How to bypass the discovery page? ("Select your identity provider")


Martyn Bissett

Jan 23, 2015, 3:08:26 AM
to simple...@googlegroups.com
Hi, if I clear my cookies (so as to simulate a new user coming to the site), when I am redirected to the IdP to log in I'm presented with "Select your identity provider" (this is the discovery page, right?). How do I bypass this page? I don't want new users to have to select it. I've read it's something to do with discoURL in the SP's config/authsources.php .. is that right? Only, mine is set to NULL:

'myproject-dev' => array(
    'saml:SP',
    'entityID' => 'myproject-dev',
    'idp' => null,
    'discoURL' => null,
),


How can I bypass this screen so first-time users, like returning users, see only the login page? Thanks

Peter Schober

Jan 23, 2015, 6:55:43 AM
to simple...@googlegroups.com
* Martyn Bissett <marty...@gmail.com> [2015-01-23 09:08]:
> How can I bypass this screen so first tme users, like returning
> users, see only the login page?

If you don't have to ask users which IDP they'd like to use, that means
you already know the IDP and it is only one, i.e., always the same for
everyone.
In that case sending them to an IDP discovery service (even the
built-in one) is nonsensical, of course.
Just set the 'idp' key in that case, as is explained by the comment
above it.
-peter

jmanuel...@gmail.com

Dec 17, 2019, 5:17:32 AM
to SimpleSAMLphp
Hi,

I am struggling to figure out how to skip this screen too, but without success.

I have only one IDP configured and discoURL to null.

In saml20-idp-remote.php I only have one metadata entry, and only one entry in authsources.php.

The strange thing is that the same configuration on a different machine is not asking to select the IDP. The only difference is that one is connected to the internet, but the one which asks to select the IDP is only on the intranet (not able to receive external connections). Could that be the reason why the discovery process fails and the user is then forced to select the IDP?


On Friday, January 23, 2015, 12:55:43 (UTC+1), Peter Schober wrote:
* Martyn Bissett <mart...@gmail.com> [2015-01-23 09:08]:

Peter Schober

Dec 17, 2019, 6:16:11 AM
to SimpleSAMLphp
* jmanuel...@gmail.com <jmanuel...@gmail.com> [2019-12-17 11:17]:
> I am struggling to figure out how to skip this screen too, but without
> success.
>
> I have only one IDP configured and discoURL to null.
>
> In saml20-idp-remote.php I only have one metadata entry and only one entry
> in authsources.php

The only thing that's relevant here is the 'idp' setting on your SAML
SP authsource:

https://github.com/simplesamlphp/simplesamlphp/blob/master/config-templates/authsources.php#L23

-peter

J. Manuel Velasco

Dec 17, 2019, 6:47:08 AM
to SimpleSAMLphp
Hi Peter, thanks for your reply.

So I have set this parameter to the IDP URL, but the dropdown is still displayed even though it has only one value.
Other thoughts? Nothing to do with the fact that this machine is not connected to the internet?

Thanks for your time,
·_-

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:

https://simplesamlphp.org/support

Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.

Make sure to read the documentation:

https://simplesamlphp.org/docs/stable/

If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:

http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/OoOcArCEGgs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlph...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/simplesamlphp/20191217111608.cl7r7hkynzilkkpo%40aco.net.

Jaime Pérez Crespo

Dec 17, 2019, 6:55:51 AM
to noreply-spamdigest via SimpleSAMLphp
Hi,

On 17 Dec 2019, at 12:46, J. Manuel Velasco <jmanuel...@gmail.com> wrote:
> Hi Peter, thanks for your reply.
>
> So I have set this parameter with the IDP url, but the dropdown is still displayed even if it has only one value.
> Other thoughts ? Nothing to view with the case this machine is not connected to internet?

There’s no back channel communication between SAML entities. The only network connection needed here is from your web browser to the SP / IdP.

Regarding the value you set in the “idp” configuration option of your SAML auth source, that needs to be the entityID of the IdP you want to use, exactly as it is defined in the $metadata array.

--
Jaime Pérez
Uninett / Feide

PGP: 9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
https://keybase.io/jaimeperez

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Peter Schober

Dec 17, 2019, 7:08:35 AM
to SimpleSAMLphp
* J. Manuel Velasco <jmanuel...@gmail.com> [2019-12-17 12:47]:
> So I have set this parameter with the IDP url, but the dropdown is still
> displayed even if it has only one value.

Whatever "the IDP url" is, it's probably not the IDP's entityID, as it
should be.

-peter

J. Manuel Velasco

Dec 18, 2019, 3:55:12 AM
to SimpleSAMLphp
Hi (hola:), thanks for trying to help here.

It might be another reason, I have triple checked the authsources definition, the idp array element is exactly the entityID defined in the metadata.  
However the "Select your provider" screen is shown before the user can set the login.

As I said before, what I don't understand (besides a thousand other things) is that we have configured another SP in another environment and the "select your provider" step is not displayed. As far as I remember the IdP has both SPs configured, one we use in DEV and the other one in PROD. The DEV one is asking to select the provider.

Now I am going to use our DEV machine to deploy an internal application, so I am trying to skip the "select your provider" screen because real users will face it, and it won't be nice to have to explain that they have to click on the "Select" button before going to the login step.

I am happy to share more information as long as it won't compromise the security of our installation.

Hope anyone can give me the hint.

Thanks a lot for your time,
·_-


Peter Schober

Dec 18, 2019, 4:38:53 AM
to SimpleSAMLphp
* J. Manuel Velasco <jmanuel...@gmail.com> [2019-12-18 09:55]:
> It might be another reason, I have triple checked the authsources
> definition, the idp array element is exactly the entityID defined in the
> metadata.

What "idp array element"? I see no array here:
https://github.com/simplesamlphp/simplesamlphp/blob/master/config-templates/authsources.php#L23

It's probably best you posted your actual config: At least the
entityID of your IDP (from saml20-idp-remote.php or wherever you have
it) and the saml:SP authsource from the SP.

> As I said before what I don't understand (beside other thousand
> things) is that we have configured another SP in an other
> environment and "select your provider" step is not displayed.

They're different. If you can't run 'diff' to figure out exactly how,
and you don't provide the actual configuration, what do you expect from
others here?

-peter

Peter Schober

Dec 18, 2019, 4:41:53 AM
to SimpleSAMLphp
* Peter Schober <peter....@univie.ac.at> [2019-12-18 10:38]:
> * J. Manuel Velasco <jmanuel...@gmail.com> [2019-12-18 09:55]:
> > It might be another reason, I have triple checked the authsources
> > definition, the idp array element is exactly the entityID defined in the
> > metadata.
>
> What "idp array element"? I see no array here:
> https://github.com/simplesamlphp/simplesamlphp/blob/master/config-templates/authsources.php#L23
>
> It's probably best you posted your actual config: At least the
> entityID of your IDP (from saml20-idp-remote.php or wherever you have
> it) and the saml:SP authsource from the SP.

Maybe it's not loading the configuration you think it does?
Can you make other changes to config/authsources.php that are picked
up just fine?
Maybe you have SIMPLESAMLPHP_CONFIG_DIR set in the DEV environment
https://simplesamlphp.org/docs/stable/simplesamlphp-install#section_3_3
but you're editing files in the config directory of the installation?

-peter

jmanuel...@gmail.com

Dec 18, 2019, 6:06:01 AM
to SimpleSAMLphp
Hi,

Thanks again for trying to help.

When I said array I meant the associative pair ('idp' => 'http://sts.obs.tv/adfs/services/trust') inside the SP definition, which is an array :) Sorry for the bad explanation.

SIMPLESAMLPHP_CONFIG_DIR is not set for my setup, at least when I echo the constant at www/index.php it says the constant is not defined.
Also, modifying the SP in config/authsources.php to try to figure out which idp value to set up I got errors, so I deduce the config path I am looking at is the correct one.

Here part of the metadata defined at saml20-idp-remote.php

$metadata['http://sts.obs.tv/adfs/services/trust'] = array(
    'entityid' => 'http://sts.obs.tv/adfs/services/trust',
    'contacts' => array(
        0 => array(
            'contactType' => 'support',
        ),
    ),
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => array(
        0 => array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sts.obs.tv/adfs/ls/',
        ),
        ...
    ),
);


And here the full SP definition at config/authsources.php


   
'adfs-sp' => array(
       
'saml:SP',
       
'entityID' => null,
       
'ipd' => 'http://sts.obs.tv/adfs/services/trust',
       
'discoURL' => null,
       
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
       
'encryption.blacklisted-algorithms' => array(),
       
'privatekey' => 'devobstv.pem',
       
'certificate' => 'devobstv.crt',
       
'sign.logout' => TRUE,
       
'redirect.sign' => TRUE,
       
'assertion.encryption' => TRUE,
       
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
       
'NameIDPolicy' => null,


   
),


Hope you can help me to figure out how to sort this out (skip the select provider page).

Thanks a lot for your time,
·_-

jmanuel...@gmail.com

Dec 18, 2019, 7:56:04 AM
to SimpleSAMLphp
Hi again,

This is relevant information from the log:


Dec 18 13:51:17 simplesamlphp DEBUG [ef7371ecb2] Session: 'adfs-sp' not valid because we are not authenticated.
Dec 18 13:51:17 simplesamlphp DEBUG [ef7371ecb2] Session: 'adfs-sp' not valid because we are not authenticated.
Dec 18 13:51:17 simplesamlphp DEBUG [ef7371ecb2] Saved state: '_b20868ae6641a43b28abffc27826e1284c01b8d51c:https://dev-assets.obs.tv/simplesaml/module.php/core/as_login.php?AuthId=adfs-sp&ReturnTo=https%3A%2F%2Fplatformgrid.obs.tv%2Fadmin%2F'
Dec 18 13:51:17 simplesamlphp INFO [ef7371ecb2] idpDisco.saml: Accessing discovery service.
Dec 18 13:51:17 simplesamlphp INFO [ef7371ecb2] idpDisco.saml: returnIdParam initially set to [idpentityid]
Dec 18 13:51:17 simplesamlphp INFO [ef7371ecb2] idpDisco.saml: isPassive initially set to [FALSE]
Dec 18 13:51:17 simplesamlphp INFO [ef7371ecb2] idpDisco.saml: getSelectedIdP() returned null
Dec 18 13:51:17 simplesamlphp DEBUG [ef7371ecb2] Template: Reading [C:\inetpub\wwwroot\simplesamlphp\simplesamlphp\dictionaries/disco]
Dec 18 13:51:17 simplesamlphp INFO [ef7371ecb2] Template: Looking up [idpname_http://sts.obs.tv/adfs/services/trust]: not translated at all.


What I understand is getSelectedIdP is returning null, and probably this is why the select your provider screen is displayed but I don't know (if that would be the source of the issue) why it returns null and how to make it work properly.

Any idea?
Thanks for your time.

Regards,
·_-

jmanuel...@gmail.com

Dec 18, 2019, 8:10:03 AM
to SimpleSAMLphp
Hi once again,

I have enabled DEBUG mode on the system where we are not getting "Select your provider", and I can't see the discovery service being started:

Dec 18 14:03:50 simplesamlphp DEBUG [fa0b51fc49] Session: 'adfs-sp' not valid because we are not authenticated.
Dec 18 14:03:50 simplesamlphp DEBUG [fa0b51fc49] Saved state: '_f5c2206e8ee73dc8e10ef60ac916022e0efd522205'
Dec 18 14:03:50 simplesamlphp DEBUG [fa0b51fc49] Sending SAML 2 AuthnRequest to 'http://sts.obs.tv/adfs/services/trust'
Dec 18 14:03:50 simplesamlphp DEBUG [fa0b51fc49] Sending message:
Dec 18 14:03:50 simplesamlphp DEBUG [fa0b51fc49] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f5c2206e8ee73dc8e10ef60ac916022e0efd522205" Version="2.0" IssueInstant="2019-12-18T13:03:50Z" Destination="https://sts.obs.tv/adfs/ls/" AssertionConsumerServiceURL="https://assets.obs.tv/simplesaml/module.php/saml/sp/saml2-acs.php/adfs-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Dec 18 14:03:50 simplesamlphp DEBUG [fa0b51fc49]   <saml:Issuer>https://assets.obs.tv/simplesaml/module.php/saml/sp/metadata.php/adfs-sp</saml:Issuer>
Dec 18 14:03:50 simplesamlphp DEBUG [fa0b51fc49] </samlp:AuthnRequest>
Dec 18 14:03:50 simplesamlphp DEBUG [fa0b51fc49] Redirect to 951 byte URL: https://sts.obs.tv/adfs/ls/?SAMLRequest=...&Signature=...%3D%3D


I need help.

Thanks,
·_-

Patrick Radtke

Dec 19, 2019, 1:00:28 AM
to SimpleSAMLphp
You wrote "'ipd' => 'http://sts.obs.tv/adfs/services/trust'"
and it should be 'idp'.

The code is not seeing your setting.

- Patrick
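The root cause above, and Jaime's earlier point that 'idp' must be the IdP's entityID exactly as keyed in $metadata, are both things a script can check before any user hits the discovery page. The following lint is an added example written for this thread; it is not code from SimpleSAMLphp or from anyone posting here. It assumes what the stock templates do, namely that config/authsources.php populates $config and metadata/saml20-idp-remote.php populates $metadata; the directory paths, the script name and the helper names are placeholders chosen for the example.

```php
<?php
declare(strict_types=1);

/*
 * lint-authsources.php (added example, not part of SimpleSAMLphp).
 *
 * Finds the three ways an saml:SP authsource silently ends up on the
 * built-in discovery page:
 *   1. the 'idp' key is misspelled ('ipd', 'IdP', ...) and so ignored;
 *   2. neither 'idp' nor 'discoURL' is set;
 *   3. 'idp' is set but does not match any entityID key in $metadata
 *      (typically an SSO endpoint URL was used instead of the entityID).
 */

function looksLikeIdpKey(string $key): bool
{
    $k = strtolower($key);
    $letters = str_split($k);
    sort($letters);
    // case slip ('IdP'), anagram ('ipd', 'pid') or one edit away ('id', 'idpp')
    return $k === 'idp' || implode('', $letters) === 'dip' || levenshtein($k, 'idp') <= 1;
}

function lintSpAuthsources(array $config, array $metadata): array
{
    $findings = [];

    foreach ($config as $authId => $source) {
        if (!is_array($source) || ($source[0] ?? null) !== 'saml:SP') {
            continue; // only saml:SP authsources can reach the discovery page
        }

        // 1. near-miss keys are dropped on the floor without any warning
        foreach (array_keys($source) as $key) {
            if (is_string($key) && $key !== 'idp' && looksLikeIdpKey($key)) {
                $findings[] = "$authId: key '$key' looks like a misspelling of 'idp' and is ignored";
            }
        }

        // 2. nothing pins the IdP: discovery (built-in or discoURL) will run
        $idp = $source['idp'] ?? null;
        if ($idp === null) {
            if (empty($source['discoURL'])) {
                $msg = "$authId: no 'idp' and no 'discoURL', the built-in discovery page will be shown";
                if (count($metadata) === 1) {
                    $msg .= "; with one IdP in metadata set 'idp' => '" . array_key_first($metadata) . "'";
                }
                $findings[] = $msg;
            }
            continue;
        }
        if (!is_string($idp)) {
            $findings[] = "$authId: 'idp' must be a string holding the IdP entityID";
            continue;
        }
        if (isset($metadata[$idp])) {
            continue; // pinned to a known IdP, nothing to report
        }

        // 3. value is not an entityID; say so, and name the IdP if it is one of its endpoints
        $hint = '';
        foreach ($metadata as $entityId => $entry) {
            foreach ($entry['SingleSignOnService'] ?? [] as $endpoint) {
                if (($endpoint['Location'] ?? null) === $idp) {
                    $hint = "; that is the SSO endpoint of '$entityId', use that entityID instead";
                }
            }
        }
        $findings[] = "$authId: 'idp' => '$idp' matches no key in saml20-idp-remote.php$hint";
    }

    return $findings;
}

// Placeholder locations; SimpleSAMLphp honours SIMPLESAMLPHP_CONFIG_DIR, so do the same.
$configDir   = getenv('SIMPLESAMLPHP_CONFIG_DIR') ?: '/var/simplesamlphp/config';
$metadataDir = dirname($configDir) . '/metadata';

$config = [];
require $configDir . '/authsources.php';          // populates $config
$metadata = [];
require $metadataDir . '/saml20-idp-remote.php';  // populates $metadata

$findings = lintSpAuthsources($config, $metadata);
foreach ($findings as $finding) {
    fwrite(STDERR, $finding . PHP_EOL);
}
exit($findings === [] ? 0 : 1);
```

Run it from the installation root (or with SIMPLESAMLPHP_CONFIG_DIR pointing at the real config directory, which also catches Peter's "editing the wrong copy" scenario). Against the 'adfs-sp' block posted above it reports the 'ipd' key as a probable misspelling of 'idp' and, because no 'idp' survives, that the built-in discovery page will be shown for the single IdP in metadata. A non-zero exit code makes it usable as a CI gate for the config repository.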

jmanuel...@gmail.com

Dec 19, 2019, 3:28:55 AM
to SimpleSAMLphp
Hi Patrick,

Wow, what a typo!!! It was in front of my eyes.
Thank you so much to let me know, now it works as expected.

Thank you, thank you, thank you

Best regards,
·_-