Question about simpleSAMLphp SP and IdP Integration.


Eric H

Jul 7, 2013, 8:35:45 AM
to simple...@googlegroups.com

Hello,

I am a new learner for SAML and PHP and I want to get some help from you on my way to learn these exciting techniques. 

My experience has told me that the best way to learn is to practice and build stuff. So... I am running two simpleSAMLphp instances (one for the SP and one for the IdP) and playing around with SSO. My IdP uses OpenLDAP for authorization.

I started from the following PHP code, putting it in an example.php file, placing that file under Apache httpd and visiting it from a browser:

<?php
// Autoloader path as in the simpleSAMLphp SP quickstart; adjust to your install.
require_once('/var/simplesamlphp/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('example-sp');
$as->requireAuth();
$attr = $as->getAttributes();
print ………..

It appears that the authentication request was able to be sent from the SP to the IdP, and here is the SP log:

Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Session: 'example-sp' not valid because we are not authenticated.
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Saved state: '_04c9e1a8c58932ab2d79c179a90d4e9c88e9c693f3'
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Sending SAML 2 AuthnRequest to 'https://idp.example.com/simplesaml/saml2/idp/metadata.php'
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Sending message:
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76]
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] example-sp-host
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76]
Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76]

Then in the IdP log I see the following (it appears that the IdP was able to receive the request):

Jul 06 19:56:06 simplesamlphp INFO [37f32bab7b] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] Received message:
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b]
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b] example-sp-host
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b]
Jul 06 19:56:06 simplesamlphp DEBUG [37f32bab7b]

Then in the SP log I see the following:

Jul 06 19:56:06 simplesamlphp DEBUG [a08a5cff76] Redirect to 636 byte URL: https://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVLfb4IwEP5XSN8RRKfQAInTLDNxk4jbw16WWs7RBFrWK%2Fvx36%2BAi%2B5hJs1dcnff912%2FNkZWVw1dtKaUO3hvAY3zVVcSad9ISKslVQwFUslqQGo4zRcPGxqMfNpoZRRXFbmAXEcwRNBGKEmc9Sohr%2F6URzBmIb8Jo0nADkExj%2Fh4HrHIL6YQ8TC0YRZNjhPiPINGi0yIJbJwxBbWEg2Txpb88cT15%2FbsfZ%2BOZzQIX4izsrcRkpkeVRrTIPU8UTQjKHWp0Iy4qj0UdVNBt7rXhaAb8PJ8m4P%2BEBxGTdkQZ%2FG791JJbGvQp%2B7TbnNmxn%2BJa1W0VU%2FlDUJDDlzGsa%2BecC5arezk6q2QhZBv1w09DENI7%2Ff7zM22%2BZ6kccdNe4N0emZ2uxx7l814eP1HS7teZaoS%2FNu5U7pm5rpqVxGFe%2BxHqdFMogBprE9VpT6XGpiBhBjdAvHSQfLvH0t%2FAA%3D%3D&RelayState=https%3A%2F%2Fsp.example.com%2Fexample.php

But in my browser I got the following error:

The website encountered an error while retrieving https://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVLfb4IwEP5XSN8RRKfQAInTLDNxk4jbw16WWs7RBFrWK%2Fvx36%2BAi%2B5hJs1dcnff912%2FNkZWVw1dtKaUO3hvAY3zVVcSad9ISKslVQwFUslqQGo4zRcPGxqMfNpoZRRXFbmAXEcwRNBGKEmc9Sohr%2F6URzBmIb8Jo0nADkExj%2Fh4HrHIL6YQ8TC0YRZNjhPiPINGi0yIJbJwxBbWEg2Txpb88cT15%2FbsfZ%2BOZzQIX4izsrcRkpkeVRrTIPU8UTQjKHWp0Iy4qj0UdVNBt7rXhaAb8PJ8m4P%2BEBxGTdkQZ%2FG791JJbGvQp%2B7TbnNmxn%2BJa1W0VU%2FlDUJDDlzGsa%2BecC5arezk6q2QhZBv1w09DENI7%2Ff7zM22%2BZ6kccdNe4N0emZ2uxx7l814eP1HS7teZaoS%2FNu5U7pm5rpqVxGFe%2BxHqdFMogBprE9VpT6XGpiBhBjdAvHSQfLvH0t%2FAA%3D%3D&RelayState=https%3A%2F%2Fsp.example.com%2Fexample.php. It may be down for maintenance or configured incorrectly.

Note 1 - I am not sure why the SP log said "Session: 'example-sp' not valid because we are not authenticated". Maybe at that point the security context hasn't been established yet, and that's exactly why we need to execute $as->requireAuth()?

Note 2 - What does the error in browser indicate? Does it mean I have to set up some additional html file or form to enter user name / password for LDAP validation? Any clues on how to set things up?

Note 3 - I had followed most of the setup steps in the simpleSAMLphp quick starts for both the SP and the IdP, except that I haven't changed the 'certFingerprint' value. Not sure if that's why it gave me this issue or not. I have my SP and IdP deployed on the same Amazon EC2 server but using different hostnames. I set up three different hostnames and had GoDaddy.com sign three SSL certificates for me.


thanks!
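As an added illustration of the redirect that the SP log shows (example code written for this thread, not from Eric's setup or from simpleSAMLphp itself), the script below implements the SAML 2.0 HTTP-Redirect binding encoding of the SAMLRequest parameter (raw DEFLATE, then base64, then URL-encoding) and decodes it back, so the AuthnRequest behind a URL like the 636-byte one above can be read in the clear and its Issuer and AssertionConsumerServiceURL compared with what the IdP has registered. The AuthnRequest it builds is a constructed sample; the entity IDs and paths in it are assumptions.

```python
"""Encode/decode the SAMLRequest parameter of a SAML 2.0 HTTP-Redirect URL.

Added example, not code from the thread. The HTTP-Redirect binding sends the
AuthnRequest as raw DEFLATE -> base64 -> URL-encoding; the SP log and the
browser error in the thread both show a URL of exactly that shape.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def encode_redirect_param(xml_text: str) -> str:
    """XML -> raw DEFLATE (no zlib header, hence wbits=-15) -> base64 text."""
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_param(value: str) -> str:
    """Reverse of encode_redirect_param; expects the already URL-decoded value."""
    deflated = base64.b64decode(value)
    return zlib.decompress(deflated, wbits=-15).decode("utf-8")


def parse_sso_url(url: str) -> dict:
    """Split a redirect URL into endpoint, decoded AuthnRequest XML and RelayState."""
    parts = urlparse(url)
    query = parse_qs(parts.query)  # parse_qs undoes the %2F / %3D escaping for us
    return {
        "endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "authn_request": decode_redirect_param(query["SAMLRequest"][0]),
        "relay_state": query.get("RelayState", [None])[0],
    }


def summarize_authn_request(xml_text: str) -> dict:
    """Pull out the fields worth checking against the SP metadata held by the IdP."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
    }


# Constructed sample AuthnRequest modelled on what an SP sends. It is NOT the
# request from the thread's log; that one only appears in encoded form there.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed0001" Version="2.0" IssueInstant="2013-07-06T19:56:06Z" '
    'Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" '
    'AssertionConsumerServiceURL="https://sp.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/example-sp" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com/simplesaml/module.php/saml/sp/metadata.php/example-sp</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def build_sample_url() -> str:
    """Build a redirect URL of the same shape as the one in the SP log."""
    query = urlencode({
        "SAMLRequest": encode_redirect_param(SAMPLE_AUTHN_REQUEST),
        "RelayState": "https://sp.example.com/example.php",
    })
    return "https://idp.example.com/simplesaml/saml2/idp/SSOService.php?" + query


if __name__ == "__main__":
    info = parse_sso_url(build_sample_url())
    print(info["endpoint"])
    print(info["relay_state"])
    print(summarize_authn_request(info["authn_request"]))
```

To inspect a request from a real log, pass the whole "Redirect to ... URL:" value to parse_sso_url; the Issuer must match the entityID of the SP entry in the IdP's saml20-sp-remote.php, and the AssertionConsumerServiceURL must be one the IdP will accept. If the decoded request is well formed and still produces a browser error, the problem is on the IdP virtual host rather than in the SAML message, and the HTTP status code and Apache error log are the next place to look.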

Thijs Kinkhorst

Jul 8, 2013, 4:21:03 AM
to simple...@googlegroups.com
On Sunday, 7 July 2013 14:35:45, Eric H wrote:
> The website encountered an error while retrieving
> https://idp.example.com/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fV
> It may be down for maintenance or configured incorrectly.

> Note 2 - What does
> the error in browser indicate? Does it mean I have to set up some
> additional html file or form to enter user name / password for LDAP
> validation? Any clues on how to set things up?

The error you cite is too vague. Probably Chrome will display the actual HTTP
error code which will give you a hint as to what is wrong: 404, 403, 500, ...
Also, you will find clues in your Apache error log that may enable you to
relate said error to a concrete indication of what is wrong.


Cheers,
Thijs

--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Visiting address > Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl

Eric H

Jul 8, 2013, 4:40:59 PM
to simple...@googlegroups.com, th...@uvt.nl
Thanks Thijs.

Will check your suggestions out.