Destination in response doesn't match the current URL - ADFS


Marc

Feb 22, 2016, 5:59:24 PM
to SimpleSAMLphp
Hello all,

I am trying to set up SimpleSAMLphp to work with ADFS. I have followed many of the guides on this and the config went smoothly.

However, when testing the auth I keep getting the following:

===================================

Caused by: Exception: Destination in response doesn't match the current URL. Destination is "https://<DOMAIN>:443/module.php/saml/sp/saml2-acs.php/ADFS", current URL is "https://<DOMAIN>:443/simplesamlphp/module.php/saml/sp/saml2-acs.php/ADFS".

===================================

I get sent to ADFS for auth info but get this error when I come back to SimpleSAMLphp.  Any thoughts?  Something must be adding the "/simplesamlphp/" to the URL somehow?

Thanks all.

Marc

Francisco Almeida

Feb 22, 2016, 7:15:49 PM
to SimpleSAMLphp
Hi,

Have you loaded SimpleSAML SP metadata into ADFS?

Regards,

Peter Schober

Feb 23, 2016, 4:38:49 AM
to SimpleSAMLphp
* Marc <hostm...@apexoil.ca> [2016-02-22 23:59]:
> Caused by: Exception: Destination in response doesn't match the current
> URL. Destination is
> "https://<DOMAIN>:443/module.php/saml/sp/saml2-acs.php/ADFS", current URL
> is
> "https://<DOMAIN>:443/simplesamlphp/module.php/saml/sp/saml2-acs.php/ADFS".

Things to check:

1. What is the correct REQUEST_URI to your SimpleSAMLphp's www folder?
I'm guessing the latter, i.e., it is NOT the case that your whole
vhost is aliased/mapped to SimpleSAMLphp (that wouldn't be very
useful).
2. Does your config/config.php set the correct path as baseurlpath?
If in doubt set this to the fully qualified URI, with
https://fqdn/path/to/simplesamlphp
3. Next capture a SAML2.0 authentication request from your installation
(easiest with the "SAMLtracer" Mozilla Firefox extension) and check
the AssertionConsumerServiceURL, whether it's correct as per 1 and 2
4. Once that's correct make sure ADFS has the exact same settings for
your SAML SP, e.g. by giving it SAML2.0 Metadata with correct URLs
and paths everywhere.

-peter
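The checklist above can be scripted. The following is an added example, not code from this thread or from SimpleSAMLphp: it decodes a redirect-binding URL of the kind SAMLtracer shows (step 3), reads the AssertionConsumerServiceURL out of the AuthnRequest, and compares it with the ACS endpoint implied by a configured baseurlpath (step 2) and with the AssertionConsumerService Location in the SP metadata handed to ADFS (step 4). The request and metadata are constructed inline; the host names, the IdP SSO URL and the "ADFS" authsource id are assumptions. The sample metadata is deliberately given the prefix-less URL from the error message quoted above, so the last two checks fail the way the thread describes.

```python
"""Consistency check across the three places the checklist names: the
configured baseurlpath, the AuthnRequest the SP actually sends, and the SP
metadata given to the IdP. Constructed example, not SimpleSAMLphp code."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}


def expected_acs_url(baseurlpath, authsource):
    """ACS endpoint a SimpleSAMLphp install under `baseurlpath` exposes; the
    path layout is the one visible in the error message quoted in the thread."""
    return baseurlpath.rstrip("/") + "/module.php/saml/sp/saml2-acs.php/" + authsource


def acs_from_redirect_url(redirect_url):
    """Decode the SAMLRequest parameter of an HTTP-Redirect binding URL
    (base64 over raw DEFLATE) and return its AssertionConsumerServiceURL."""
    query = parse_qs(urlparse(redirect_url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(deflated, -15)  # -15: raw DEFLATE, no zlib header
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: %s" % root.tag)
    return root.attrib["AssertionConsumerServiceURL"]


def acs_locations_from_metadata(metadata_xml):
    """All AssertionConsumerService Location values in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [el.attrib["Location"] for el in
            root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)]


def check_consistency(baseurlpath, authsource, redirect_url, metadata_xml):
    expected = expected_acs_url(baseurlpath, authsource)
    in_request = acs_from_redirect_url(redirect_url)
    in_metadata = acs_locations_from_metadata(metadata_xml)
    return {
        "expected_acs": expected,
        "request_acs": in_request,
        "metadata_acs": in_metadata,
        "request_matches_config": in_request == expected,
        "metadata_matches_config": expected in in_metadata,
        "request_in_metadata": in_request in in_metadata,
    }


# ---- constructed sample input (assumed values, not captured anywhere) ----
SAMPLE_BASEURLPATH = "https://sp.example.org/simplesamlphp/"
SAMPLE_AUTHSOURCE = "ADFS"
SAMPLE_IDP_SSO = "https://adfs.example.org/adfs/ls/"


def build_redirect_url(idp_sso_url, acs_url):
    """Encode a minimal, unsigned AuthnRequest the way the HTTP-Redirect
    binding does, so the decoder above has something realistic to parse."""
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_abc123" '
        'Version="2.0" IssueInstant="2016-02-22T22:59:24Z" Destination="%s" '
        'AssertionConsumerServiceURL="%s">'
        "<saml:Issuer>https://sp.example.org/simplesamlphp/module.php/saml/sp/metadata.php/ADFS</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ) % (NS["samlp"], NS["saml"], idp_sso_url, acs_url)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    return idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


SAMPLE_REDIRECT_URL = build_redirect_url(
    SAMPLE_IDP_SSO, expected_acs_url(SAMPLE_BASEURLPATH, SAMPLE_AUTHSOURCE))

# Metadata as a misconfigured deployment might hand it to ADFS: the Location
# lacks the /simplesamlphp/ prefix, mirroring the Destination in the error.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/simplesamlphp/module.php/saml/sp/metadata.php/ADFS">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/module.php/saml/sp/saml2-acs.php/ADFS" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def demo():
    return check_consistency(SAMPLE_BASEURLPATH, SAMPLE_AUTHSOURCE,
                             SAMPLE_REDIRECT_URL, SAMPLE_METADATA)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-25s %s" % (key, value))
```

With a real capture, paste the full redirect URL from SAMLtracer into acs_from_redirect_url() and the metadata you exported for ADFS into acs_locations_from_metadata(); all three values have to be identical, byte for byte, before the IdP side is worth looking at.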

Marc

Feb 23, 2016, 12:33:50 PM
to SimpleSAMLphp
Ahh ha.  Looks like this is an issue with the way my hosting provider has to set things up.

As I am only able to have a vhost for all my sites under SSL, I have to use an .htaccess with rewrite rules, and that looks like what is messing up the URL paths.

for reference I am using Bluehost and this is what they recommend to do for subdomains:

==================================
# Custom subdomain .htaccess SSL + WordPress
RewriteEngine On
RewriteCond %{HTTP_HOST} ^subdomain.maindomain.com$
RewriteCond %{REQUEST_URI} !^/subfolder/
RewriteRule ^(.*)$ /subfolder/$1
RewriteCond %{HTTP_HOST} ^subdomain.maindomain.com$
RewriteRule ^(/)?$ subfolder/index.php [L]
# End custom subdomain .htaccess
        
# Custom maindomain .htaccess WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^(www.)?maindomain.com$
RewriteRule ^index\.php$ - [L]
RewriteCond %{HTTP_HOST} ^(www.)?maindomain.com$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# End custom maindomain .htaccess
==================================

and since simplesamlphp is a subfolder under my main domain....

apparently it is a limitation of WHM on the shared hosting.

grrr.

does that make sense?

Apart from that, my ADFS server can see simpleSAMLphp and can get the metadata, and the URLs all look good in the endpoints, but like I said it could very well be the .htaccess rewrite messing things up.

Thanks all.

Marc

Feb 23, 2016, 1:03:54 PM
to SimpleSAMLphp
Poking in the diags.  I found this:

HTTP_HOST                          <DOMAIN>
HTTPS                              on
SERVER_PROTOCOL                    HTTP/1.0
SERVER_PORT                        443
Utilities_getBaseURL()             https://<DOMAIN>:443/
Utilities_getSelfHost()            <DOMAIN>
Utilities_selfURLhost()            https://<DOMAIN>:443
Utilities_selfURLNoQuery()         https://<DOMAIN>:443/simplesamlphp/admin/hostnames.php
Utilities_getSelfHostWithPath()    <DOMAIN>/
Utilities_getFirstPathElement()    /simplesamlphp
Utilities_selfURL()                https://<DOMAIN>:443/admin/hostnames.php

Might this be where my issues are coming from? It is detecting the subfolder for part of the URL?

Might there be a way to change this?

Thanks.


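The diagnostics above show two different "self URLs" for the same request, one carrying the /simplesamlphp prefix and one not, which is exactly the shape of the Destination mismatch in the first post. The following is an added example, not code from this thread or from SimpleSAMLphp: it rebuilds the current URL from CGI-style server variables two ways, from REQUEST_URI (the path the browser sent) and from SCRIPT_NAME plus PATH_INFO (the path after mod_rewrite has mapped the subdomain root onto a subfolder), and runs a Destination check on a POST-binding SAMLResponse against each. The server variables and the Response are constructed to model the situation in the thread; the host name, paths and the decision to compare URLs with default ports and query strings stripped are this example's assumptions, not a description of how SimpleSAMLphp does it.

```python
"""Destination check for a SAML Response versus the URL it arrived at, with
the "current URL" derived two ways from Apache's server variables.
Constructed example, not SimpleSAMLphp code."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
DEFAULT_PORTS = {"https": 443, "http": 80}


def self_url(server, path_source):
    """Rebuild the request URL from CGI-style variables.

    path_source selects where the path comes from:
      "REQUEST_URI": the path the browser sent, the one a Destination must match
      "SCRIPT_NAME": the rewritten path plus PATH_INFO; under a rewrite into a
                     subfolder this carries a prefix the browser never saw
    The port is kept verbatim, as the diagnostics in this thread show it
    (https://<DOMAIN>:443/...); normalize_url() below deals with that.
    """
    scheme = "https" if server.get("HTTPS", "").lower() == "on" else "http"
    netloc = server["HTTP_HOST"]
    if ":" not in netloc and server.get("SERVER_PORT"):
        netloc += ":" + server["SERVER_PORT"]
    if path_source == "REQUEST_URI":
        path = server["REQUEST_URI"].split("?", 1)[0]
    elif path_source == "SCRIPT_NAME":
        path = server["SCRIPT_NAME"] + server.get("PATH_INFO", "")
    else:
        raise ValueError(path_source)
    return "%s://%s%s" % (scheme, netloc, path)


def normalize_url(url):
    """Canonical form for comparison: lower-case scheme and host, default port
    dropped, query and fragment dropped. The path is compared byte for byte;
    the /simplesamlphp/ prefix versus / is precisely what must be detected."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port
    if port == DEFAULT_PORTS.get(scheme):
        port = None
    netloc = p.hostname or ""
    if port is not None:
        netloc += ":%d" % port
    return urlunsplit((scheme, netloc, p.path, "", ""))


def destination_matches(saml_response_b64, current_url):
    """Decode a POST-binding SAMLResponse form value and compare its Destination
    with the URL it was posted to. A Response without Destination is treated as
    a mismatch here (SAML Core requires the attribute on signed messages)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response: %s" % root.tag)
    dest = root.attrib.get("Destination")
    if dest is None:
        return False
    return normalize_url(dest) == normalize_url(current_url)


# ---- constructed sample input, modelled on the thread, not captured ----
# Browser requested https://sp.example.org/module.php/saml/sp/saml2-acs.php/ADFS;
# .htaccess rewrote it into /simplesamlphp/... inside the main domain's docroot.
SAMPLE_SERVER = {
    "HTTP_HOST": "sp.example.org",
    "HTTPS": "on",
    "SERVER_PORT": "443",
    "REQUEST_URI": "/module.php/saml/sp/saml2-acs.php/ADFS",
    "SCRIPT_NAME": "/simplesamlphp/module.php",
    "PATH_INFO": "/saml/sp/saml2-acs.php/ADFS",
}

# Response the IdP posts back; Destination is the ACS URL from the AuthnRequest,
# port written out as in the thread's error message.
SAMPLE_RESPONSE = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" '
    b'Version="2.0" IssueInstant="2016-02-22T23:00:00Z" InResponseTo="_abc123" '
    b'Destination="https://sp.example.org:443/module.php/saml/sp/saml2-acs.php/ADFS">'
    b'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    b'</samlp:Status></samlp:Response>').decode()

# Same Response with the Destination attribute missing.
SAMPLE_RESPONSE_NO_DEST = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" '
    b'Version="2.0" IssueInstant="2016-02-22T23:00:00Z"/>').decode()


def demo():
    """Run the check with both URL derivations; returns {path_source: matched}."""
    return {src: destination_matches(SAMPLE_RESPONSE, self_url(SAMPLE_SERVER, src))
            for src in ("REQUEST_URI", "SCRIPT_NAME")}


if __name__ == "__main__":
    for src in ("REQUEST_URI", "SCRIPT_NAME"):
        print("%-12s %s" % (src, self_url(SAMPLE_SERVER, src)))
    print(demo())
```

The REQUEST_URI derivation matches the Destination and the SCRIPT_NAME one does not, which is the error from the first post reproduced. The check itself is doing its job: a Response whose Destination names a URL other than the one it was delivered to must be rejected, so the fix belongs in how the SP learns its own URL (baseurlpath, or the rewrite rules), not in loosening the comparison.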

Peter Schober

Feb 23, 2016, 1:07:23 PM
to SimpleSAMLphp
* Marc <hostm...@apexoil.ca> [2016-02-23 18:33]:
> Ahh ha. Looks like this is an issue with the way my hosting provider has
> to set things up.
>
> As I am only able to have vhost for all my sites under SSL I have to use an
> .htaccess with rewrite rules and that is what looks like is messing up the
> URL paths.
>
> for reference I am using Bluehost and this is what they recommend to do for
> subdomains:

Given the lack of technical detail you provided, what do you expect
from us here? We don't know whether you're using a "subdomain" or
"maindomain" as per that hoster's documentation or whether and how
you've followed those "recommendations".
Anyway, given the checklist I provided and the documentation from
your hoster you should be able to figure this out.
There's nothing specific to SimpleSAMLphp here, AFAICT.

The only thing SAML cares about in this regard is that the locations
match up, i.e., that what your browser sees as the URL for a protocol
endpoint matches what the authn request specifies and that both match
what the SAML Metadata contains.
-peter

Marc

Feb 23, 2016, 2:34:20 PM
to SimpleSAMLphp, peter....@univie.ac.at
Sorry Peter,

I do not mean to demand support.

I was hoping to find some pointers as to what to look for and you provided that and for that I am very grateful.

My understanding of simpleSAML is very limited, and I know not all hosting providers are the same and there is no expectation that you guys should know how they all work.

I am very pleased with the product, and the other times I have set it up there have been no issues at all; I just followed the great documentation and it all worked out.

With your pointers for help I was able to find that in the lib/SimpleSAML/Utils/HTTP.php file I needed to adjust the getSelfURLNoQuery() function to add in a str_replace() around the $_SERVER['SCRIPT_NAME'] to correct the URL it was using, because of the way I have to use simpleSAML with this host.

All is working now 100% and no more errors.

I really do appreciate the help.  

I hope you all have a great day.

Peter Schober

Feb 23, 2016, 2:42:32 PM
to SimpleSAMLphp
* Marc <hostm...@apexoil.ca> [2016-02-23 20:34]:
> With your pointers for help I was able to find that in the
> lib/SimpleSAML/Utils/HTTP.php file where I needed to adjust the
> getSelfURLNoQuery() function to add in a str_replace() around
> the $_SERVER['SCRIPT_NAME'] to correct the URL it was using because of the
> way I have to use simpleSAML with this host.

OK. Since SSP provided the 'baseurlpath' config parameter I never had
to hack that file, but maybe that doesn't account for all kinds of
rewriting weirdness. Glad you could make it work, though you're now
running a fork.
-peter