Connection with AzureAD


Oliver G

Feb 4, 2021, 6:07:15 AM
to SimpleSAMLphp
Hello,
I have a strange issue logging in to AzureAD.
I think the SimpleSamlPhp and the Azure application are correctly configured.
Everything works fine when I follow these steps:
1 - open firefox
3 - close firefox
4 - open firefox
5 - Go to my SP (an index.php with minimal code like step 6 of https://simplesamlphp.org/docs/stable/simplesamlphp-sp):
index.php:

<?php
session_start();
require_once 'lib/_autoload.php';
$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth([
    'ReturnTo' => 'https://my-web-site.com/',
]);
$attrs = $as->getAttributes();
print_r($attrs);

6 - the page redirects to the Microsoft login and then back to my web site and displays the attributes correctly.

The problem is if I skip steps 2 & 3 (the logout process), then the attributes are never displayed; I fall into an infinite loop where my page sends me to the Microsoft login, which sends me back to my page.

I tried several solutions that I could read here and there, like:
- login function instead of requireAuth: the infinite loop
- add the 'isPassive' parameter set to true to the login function: error from the Microsoft login page => AADSTS50058: A silent sign-in request was sent but no user is signed in. (I'm already logged in to AzureAD in another tab)
- I tried the solution on this page https://groups.google.com/g/simplesamlphp/c/k8KSZN916KM/m/3-buwpft0_0J but no better result. The error page was never reached. "if (!$as->isAuthenticated() && !isset($_SESSION['passiveAttempted']))" is always true, so it loops again.
- add the 'ForceAuthn' parameter set to true in authsources.php. With this, Microsoft asks me for login and password each time, but even like this, when it returns to my website, isAuthenticated is still false and getAttributes returns an empty array.

On browsers other than Firefox, like Edge, the problem occurs even with steps 2 & 3.

I surely tried other things that I don't remember. I've been stuck on this problem for several days now and a little help would be extremely appreciated.
Thanks in advance,

Peter Schober

Feb 4, 2021, 8:21:41 AM
to SimpleSAMLphp
* Oliver G <o3.wes...@gmail.com> [2021-02-04 12:07]:
> 5 - Go to my SP (an index.php with minimal code like the step 6
> of https://simplesamlphp.org/docs/stable/simplesamlphp-sp):
> index.php:
>
> <?php
> session_start();

I note that the example code from the documentation does NOT start
with session_start().

-peter

Oliver G

Feb 4, 2021, 8:55:20 AM
to SimpleSAMLphp
Oh yes, you are right, I hadn't noticed that. It remained from my site before I modified it to the minimum for test purposes with SimpleSAMLphp.
So I made a couple of tests after removing the session_start();
Tried the requireAuth and login functions with the parameters ForceAuthn set to true/false and IsPassive set to true/false. IsPassive set to true keeps resulting in this error: "AADSTS50058: A silent sign-in request was sent but no user is signed in."
I even read somewhere that the problem can come from the data storage of SimpleSAMLphp. So I tried to change the 'store.type' in config.php between 'phpsession' and 'sql'. With sql the tables were correctly created in my db and values inserted in them, so I think I configured it correctly.
Well... no luck with that, the same problem persists :(
I checked the SESSION with a print_r($_SESSION); but it's empty as well, just like getAttributes()

Peter Schober

Feb 4, 2021, 9:23:58 AM
to SimpleSAMLphp
* Oliver G <o3.wes...@gmail.com> [2021-02-04 14:55]:
> Oh yes, you are right, I hadn't noticed that. It has remained from my site
> before I modify it to the minimum for test purpose with SimpleSAMLPhp.
> So I made a couple of test after removing the session_start();
> Tried requireAuth and login function with parameters ForceAuthn to
> true/false, IsPassive to true/false. IsPassive to true keep result in this
> error: "AADSTS50058: A silent sign-in request was sent but no user is
> signed in."
> Even read somewhere that the problem can be from data storage of
> SimpleSAMLphp. So I tried to change the 'store.type' in config.php between
> 'phpsession' and 'sql'. With sql the tables were correctly created in my db
> and value inserted in it so i think I configured it correctly.
> Well... no luck about that, the same problem persist :(
> I checked the SESSION with a print_r($_SESSION); but it's empty as well
> like getAttributes()

Sorry, what is "the problem" we're talking about now? You've removed
the session_start() line, left the default session storage type, made
sure no other local code interferes with SSP's use of PHP sessions and
still $as->getAttributes() is empty after initiating a session with
the IDP?

What happens when you test SSO from SSP's built-in web UI, not your
own code?

Setting isPassive requires SAML error handling (AFAIR) so leave that
for later, until everything else works.

-peter

Oliver G

Feb 4, 2021, 10:18:57 AM
to SimpleSAMLphp
Yes, I removed session_start(), set 'store.type' to 'phpsession' and no other code can interfere.
The problem is my IdP sends me back to my SP without asking for my credentials if ForceAuthn is not set, and
isAuthenticated is false and getAttributes empty. If ForceAuthn is set, my IdP asks me to log in, but when it sends
me back to my SP isAuthenticated is still false and getAttributes empty.

When I try with SSP's built-in web page, I see this behaviour:
- On Firefox: seems to work every time, whether already logged in at the IdP or not
- On Edge & Chrome I get: ERR_TOO_MANY_REDIRECTS

What I do:
SSP frontpage -> Authentication tab -> Test configured authentication sources -> admin
-> I log in with the password set in 'auth.adminpassword' from config.php -> return to: Test configured authentication sources
-> default-sp -> IdP login page -> I use my credentials, then it sends me to https://.../module.php/core/authenticate.php?as=default-sp
with all the attributes etc. So it's working fine here on Firefox.

With the other browsers I get the ERR_TOO_MANY_REDIRECTS page when I want to connect to SSP as admin.

I didn't mention it but I'm using SSP 1.19.
I also have one question about the metadata. The documentation of the SimpleSAMLphp Service Provider QuickStart says in step 4
"Exchange metadata with the IdP". I have filled saml20-idp-remote.php with the metadata of my IdP after converting it from XML, but what about
the metadata of my SP? I have it but don't know what to do with it. The documentation says:
"In order to complete the connection between your SP and an IdP, you must exchange the metadata of your SP with the IdP. The metadata of your SP can be found in the Federation tab of the web interface. Copy the SAML 2.0 XML Metadata document automatically generated by SimpleSAMLphp and send it to the administrator of the IdP. You can also send them the dedicated URL of your metadata, so that they can fetch it periodically and obtain automatically any changes that you may perform to your SP."
But I don't know how to use it in my IdP configuration. All I did is set an entityID and a replyURL.

Also it seems like the replyURL is taken from the SP request and not from the IdP, otherwise SSP's built-in web page should not work, since on my IdP the replyURL is set to my index.php and not to the SSP folder?

Peter Schober

Feb 4, 2021, 11:09:33 AM
to SimpleSAMLphp
* Oliver G <o3.wes...@gmail.com> [2021-02-04 16:19]:
> The problem is my IdP send me back to my SP without asking for my
> credentials if ForceAuthn is not set and
> isAuthenticated false and getAttributes empty. If ForceAuthn is set, my IdP
> ask me to login but when it send
> me back to my SP isAuthenticated still false and getAttributes empty.

That's not "a problem" (that your IDP doesn't ask you for credentials
when you don't set ForceAuthn), that's called SSO and usually what
people want.
Also it has nothing to do with isPassive nor should any of that affect
what data the IDP will return or how SSP handles a resulting new session.

> When I try with SSP's built in web page. I see this behaviour:
> - On Edge & Chrome I got : ERR_TOO_MANY_REDIRECTS

No idea how you would manage to achieve that with only these browsers
(SameSite?) but (only) you can check those redirects, e.g. using the
SAMLtracer browser extension (though none of its SAML-decoding
features are required here).

> With the other browser I get the ERR_TOO_MANY_REDIRECTS page when I
> want to connect SSP as admin.

Only using admin auth, not even an external IDP?
That sounds like a server misconfiguration then.

> But don't know how to use it in my IdP configuration. All I did is
> set an entityID and a replyURL.

By definition that depends on the IDP implementation.
Some IDPs simply don't support SAML 2.0 Metadata for configuration,
they force you to understand and "parse" the SP's configuration
details and enter them into some GUI or web UI on the IDP side, often
with made-up/proprietary/arbitrary terminology (so you'll have to guess
what they're actually asking for, when there's a standardized,
machine-readable format that avoids all that).

Case in point: "replyURL" is not a technical term with a definition in
SAML. It's probably one of the ACS URLs for the SP, but then with what
protocol binding? (Being nit-picky here, for WebSSO the binding will
always be HTTP-POST.)

> Also seems like the replyURL is taken from the SP request and not
> from the IdP else SSP's built in web page should not work since on
> my IdP the replyURL is set to my index.php and not on SSP folder?

Per the SAML spec (profiles, 4.1.4.1, lines 594-597 in "merged":
https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf)
the IDP must verify the URL it received as part of the authn request
(sent by the SP, or by some other, possibly nefarious, party).
Provisioning that URL to the IDP out-of-band (whether manually or
automatically via SAML 2.0 Metadata) allows the IDP to do that.

For continued discussion I'd recommend limiting your questions to one
specific thing and then opening another thread about all the other things
in SAML you're wondering about.

-peter
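The IdP-side verification referred to above (SAML 2.0 Profiles 4.1.4.1), as an added Python example that is not code from this thread, from SimpleSAMLphp or from any IdP product: the IdP takes the SP's AssertionConsumerService endpoints from the metadata it was given out-of-band and refuses an AuthnRequest whose Issuer, AssertionConsumerServiceURL or ProtocolBinding does not match them, so a request crafted by another party cannot have the response delivered elsewhere. Metadata, request, host names and the default-sp endpoint paths are constructed samples, not taken from a real deployment.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed ACS URL; the path layout assumes SimpleSAMLphp's default-sp naming.
ACS_URL = "https://my-web-site.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"

# Constructed SP metadata: the document the SP hands the IdP out-of-band.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my-web-site.com/simplesamlphp/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my-web-site.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest, as the IdP sees it after decoding the redirect.
GOOD_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2021-02-04T12:07:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://my-web-site.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
  <saml:Issuer>https://my-web-site.com/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
</samlp:AuthnRequest>"""

# Same request, but naming an endpoint the SP never registered.
UNREGISTERED_ACS_REQUEST = GOOD_REQUEST.replace(ACS_URL, "https://other-host.example/acs")


def registered_acs(metadata_xml):
    """Return (entityID, {(binding, location), ...}) from one SP EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    acs = {(e.get("Binding"), e.get("Location"))
           for e in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)}
    return root.get("entityID"), acs


def check_authn_request(request_xml, metadata_xml):
    """IdP-side check: the Issuer must be the registered SP and the ACS URL and
    binding the request names must be one of its registered endpoints."""
    req = ET.fromstring(request_xml)
    entity_id, acs = registered_acs(metadata_xml)
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != entity_id:
        return False, "issuer %r is not the registered SP" % issuer
    url = req.get("AssertionConsumerServiceURL")
    if url is None:
        # Nothing to verify: the IdP uses the SP's default endpoint from metadata.
        return True, "no ACS URL named; default endpoint from metadata applies"
    binding = req.get("ProtocolBinding", POST)
    if (binding, url) not in acs:
        return False, "ACS %s with binding %s is not registered for this SP" % (url, binding)
    return True, "ACS URL and binding match registered metadata"
```

Because the comparison is exact, an SP whose ACS URL in the IdP's configuration does not match what SimpleSAMLphp actually sends (different host, path or baseurlpath) is rejected by a conforming IdP for the same reason.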

Oliver G

Feb 4, 2021, 11:33:00 AM
to SimpleSAMLphp
Thank you for your answers.
If I have other questions I will open a new thread as suggested.

For this current topic, I think you may have a point with a server misconfiguration. I will search
more in this direction.

We had a misunderstanding about the problem. That my IDP doesn't ask me for credentials
when I don't set ForceAuthn isn't the problem. The problem is that the functions isAuthenticated()
return false and getAttributes() return an empty array regardless of whether credentials are asked for with the
ForceAuthn parameter.
I talked about the ForceAuthn parameter because if I'm not asked for credentials maybe I'm not
logged in, so it would be normal that isAuthenticated() is false.

Peter Schober

Feb 4, 2021, 1:01:06 PM
to SimpleSAMLphp
* Oliver G <o3.wes...@gmail.com> [2021-02-04 17:33]:
> For this current topic, I think you may have a point with a server
> misconfiguration. I will search more in this way.

You could share your technical deployment and configuration details.

> We had a misunderstanding about the problem. That my IDP doesn't ask
> me for credentials when I don't set ForceAuthn isn't the
> problem. The problem is that the functions isAuthenticated() return
> false and getAttributes() return an empty array regardless of asking
> credentials with ForceAuthn parameter.

That's exactly my point: ForcedAuth or not doesn't factor into this at all.

> I talked about the parameter ForceAuthn is because if I'm not asked
> for credentials maybe i'm not logged in so it's normal that
> isAuthenticated() is false.

No. ForcedAuth has nothing to do with your session on the SP side once
you return from the IDP. It's specific to the IDP.

-peter

Oliver G

Feb 5, 2021, 3:24:42 AM
to SimpleSAMLphp
The server that hosts my web application (the SP) is an AWS Amazon EC2 instance on Linux.
The web server software is nginx.
I added these lines to the nginx configuration file, as indicated in the SSP documentation:

location ^~ /simplesamlphp {
    alias /var/www/html/simplesamlphp/www;
    # The prefix must match the baseurlpath configuration option
    location ~ ^(?<prefix>/simplesamlphp)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
        include fastcgi_params;
        fastcgi_pass php-fpm;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$phpfile;

        # Must be prepended with the baseurlpath
        fastcgi_param SCRIPT_NAME /simplesamlphp$phpfile;

        fastcgi_param PATH_INFO $pathinfo if_not_empty;
    }
}

I had to make a slight modification because the script in the documentation didn't work.
I don't know what other information may be relevant. I never had to modify a web server configuration
before and I'm a bit lost on this.

Peter Schober

Feb 5, 2021, 8:28:00 AM
to SimpleSAMLphp
* Oliver G <o3.wes...@gmail.com> [2021-02-05 09:24]:
> I added in the nginx configuration file these lines as indicated in
> the SSP documentation:

I never used Nginx with PHP (or vice versa) so maybe someone else can
help here.

> I had to make a slight modification because the script in the
> documentation didn't work.

Again, zero technical content. What script? What exactly didn't work
and how did you fix it? Obviously you seem to prefer the documentation
to remain broken?

> I don't know what other information may be relevant.

I already suggested looking at the "too many redirects" loop and what
tool to use.
Only you can debug this (since the loop requires logging in at the
IDP, which the people here cannot do for you):
You're looking for a mismatch between HTTP "Cookie" response headers
sent from your web server to your browser and the host name your
browser accesses each time.
Also compare this with the "baseurlpath" in your SSP config.php.

-peter
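One way to do the comparison suggested above, as an added Python example that is not from this thread or from SimpleSAMLphp: given a captured redirect chain (the kind of data SAML-tracer or the browser's network tab shows), it flags every Set-Cookie whose Domain, Path, Secure or SameSite attributes would stop the cookie from being sent back on the next request to the baseurlpath, which is what makes every hop start a fresh session and the loop never end. The capture and cookie values are constructed; the baseurlpath value and the docs' /simplesaml prefix are the ones discussed in the thread.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# The baseurlpath from the thread; the docs' nginx snippet serves SSP under /simplesaml instead.
BASEURLPATH = "https://my-web-site/simplesamlphp/"

# Constructed capture, one redirect hop per entry: (request URL, Set-Cookie header or None).
# Hop 0 scopes the cookie to the docs' /simplesaml path, hop 1 to the configured one.
CAPTURE = [
    ("https://my-web-site/simplesamlphp/module.php/core/frontpage_welcome.php",
     "SimpleSAMLSessionID=c0ffee; Path=/simplesaml; Secure; HttpOnly"),
    ("https://my-web-site/simplesamlphp/module.php/core/loginuserpass.php",
     "SimpleSAMLSessionID=c0ffee; Path=/simplesamlphp; Secure; HttpOnly"),
]


def cookie_problems(request_url, set_cookie, baseurlpath=BASEURLPATH):
    """Reasons a cookie set by this response would not come back on the next
    request to the SSP base path (so the next hop cannot find the session)."""
    problems = []
    if not set_cookie:
        return problems
    u, base = urlparse(request_url), urlparse(baseurlpath)
    jar = SimpleCookie()
    jar.load(set_cookie)
    for name, m in jar.items():
        domain = m["domain"].lstrip(".")
        if domain and u.hostname != domain and not u.hostname.endswith("." + domain):
            problems.append(f"{name}: Domain={domain} does not match host {u.hostname}")
        # RFC 6265 default path: the request path up to (not including) the last '/'.
        path = m["path"] or u.path.rsplit("/", 1)[0] or "/"
        if base.path != path and not base.path.startswith(path.rstrip("/") + "/"):
            problems.append(f"{name}: Path={path} does not cover baseurlpath {base.path}")
        if m["secure"] and u.scheme != "https":
            problems.append(f"{name}: Secure cookie set over {u.scheme}")
        if m["samesite"].lower() == "none" and not m["secure"]:
            problems.append(f"{name}: SameSite=None without Secure is dropped by browsers")
    return problems


def audit(capture, baseurlpath=BASEURLPATH):
    """Findings for a whole redirect chain, including a host name that changes between hops."""
    findings = []
    hosts = sorted({urlparse(url).hostname for url, _ in capture})
    if len(hosts) > 1:
        findings.append("host name changes within the chain: " + ", ".join(hosts))
    for hop, (url, set_cookie) in enumerate(capture):
        findings.extend(f"hop {hop}: {p}" for p in cookie_problems(url, set_cookie, baseurlpath))
    return findings


if __name__ == "__main__":
    for line in audit(CAPTURE):
        print(line)
```

Run against a real capture, an empty result means the cookies are scoped consistently and the loop has another cause (for instance the fastcgi SCRIPT_NAME prefix not matching baseurlpath).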

Oliver G

Feb 5, 2021, 9:35:35 AM
to SimpleSAMLphp
Sorry if I'm not clear enough. I was referring to the script that is given in the documentation.

location ^~ /simplesaml {
    alias /var/simplesamlphp/www;

    location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
        include          fastcgi_params;
        fastcgi_pass     $fastcgi_pass;
        fastcgi_param SCRIPT_FILENAME $document_root$phpfile;

        # Must be prepended with the baseurlpath
        fastcgi_param SCRIPT_NAME /simplesaml$phpfile;

        fastcgi_param PATH_INFO $pathinfo if_not_empty;
    }
}

This is the script given for the nginx config, and it's not broken, since for many users it works well, as I've read in other posts.
I don't know why it's not working for me. I'm still going through the nginx documentation to better understand how its config file works. We can leave that aside for now.

Yes, I installed SAML-tracer in Chrome but couldn't use it yet, because since this morning my site sends me a 504 Gateway Time-out error.

A mismatch between HTTP "Cookie" response headers and the host name? Thanks, I will look for it.
The "baseurlpath" in my SSP config.php is still the default path I set at SSP installation. It looks like "https://my-web-site/simplesamlphp/".
Maybe I have to remove "simplesamlphp/" from it since my SP is my index.php located at "https://my-web-site/"?

Thank you for your help and patience Peter.

Peter Schober

Feb 5, 2021, 10:06:55 AM
to SimpleSAMLphp
* Oliver G <o3.wes...@gmail.com> [2021-02-05 15:35]:
> Sorry if I'm not clear enough. I was referring to the script that is
> given in the documentation.

That's not a "script" (in the conventional sense), but anyway:

> This is the script given for nginx config and it's not broken since
> for many users it works well as I've read in other posts.

Since no one ever supplies specifics (partially due to none of this
being SimpleSAMLphp issues, but probably mostly because people are
lazy/selfish/ignorant/busy) such as exact versions used, that's
possible, though obviously I can't explain why that would be the case.

> The "baseurlpath" in my SSP config.php is still the default path I
> set for SSP installation. It look like
> "https://my-web-site/simplesamlphp/"
> Maybe I had to remove "simplesamlphp/' from it since my SP is my index.php
> located at "https://my-web-site/" ?

It has to be set to the base path where the "www" directory from the
SimpleSAMLphp distribution is available on the web. The documentation
should cover this.
(E.g., I usually make SSP available as /saml or /ssp on my servers.)

-peter

Marco Ferrante

Feb 7, 2021, 9:20:10 AM
to simple...@googlegroups.com
Hi,
try to use a store.type other than phpsession (usually sqlite works
fine in a development environment) and then trace the browser with the
SAML-tracer plugin or similar.

The symptoms are typical of either an interference between ssp and another
application's session or some inconsistencies in the paths of cookie/ssp
config/metadata/acs.

--
Marco Ferrante (ma...@csita.unige.it)
Caposervizio e-learning, multimedia e strumenti web
https://www.aulaweb.unige.it/
tel. 010 209-51521

Università degli Studi di Genova
c/o Palazzo Serra, Piazza Santa Sabina, 2
16124 Genova GE (Italy)
mailto: st...@aulaweb.unige.it

Oliver G

Feb 8, 2021, 3:51:27 AM
to SimpleSAMLphp
Thank you for all your answers.
You have been very helpful.
I will continue to search on my own.

Regards,
