Caused by: SimpleSAML_Error_Exception: URL not allowed:

[Володимир Олійник]

Hi ,everyone

All work fine, but when I push Workplace logout button , it redirect me to https://ssp.somesite.com/simplesaml/saml2/idp/SingleLogoutService.php?ReturnTo=https%3A%2F%2Fcrm.somesite.com%2Fuser%2Flogout

with error text:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SimpleSAML_Error_Exception: URL not allowed: https://crm.somesite.com/user/logout
Backtrace:
1 lib/SimpleSAML/Utils/HTTP.php:375 (SimpleSAML\Utils\HTTP::checkURLAllowed)
0 www/saml2/idp/SingleLogoutService.php:20 (N/A)

Case,all work fine, but sso logout not work fine:

crm.somesite.com  as IdP

ssp.somesite.com as  simplesaml

work-someid.facebook.com as SP

How I can do this domain crm.somesite.com as allowed  ?

Thanks

[Tim van Dijen]

How I can do this domain crm.somesite.com as allowed  ?

Just add it to trusted.url.domains in config.php

[Володимир Олійник]

thank you, it help me.

[Jaime Perez Crespo]

Hi,

On 14 Nov 2017, at 10:16 AM, Tim van Dijen <tvd...@gmail.com> wrote:
>> How I can do this domain crm.somesite.com as allowed ?
>
> Just add it to trusted.url.domains in config.php

Just a comment on this. All domains available in the endpoints registered in the metadata are automatically and transparently whitelisted, so it is not necessary to add domains for remote IdPs / SPs to the list of trusted URL domains.

If doing so is necessary to make things work, that must mean that SimpleSAMLphp is somehow misconfigured.

—
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

[Greg Harvey]

Sorry, I know this is an old thread, but just an addition to this that may help future searchers:

If your SP / IdP uses a non-standard port (in my case I had a CI server on port 8443) it seems the automatic addition of the trusted URL as described by Jaime doesn't work. I presume (without checking) it adds the domain, but not the port - but the matching seems to happen against the entire address *including port*, so this fixed it for me:

    'trusted.url.domains' => array(

        # When using a port other than 443 you need to explicitly trust the domain with port

        'myserver.mydomain.net:8443',

    ),

Thanks,

Greg

[Jaime Pérez Crespo]

Hi Greg,

On 19 Jul 2019, at 13:38, Greg Harvey <greg....@gmail.com> wrote:
> Sorry, I know this is an old thread, but just an addition to this that may help future searchers:
>
> If your SP / IdP uses a non-standard port (in my case I had a CI server on port 8443) it seems the automatic addition of the trusted URL as described by Jaime doesn't work. I presume (without checking) it adds the domain, but not the port - but the matching seems to happen against the entire address *including port*, so this fixed it for me:
>
> 'trusted.url.domains' => array(
> # When using a port other than 443 you need to explicitly trust the domain with port
> 'myserver.mydomain.net:8443',
> ),

If you are running your web server on a non-standard port, then it will be added as well. I’d check the “baseurlpath” configuration option to make sure the port is not overridden there.