And again: SimpleSAMLphp as SP and ADFS as IdP problem


Kostia Grebelsky

Sep 26, 2013, 10:44:57 AM9/26/13
to simple...@googlegroups.com
Hi,
I have one client working using ADFS and am trying to configure another, and no matter what we attempt we cannot get the two points to talk to each other.
If they attempt to initiate login, I get "Session: 'xxxx-sp' not valid because we are not authenticated"; if I attempt to test, I get the same result. It redirects to the ADFS login screen, which is good so far. The problem is that once the user logs in (even though the user should have already been logged in via the IdP-first flow) I get

"There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem."
I do not believe I am getting a second hit after authentication; they claim they send it to the SP endpoint.
On my side, the only extra thing I had to do to create a new SP (remember, I have this working for another client) was create a new endpoint and a second authentication source, and import their metadata for the IdP configuration entry.
One interesting thing to note: unlike the client it is working for, who imported our SP metadata, they are not able to do this, which makes me think that something is not configured correctly.
Anything I can post to help figure out what the problem is? Anything I or they should check?
Thanks

Peter Schober

Sep 27, 2013, 7:00:07 AM9/27/13
to simple...@googlegroups.com
* Kostia Grebelsky <kos...@gmail.com> [2013-09-26 22:40]:
> Anything I can post to help figure out what the problem is? Anything
> I or they should check?

As far as SSP as an SP is concerned, the IdP implementation is
irrelevant. The SP needs SAML metadata (or SSP's own representation
of that) for the IdP, and possibly configuring that IdP as default (to
avoid discovery); the rest are standardized protocol exchanges.
Without logs, concrete errors or anything technical specific to SSP I
don't see much to go on.
-peter
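The two pieces Peter describes (SSP's own representation of the IdP metadata, plus pinning that IdP on the authentication source so no discovery page is shown) look roughly like this in SimpleSAMLphp 1.x. This is an added illustration, not configuration from the thread or from the SimpleSAMLphp project; the entity IDs, hostnames, certificate data and key file names are placeholders you would replace with your own and with values taken from the ADFS server's FederationMetadata.xml.

```php
<?php
// --- config/authsources.php (SP side) ---
// Placeholders: sp.example.org, adfs.example.com, sp.key / sp.crt in the cert/ directory.
$config = [
    'adfs-client-sp' => [
        'saml:SP',
        // The relying party identifier ADFS will see; it must match the RP trust on the ADFS side.
        'entityID' => 'https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/adfs-client-sp',
        // Pin the IdP so SSP sends the AuthnRequest straight there instead of showing discovery.
        'idp' => 'http://adfs.example.com/adfs/services/trust',
        // SP key pair used to sign AuthnRequests and to decrypt assertions if ADFS encrypts them.
        'privatekey' => 'sp.key',
        'certificate' => 'sp.crt',
        // ADFS relying-party trusts default to SHA-256; older SSP releases sign with SHA-1 unless told otherwise.
        'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ],
];

// --- metadata/saml20-idp-remote.php (the SP's view of the ADFS IdP) ---
// Keyed by the ADFS entity ID, which by default is http://<adfs-fqdn>/adfs/services/trust.
$metadata['http://adfs.example.com/adfs/services/trust'] = [
    'entityid' => 'http://adfs.example.com/adfs/services/trust',
    'name'     => ['en' => 'Example ADFS (placeholder)'],
    // ADFS's passive SAML endpoint; same URL serves SSO and SLO.
    'SingleSignOnService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://adfs.example.com/adfs/ls/',
    ]],
    'SingleLogoutService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://adfs.example.com/adfs/ls/',
    ]],
    // Base64 body (no PEM headers) of the ADFS *token-signing* certificate from FederationMetadata.xml.
    // Placeholder value; SSP verifies every Response/Assertion signature against this.
    'certData' => 'MIIC...placeholder...',
    // Sign AuthnRequests sent to this IdP with the SP key above.
    'sign.authnrequest' => true,
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
];
```

Two practical checks: SSP's admin metadata converter (admin/metadata-converter.php) will turn the ADFS FederationMetadata.xml into the saml20-idp-remote array above, which avoids hand-copying the certificate; and the "reference number" on the generic ADFS error page is logged on the ADFS server itself, in the AD FS Admin event log, where the entry carries the actual reason the Response was not issued, so that is what to ask the IdP party for.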

Kostia Grebelsky

Sep 27, 2013, 12:15:59 PM9/27/13
to simple...@googlegroups.com, peter....@univie.ac.at
Here is what I get on the initial hit from IdP
Sep 27 09:04:46 simplesamlphp DEBUG [da1d06a14d] Session: 'xxxx-sp' not valid because we are not authenticated.
Sep 27 09:04:46 simplesamlphp DEBUG [da1d06a14d] Saved state: '_8e863f41aef1364d3a04d8eb1b8aac0900b0786e46'
Sep 27 09:04:46 simplesamlphp DEBUG [da1d06a14d] Sending SAML 2 AuthnRequest to 'http://adfs.xxxx-us.com/adfs/services/trust'
Sep 27 09:04:46 simplesamlphp DEBUG [da1d06a14d] Sending message:

Not much to go on, I know, but I would have expected the initial request to be authenticated. Clearly the correct authorization source is being attempted. I am trying to get more info from the IdP party and will post it as soon as I have it.

One of the errors they were getting is:

Exception: System.ArgumentException: The 'http://schemas.microsoft.com/ws/2009/12/identityserver/protocols/policystore' namespace is not defined.

I was not aware that we needed to register as an SP provider of some kind? Or does this mean the IdP does not have us registered correctly on their side?