Cannot access /admin page during installation of simplesamlphp-2.2.1 (Windows server) Service provider


Bill Butler

May 31, 2024, 8:55:11 AM5/31/24
to SimpleSAMLphp
SimpleSAMLphp partially installed on "Windows Server 2019 version 1809, IIS version 10.0.17763.1"

Following step by step instructions on this page: 
https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-php  

SimpleSAMLphp homepage is working. https://service.example.org/saml/
However, the admin page cannot be reached.
From the documentation: 
"If this [the homepage] works, you can now also access the admin module by adding admin/ to your base URL: https://service.example.org/simplesaml/admin/"

I cannot access the /admin/ page despite the instructions telling me I can. Instead I get this: 
"State information lost
... {useless verbiage} ...
Tracking number: c1e27346e3
Debug information
The debug information below may be of interest to the administrator / help desk:
SimpleSAML\Error\NoState: NOSTATE
Backtrace:
6 src\SimpleSAML\Auth\State.php:295 (SimpleSAML\Auth\State::loadState)
5 modules\core\src\Controller\Login.php:104 (SimpleSAML\Module\core\Controller\Login::loginuserpass)
4 vendor\symfony\http-kernel\HttpKernel.php:181 (Symfony\Component\HttpKernel\HttpKernel::handleRaw)
3 vendor\symfony\http-kernel\HttpKernel.php:76 (Symfony\Component\HttpKernel\HttpKernel::handle)
2 vendor\symfony\http-kernel\Kernel.php:197 (Symfony\Component\HttpKernel\Kernel::handle)
1 src\SimpleSAML\Module.php:234 (SimpleSAML\Module::process)
0 public\module.php:17 (N/A)"

Anyone have an idea where I screwed up?

This is from the Windows IIS server logs. I redacted the SAML server's and a second server's IP addresses: 
2024-05-28 15:44:07 {SAML.SERVER.IP.ADDRESS} GET /saml/admin/ - 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 - 303 0 0 302
2024-05-28 15:44:09 {SAML.SERVER.IP.ADDRESS} GET /saml/admin/ - 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 - 303 0 0 198
2024-05-28 15:44:11 {SAML.SERVER.IP.ADDRESS} GET /saml/module.php/admin/ - 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 - 303 0 64 3599
2024-05-28 15:44:11 {SAML.SERVER.IP.ADDRESS} GET /saml/module.php/admin/ - 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 - 303 0 0 2214
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/module.php/core/loginuserpass AuthState=_65d3f6cd254800fdf433a35486c81c5129aff0a6f8 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 - 500 0 64 16363
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/module.php/core/loginuserpass AuthState=_53b779d36ee88cd8182bf1445bb49fc2d4062111f0 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 - 500 0 0 5691
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/admin/ - 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 - 303 0 0 64
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/module.php/admin/ - 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 - 303 0 0 225
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/module.php/core/loginuserpass AuthState=_6637625fb3590f3e269f6480e836344803b351497a 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 - 500 0 0 331
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/assets/base/fonts/fa-solid-900.woff2 tag=2c837 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 https://credence.loyno.edu/saml/module.php/core/loginuserpass?AuthState=_6637625fb3590f3e269f6480e836344803b351497a 304 0 0 9
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/assets/base/css/stylesheet.css tag=2c837 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 https://credence.loyno.edu/saml/module.php/core/loginuserpass?AuthState=_6637625fb3590f3e269f6480e836344803b351497a 304 0 0 6
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/assets/base/icons/ssplogo-fish-small.png tag=2c837 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 https://credence.loyno.edu/saml/module.php/core/loginuserpass?AuthState=_6637625fb3590f3e269f6480e836344803b351497a 304 0 0 2
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/assets/base/js/bundle.js tag=2c837 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 https://credence.loyno.edu/saml/module.php/core/loginuserpass?AuthState=_6637625fb3590f3e269f6480e836344803b351497a 304 0 0 2
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/assets/base/fonts/fa-solid-900.woff2 - 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 https://service.example.org/saml/assets/base/css/stylesheet.css?tag=2c837 304 0 0 22
2024-05-28 15:44:17 {SAML.SERVER.IP.ADDRESS} GET /saml/assets/base/icons/favicon.ico tag=2c837 443 - {SOME.OTHER.IP.ADDRESS} Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/124.0.0.0+Safari/537.36 https://credence.loyno.edu/saml/module.php/core/loginuserpass?AuthState=_6637625fb3590f3e269f6480e836344803b351497a 200 0 0 41

Last thing. We're a small university IT shop with 5 programmers. There are three people supporting Distributed Systems. I'm not a server guy, but I was tossed into this anyway. Distributed Systems created a Windows stand-alone server just for SAML service authentication. They have never used SimpleSAMLphp. We have an identity provider and we have third party software vendors. They give Distributed Systems the information packets and DS installs them accordingly. Because they have never managed a server with SimpleSAMLphp, they want me to figure it out. 

We want to link our Identity Provider to a server running a couple of systems I wrote in PHP. The idea is that our users go to our single sign-on page, select my systems among all the third-party vendor systems, then they are sent to our SAML service provider to use one of my systems. I write programs and systems. I don't work servers. I do not have direct access to the Identity Provider. The SimpleSAMLphp server is using our wildcard SSL certificate. Our old application server is on-site and never updated beyond PHP 5.6. Distributed Systems is eager to shut down the application server. 

Peter Schober

May 31, 2024, 9:45:42 AM5/31/24
to simple...@googlegroups.com
Bill Butler <bills...@gmail.com> [2024-05-31 14:55 CEST]:
> SimpleSAMLphp partially installed on "Windows Server 2019 version 1809, IIS
> version 10.0.17763.1"

"Partially installed"?
SSP version? PHP version?

> "State information lost
> ... {useless verbiage} ...
[...]
> SimpleSAML\Error\NoState: NOSTATE

https://simplesamlphp.org/docs/stable/simplesamlphp-nostate.html

> Last thing. We're a small university IT shop with 5 programmers. There are
> three people supporting Distributed Systems. I'm not a server guy, but I
> was tossed into this anyway. Distributed Systems created a Windows
> stand-alone server just for SAML service authentication.

Depending on what exactly the above entails that (putting "the SAML
bits" on a separate server from where your protected resources are
running) may be a questionable move ("suboptimal architectural
decision") as you can't protect things on one server (your resources)
with code running on another server (your new "SAML server") -- unless
the "SAML server" acts as a proxy/gateway to the protected resources
(and there's no way of accessing the protected resources other than
through the proxy). S.Cantor calls this "physically impossible" wrt
some other SAML implementation,
https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334319/OneOrMany

> They have never used SimpleSAMLphp. We have an identity provider and
> we have third party software vendors.

And those vendor systems are integrated with your Identity Provider
and none of this needs SimpleSAMLphp, correct?

> We want to link our Identity Provider to a server running a couple
> of systems I wrote in Php. The idea is that our users go to our
> single sign-on page, select my systems among all the third-party
> vendor systems, then they are sent to our SAML service provider to
> use one of my systems. I write programs and systems. I don't work
> servers. I do not have direct access to the Identity Provider.

Sounds simple enough: Wherever your PHP code runs that's where you'd
also install SimpleSAMLphp.
(Be sure to also study the chapter on session management:
https://simplesamlphp.org/docs/stable/simplesamlphp-maintenance.html#session-management)
After installation someone needs to perform the integration with the
Identity Provider (given the details you provided that's about as
specific as one can get here). Then you'd use the SSP PHP API to
integrate your PHP code with SSP:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api.html

You should also have a plan who owns/manages/updates SimpleSAMLphp on
that server (which may require occasional updates to your PHP code due
to API changes), after all SSP is security software.

HTH,
-peter
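The integration step Peter describes (SimpleSAMLphp installed on the same host as the PHP application, the application calling the SP API) looks roughly like the following. This is an added illustration, not code from the thread or from the SimpleSAMLphp project. It assumes a SimpleSAMLphp 2.x install at `/var/simplesamlphp` (so the autoloader is `src/_autoload.php`), an authentication source named `default-sp` in `config/authsources.php`, a return URL on the application host, and that the IdP releases `uid` and `eduPersonAffiliation`; all of those names are assumptions and must be replaced with the values from your own deployment.

```php
<?php
// Added example: protecting a PHP page with the SimpleSAMLphp SP API.
// Assumed install path and authsource name; adjust to your deployment.
declare(strict_types=1);

require_once '/var/simplesamlphp/src/_autoload.php'; // assumed install path

use SimpleSAML\Auth\Simple;

// 'default-sp' is the authentication source name assumed here.
$as = new Simple('default-sp');

// Force authentication. If the user has no SimpleSAMLphp session this
// redirects to the IdP; when the IdP posts the assertion back, SSP
// validates it and returns the user here.
$as->requireAuth([
    'ReturnTo' => 'https://service.example.org/app/index.php', // assumed
]);

// Attributes as asserted by the IdP. Each value is a list of strings.
$attributes = $as->getAttributes();

/**
 * Return the single value of a required attribute, or null if the IdP
 * did not release it. Never assume an attribute is present: a missing
 * attribute should deny access, not silently grant it.
 */
function requiredAttribute(array $attributes, string $name): ?string
{
    return isset($attributes[$name][0]) && $attributes[$name][0] !== ''
        ? $attributes[$name][0]
        : null;
}

$uid = requiredAttribute($attributes, 'uid'); // attribute name assumed
$affiliations = $attributes['eduPersonAffiliation'] ?? []; // assumed

// Least privilege: authentication alone is not authorization. Only
// members of an allowed affiliation may use this application.
$allowed = ['staff', 'employee']; // assumed policy for this app
if ($uid === null || count(array_intersect($allowed, $affiliations)) === 0) {
    http_response_code(403);
    exit('Access denied.');
}

// Attribute values come from a remote party; escape before rendering.
$safeUid = htmlspecialchars($uid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$logoutUrl = htmlspecialchars(
    $as->getLogoutURL('https://service.example.org/app/bye.php'), // assumed
    ENT_QUOTES | ENT_HTML5,
    'UTF-8'
);

echo "<p>Signed in as {$safeUid}.</p>";
echo "<p><a href=\"{$logoutUrl}\">Log out</a></p>";
```

Because `requireAuth()` relies on SimpleSAMLphp's own session and cookies, the same session-management settings Peter links to (cookie domain, path and secure flag, and the session store) have to match the hostname and scheme the user actually reaches the application on; a mismatch there is the kind of thing that surfaces as the "State information lost" error from the first message.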