* Jose Daniel <jdanielc...@gmail.com> [2016-05-18 19:13]:
> Does SimpleSAMLphp support Shibboleth versions > 1.3?
Sure. When SimpleSAMLphp says "Shibboleth 1.3" it means SAML1.1 plus
proprietary Shibboleth authentication requests.
None of that matters since we have SAML2.0 since 2005 (!).
> 'enable.saml20-idp' => true,
> 'enable.shib13-idp' => true, //only accepts shibboleth 1.3??
The Shibboleth project (Internet2 back then) invented an extension for
SAML1. That's no longer necessary in SAML 2.0, therefore you just
configure SAML 2.0 to interop with Shibboleth.
Best to forget anything with shib13 within SimpleSAMLphp.
> My federation list in the IdP shows that I have configured the
> metadata of my SP that I'm running in a Debian virtual machine.
The Shib SP by default also publishes SAML1.1 support and endpoints in
its metadata at /Shibboleth.sso/Metadata, but it's up to you what you
want to support.
If you don't include SAML1 support in the Shib SP metadata then
SimpleSAMLphp will also not report "Shib 1.3 SP Metadata".
But that doesn't hurt either, you just ignore the fact that this SP
also supports a historic protocol version.
Do not set enable.shib13-idp to true unless you know you need it for a
specific legacy use-case. Definitely not for contemporary Shibboleth
releases.
There's no trust in downloading Metadata (i.e., plain text files)
directly from the IDP (and vice versa), so why bother with SAML at
all?
The screenshot shows warnings from the Shibboleth software, each with
an explanation. If you don't understand those explanations you
should ask, but not on this list (which is about SimpleSAMLphp, not
Shibboleth).
> <https://lh3.googleusercontent.com/--uqyoi82ME8/VzyfvUQdsoI/AAAAAAAAAOA/-HZeVGI66aYm8rmRDp-EIxa6jdPF_ccngCLcB/s1600/error.png>
Your own IDP tells you that it does not have Metadata for the SP.
That's what "Metadata not found. Unable to locate metadata for ..."
means. So give it metadata describing the SP, according to the
SimpleSAMLphp documentation.
> Can someone help me? I don't know what I have to do to get the
> SimpleSAML IdP and Shibboleth SP working. Thanks.
Read the SimpleSAMLphp IDP documentation on how to add SPs to it, and
the Shib documentation on how to add IDPs. Once that's done you'll
need to decide what data (SAML NameID and/or attributes) to send, and
how to name the stuff on the wire.
Since you obviously only want to play with the stuff (no TLS anywhere,
private class IP addresses without DNS entries, "localhost" for the
SP, etc.) there's certainly a lot of complexity ahead of you, and many
of the reasons to do things one way or another depend on the
deployment. Without one all that's left is too many options.
-peter
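The two pieces of IdP-side configuration the reply points at, as an added example that is not part of the thread and not SimpleSAMLphp's own shipped configuration: a config.php excerpt that enables only the SAML 2.0 IdP (leaving enable.shib13-idp off), and a saml20-sp-remote.php entry that gives the IdP metadata for the Shibboleth SP so "Metadata not found" goes away. The hostname sp.example.org, the entityID, the handler paths and the certificate value are constructed placeholders; take the real values from the SP's own /Shibboleth.sso/Metadata, obtained over a channel you actually trust (TLS to a host you control, or a signed federation feed), not a plain-text download you cannot verify. The attribute list is likewise an assumption about what this deployment wants to release.

```php
<?php
// Added example, not from the mailing-list thread or the SimpleSAMLphp
// distribution. Hostnames, entityID, endpoints, certificate and attribute
// names below are constructed placeholders for a lab deployment.

// --- config/config.php (excerpt) ---
// Enable the SAML 2.0 IdP only. 'enable.shib13-idp' serves the legacy
// SAML 1.1 + proprietary Shibboleth AuthnRequest profile, which a current
// Shibboleth SP does not need, so it stays false.
$config = [
    'enable.saml20-idp' => true,
    'enable.shib13-idp' => false,
];

// --- metadata/saml20-sp-remote.php ---
// One entry per SP, keyed by the SP's entityID exactly as it appears in the
// SP's metadata. Without this entry the IdP reports
// "Metadata not found. Unable to locate metadata for ...".
$metadata['https://sp.example.org/shibboleth'] = [  // constructed entityID
    // Where the IdP posts the SAML 2.0 Response. The Shibboleth SP's default
    // handler path for the HTTP-POST binding is /Shibboleth.sso/SAML2/POST.
    'AssertionConsumerService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://sp.example.org/Shibboleth.sso/SAML2/POST',
            'index'    => 1,
        ],
    ],
    // Single logout endpoint, again from the SP's metadata.
    'SingleLogoutService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sp.example.org/Shibboleth.sso/SLO/Redirect',
        ],
    ],
    // The SP's signing/encryption certificate: the base64 body of the
    // <ds:X509Certificate> element from the SP metadata, without the PEM
    // BEGIN/END lines. Placeholder value here.
    'certData' => 'MIIC...CONSTRUCTED-PLACEHOLDER...',

    // What to send: a transient NameID plus a small set of attributes.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    // How to name the attributes on the wire: Shibboleth's default
    // attribute-map.xml expects URI-format names (urn:oid:...), so rename
    // SimpleSAMLphp's friendly names (uid, mail, ...) to OIDs before release.
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => [
        50 => ['class' => 'core:AttributeMap', 'name2oid'],
    ],
];
```

Keep the SP entityID, ACS location and certificate in sync with what the SP actually publishes; a mismatch on any of them shows up on the SP side as the kind of warning seen in the screenshot, and on the IdP side as the metadata lookup failure discussed above.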