did not realize I was doing that.

First, what i meant was "Identity Provider, Federation details", I shortened it without explaining it, sorry about that. Same with Service Provider.

The first problem you mention was that I had an entry in in the Identity Provider server in saml20-idp-remote.php. I probably did this thinking I was editing the service provider and not paying attention. I have removed the entry.

So here's what I just did:

1. Go to Identity Provider page, federation tab
   
2. Clicked 'Show Metadata' under 'SAML 2.0 IdP Metadata'
   
3. Copied XML
   
4. Pasted XML in XML Parser
   
5. Copied Converted Metadata under heading 'saml20-idp-remote'
6. Went to /path/to/serviceprovider/metadata/saml20-idp-remote.php
7. Pasted Converted metadata into file, saved and exited
8. Went to Service Provider page, federation tab
   
9. Clicked 'Show Metadata' under 'SAML 2.0 SP Metadata'
   
10. Copied XML
    
11. Pasted XML in XML Parser
    
12. Copied Converted Metadata under heading 'saml20-sp-remote'
13. Went to /path/to/identityprovider/metadata/saml20-sp-remote.php
14. Pasted Converted metadata into file, saved and exited

At this point it didn't work, again, same error as usual, but then I had an idea and went to /path/to/service/config/authsources.php

I had this in the file:

'default-sp' => array(

                'saml:SP',

                'privatekey' => 'foo.pem',

                'certificate' => 'foo.crt',

                'idp' => 'http://id.saml.domain.com/simplesaml/saml2/idp/metadata.php'

                // The entity ID of this SP.

                // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.

                //'entityID' => NULL,

                // The entity ID of the IdP this should SP should contact.

                // Can be NULL/unset, in which case the user will be shown a list of available IdPs.

                //'idp' => NULL,

                // The URL to the discovery service.

                // Can be NULL/unset, in which case a builtin discovery service will be used.

                //'discoURL' => NULL,

        ),

because this section of the document https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_2 had "https://openidp.feide.no" as the entity id, i had only put in my domain.com, i changed it to 

'default-sp' => array(

                'saml:SP',

                'privatekey' => 'foo.pem',

                'certificate' => 'foo.crt',

                'idp' => 'http://id.saml.domain.com/simplesaml/saml2/idp/metadata.php'

                // The entity ID of this SP.

                // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.

                //'entityID' => NULL,

                // The entity ID of the IdP this should SP should contact.

                // Can be NULL/unset, in which case the user will be shown a list of available IdPs.

                //'idp' => NULL,

                // The URL to the discovery service.

                // Can be NULL/unset, in which case a builtin discovery service will be used.

                //'discoURL' => NULL,

        ),

with the full path to the metadata file.

now i went back to the service provider, clicked, test authentication sources, and then default-sp.

to my surprise and amazement this time instead of an error i got a login screen!

i used the student/studentpass login info from the quickstart, and i got in.

thank you for all your help, it definitely pointed me in the right direction.

however, i still don't have any IDP's listed as trusted on my Service Provider federation page, do you think this is a concern? 

[Joshua Rivera]

Sorry, in authsources I meant it had

 'idp' => 'http://id.saml.domain.com'

and i changed it to

 'idp' => 'http://id.saml.domain.com/simplesaml/saml2/idp/metadata.php'