Help with why SSP isn't working on nginx?


surfr...@surfrock66.com

Jan 11, 2022, 3:12:53 PM
to SimpleSAMLphp
I have an SSP environment that has worked well for years; I just patched all our sites to 1.19.4.  My IdP is an IIS server and my SPs are IIS or usually apache2 when on Linux.  All work well.

I am developing a webapp which requires a proxied turnserver, and between coturn and haproxy I am not finding a working config for apache2, but there are several documented nginx configurations, so we are testing it out; none of us have much nginx experience.  This is an Ubuntu 20.04.3 LTS server with php7.4, apache2 2.4.41, nginx 1.18.0.

Things work, except for SSP when the web server is nginx; it works fine in apache.  When I go to the site, I get the saml login.  Once I login, I get redirected to the following URL:


Which returns a white page saying "File not found."  If I remove the SSP autoload and require auth, the app functions as expected, so php processing is working. 

The php error logs show nothing at all, no entries from the day.  The nginx error logs show nothing.  

My web root is /var/www and my sp is /var/www/simplesaml.  My default server, running on 443, looks like this:

server {
        listen 443 ssl;
        ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
        server_name appdev.orgname.org;
        access_log /var/log/nginx/access.log;
        error_log  /var/log/nginx/error.log info;
        keepalive_timeout 75 75;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /etc/ssl/certs/cert.crt;
        ssl_certificate_key /etc/ssl/private/key.key;
        ssl_session_timeout  5m;
        add_header Strict-Transport-Security "max-age=7200";
        root /var/www;
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.php index.nginx-debian.html;
        location ^~ /simplesaml {
            alias /var/www/simplesaml/www;
            location ~^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
                include          fastcgi_params;
                fastcgi_pass unix:/run/php/php-fpm.sock;
                fastcgi_param SCRIPT_FILENAME /simplesaml$phpfile;
                #fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
                # Must be prepended with the baseurlpath
                fastcgi_param SCRIPT_NAME /simplesaml$phpfile;
                fastcgi_param PATH_INFO $pathinfo if_not_empty;
            }
        }
        location / {
                try_files $uri $uri/ =404;
        }
        location ~ [^/]\.php(/|$) {
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                if (!-f $document_root$fastcgi_script_name) {
                        return 404;
                }
                fastcgi_param HTTP_PROXY "";
                fastcgi_pass unix:/run/php/php-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
        location ~ /\.ht {
                deny all;
        }
}

We've been throwing config tweaks at this for days, but we're stuck.  Any help would be appreciated!

pra...@gmail.com

Jan 12, 2022, 6:35:42 PM
to SimpleSAMLphp

The ACS URL, https://appdev.orgname.org/simplesaml/www/module.php/saml/sp/saml2-acs.php/orgprefix-sp-appname, shouldn't have a 'www/' in it.
What is the value for baseurlpath in your config.php?

I'm not familiar with nginx config, but I would suggest installing SSP outside of web root to prevent a server misconfiguration from exposing your SAML keys, or any other secrets.

- Patrick
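Added example (not part of the thread and not the SimpleSAMLphp project's own configuration): a server block that applies the two points in the reply above for SSP 1.19 on nginx. It assumes the SSP checkout lives at /var/simplesamlphp, outside the /var/www web root, so that only its www/ directory is ever mapped to a URL and cert/, config/ and metadata/ can never be served; it also assumes config.php sets 'baseurlpath' => 'simplesaml/', which is what makes the generated ACS URL come out without a www/ segment. The hostname, web root and PHP-FPM socket are taken from the original post. Apart from the install path, the functional difference from the posted block is SCRIPT_FILENAME: PHP-FPM opens that value as a filesystem path, so it has to be $document_root$phpfile (the line the post had commented out); a value like /simplesaml/module.php is not a file on disk, which is exactly the case in which PHP-FPM answers with a bare "File not found.".

```nginx
# Added example, not from the thread. Assumed layout:
#   /var/simplesamlphp          SSP 1.19 checkout (outside the web root)
#   /var/simplesamlphp/www      the only directory exposed over HTTP
#   /var/www                    the application's web root (from the post)
# Assumed matching line in /var/simplesamlphp/config/config.php:
#   'baseurlpath' => 'simplesaml/',
# so SSP emits https://appdev.orgname.org/simplesaml/module.php/... (no "www/").

server {
    listen 443 ssl;
    server_name appdev.orgname.org;
    ssl_certificate     /etc/ssl/certs/cert.crt;
    ssl_certificate_key /etc/ssl/private/key.key;
    root  /var/www;
    index index.php index.html;

    # Everything under /simplesaml is served from SSP's www/ directory only.
    # Keep location and alias both WITHOUT a trailing slash (or both with one):
    # a slash-less location paired with a slash-terminated alias lets a request
    # for /simplesaml../ be mapped to the alias's parent directory.
    location ^~ /simplesaml {
        alias /var/simplesamlphp/www;

        # PHP scripts with optional PATH_INFO, e.g.
        # /simplesaml/module.php/saml/sp/saml2-acs.php/<authsource>
        #   prefix   = /simplesaml
        #   phpfile  = /module.php
        #   pathinfo = /saml/sp/saml2-acs.php/<authsource>
        location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php-fpm.sock;

            # The alias above is inherited here, so $document_root is
            # /var/simplesamlphp/www and SCRIPT_FILENAME becomes an absolute
            # path PHP-FPM can open, e.g. /var/simplesamlphp/www/module.php.
            fastcgi_param SCRIPT_FILENAME $document_root$phpfile;

            # SCRIPT_NAME must carry the baseurlpath prefix so SSP builds
            # correct self-referencing URLs (ACS, metadata, logout).
            fastcgi_param SCRIPT_NAME /simplesaml$phpfile;
            fastcgi_param PATH_INFO   $pathinfo if_not_empty;

            # Never forward a client-supplied Proxy: header into PHP (httpoxy).
            fastcgi_param HTTP_PROXY "";
        }
    }

    # The application itself lives in /var/www.
    location / {
        try_files $uri $uri/ =404;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}
```

After reloading nginx, a request for https://appdev.orgname.org/simplesaml/module.php/core/frontpage_welcome.php should render SSP's front page; if PHP-FPM still returns "File not found.", check the nginx error log at info level for a "Primary script unknown" line from FastCGI, which names the SCRIPT_FILENAME that could not be opened.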