Configuration of an IDP proxy


Marc Carrion

Aug 9, 2018, 5:25:38 PM
to SimpleSAMLphp
I'm trying to configure one SimpleSAMLPHP instance to behave as an IDP proxy. 

I'm using docker containers with Apache and SimpleSAMLPHP (/var/simplesamlphp, 1.15.4).

There are two instances called IDP01 and IDP02. Both are configured as IDP and they use example-userpass to authenticate users. You can login to IDP01 as 'marc', and you can login to IDP02 as 'john'. This is tested and working.

There is an instance of an SP, SP01 that uses the default-sp authentication against IDP01. I can login as 'marc' and it's working.

Then there is the instance that is supposed to be the proxy. I called it SAMLPROXY, and it is configured to use both IDP01 and IDP02. When I test the authentication sources from the UI, it works. I can pick IDP01 or IDP02 from a dropdown, and I can only authenticate with the right user in each.

So far everything seems to be working until this point.

I created a new SP instance; this is the one that should use SAMLPROXY as its IDP.

When I try to test default-sp authentication on SP, I get the following error:

Unhandled exception

An unhandled exception was thrown.

If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator:

08da16bb39

Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SimpleSAML_Error_Exception: No such "example-userpass" auth source found.
Backtrace:
2 lib/SimpleSAML/IdP.php:108 (SimpleSAML_IdP::__construct)
1 lib/SimpleSAML/IdP.php:139 (SimpleSAML_IdP::getById)
0 www/saml2/idp/SSOService.php:17 (N/A)

I am not configuring the example-userpass source in either the SP or the SAMLPROXY instances. At this point, I would expect the default-sp authentication from SAMLPROXY to give me the dropdown with the IDPs configured in SAMLPROXY (IDP01 and IDP02). But I get this error instead.

If I enable the example-userpass in SAMLPROXY, then I can authenticate, but it's not using IDP01 or IDP02, just the users I define in the example-userpass section in authsources.php in the SAMLPROXY instance.

Is this a bug, or is there extra configuration that I'm missing to enable this 'proxy' behavior?

Thanks!

Marc

Marc Carrion

Aug 9, 2018, 7:02:35 PM
to SimpleSAMLphp
I may have found the step that I was missing:

"To enable proxy mode you need to tie the SP and IdP together. You can do this by editing the IdP metadata file and setting the auth to the authsource name of the SP. Doing this will tell the IdP to use the SP side for authentication."

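A concrete form of that step for the SAMLPROXY instance, written here as an added example (not code from the thread or from the SimpleSAMLphp project). The key-file names and the entity ID are assumptions; the config layout follows SimpleSAMLphp 1.15's array syntax:

```php
<?php
// Two SimpleSAMLphp config files on the SAMLPROXY instance, shown together.

// --- metadata/saml20-idp-hosted.php ---
// The stock hosted-IdP metadata points 'auth' at 'example-userpass', which is
// why the proxy failed with 'No such "example-userpass" auth source found'
// once that authsource was not defined.
$metadata['__DYNAMIC:1__'] = array(
    'host'        => '__DEFAULT__',
    'privatekey'  => 'proxy-idp.pem',   // assumed file names under cert/
    'certificate' => 'proxy-idp.crt',
    // Tie the IdP side to the SP side: authenticate via the SP authsource.
    'auth'        => 'default-sp',
);

// --- config/authsources.php ---
$config = array(
    'admin' => array('core:AdminPassword'),

    // SP side of the proxy. 'idp' => null means no fixed upstream IdP, so
    // SimpleSAMLphp shows its discovery page (the IDP01/IDP02 dropdown)
    // built from metadata/saml20-idp-remote.php.
    'default-sp' => array(
        'saml:SP',
        'entityID' => 'https://samlproxy.example.org/sp',   // assumed
        'idp'      => null,
        // Key pair for the SP side: upstream IdPs encrypt assertions to this
        // certificate and the proxy decrypts them with the private key before
        // its IdP side re-issues them to the downstream SP.
        'privatekey'  => 'proxy-sp.pem',
        'certificate' => 'proxy-sp.crt',
    ),

    // Deliberately no 'example-userpass' entry here: as noted above, enabling
    // it on the proxy makes it accept the static test users from this file
    // instead of delegating to IDP01/IDP02.
);
```

With 'auth' pointing at 'default-sp', a login request from the downstream SP is forwarded to whichever upstream IdP the user picks, and the proxy's IdP side issues the assertion to the SP afterwards.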
pat...@cirrusidentity.com

Aug 10, 2018, 2:34:27 PM
to SimpleSAMLphp
Hi Marc,

I agree - it sounds like you need to set your proxy IdP auth attribute to the name used in your proxy SP authsources file.
The tutorial you are using was created with SSP 1.14 but everything is still valid in how to set up a proxy.

- Patrick

Marc Carrion

Aug 10, 2018, 2:35:44 PM
to simple...@googlegroups.com
Thanks Patrick, yes that took care of it, I have my setup properly working now.

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlphp+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

yingma

Oct 17, 2018, 11:47:40 AM
to SimpleSAMLphp
Hi,

I'm wondering if SimpleSAMLPHP configured as an IDP proxy can be used for decrypting an encrypted SAML response from an upstream IDP, and passing along the decrypted SAML to a downstream SP without encryption. Our use case here is to integrate Amazon Cognito User Pool with Shibboleth IDP. Although Cognito User Pool supports SAML integration, it doesn't seem to be able to decrypt the response from our Shib IDP, which is always encrypted. By putting the IDP proxy in between, in theory it could solve our problem. If I'm understanding correctly how SimpleSAMLPHP behaves as an IDP proxy, this requires the SP side of the proxy to decrypt the assertion from the Shib IDP, so the IDP side of the proxy can post to Cognito User Pool, which acts as an SP to the proxy, assuming the metadata exchange happens correctly on both sides. Is this doable? We are new to SimpleSAMLPHP so any insight will be very helpful.

Ying Ma

UCLA External Affairs

Tom Scavo

Oct 17, 2018, 12:05:29 PM
to simpleSAMLphp
On Wed, Oct 17, 2018 at 11:47 AM yingma <yin...@g.ucla.edu> wrote:
>
> Our use case here is to integrate Amazon Cognito User Pool with Shibboleth IDP. Although Cognito User Pool supports SAML integration, it doesn’t seem to be able to decrypt the response from our Shib IDP, which is always encrypted. By putting the IDP proxy in between, in theory it could solve our problem.

Yes, that's true but it's probably not necessary. Why not simply
configure the Shibboleth IdP to not encrypt for this particular SP?

Tom

Peter Schober

Oct 17, 2018, 12:13:08 PM
to SimpleSAMLphp
* yingma <yin...@g.ucla.edu> [2018-10-17 17:47]:
> I'm wondering if SimpleSAMLPHP configured as IDP proxy can be used
> for decrypting encrypted SAML response from upstream IDP, and
> passing along the decrypted SAML to downstream SP without
> encryption. Our use case here is to integrate Amazon Cognito User
> Pool with Shibboleth IDP. Although Cognito User Pool supports SAML
> integration, it doesn’t seem to be able to decrypt the response from
> our Shib IDP, which is always encrypted. By putting the IDP proxy in
> between, in theory it could solve our problem.

First I'd make absolute sure that the SP in question cannot work with
encrypted assertions or responses. (Probably by asking the vendor.)

Only if you find that the SP in fact is broken and does not support
encryption, the obvious change to make is to configure the Shibboleth
IDP properly, i.e., to not encrypt anything to that specific SP.
There's certainly no need to stand up a whole IDP proxy!

See the "RelyingPartyByName Example" in the Shib docs for the simplest
case of turning off encryption for one SP or for a manually managed
list of SPs:
https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration#RelyingPartyConfiguration-Overrides
But there are many more ways to do that. This is not the list to
discuss them, though.

-peter

YING MA

Oct 17, 2018, 7:37:35 PM
to simple...@googlegroups.com

Amazon Cognito User Pool itself is an IdP that handles authentication and authorization for all our apps, either built on AWS or using AWS services. Cognito integrates with OAuth, OIDC and SAML IdPs. We are able to get integration working with social logins like Google and Facebook, but not with Shibboleth. As far as we can tell the problem is the encrypted SAML assertion. The idea of setting up a SAML IdP proxy in front of Cognito is so that we can handle SAML assertions (and do stuff we need) from the Shib IdP and possibly Shib IdP #2, #3 down the line. If at the same time this solves the problem with encrypted assertions, we'd prefer the assertion to be encrypted from SAML IdPs, as it's likely that AWS will add encrypted SAML assertion support soon. SimpleSAMLPHP seems like a fit candidate for our use case, and if we can run it in a container on AWS with auto scaling, that'll address the single-point-of-failure issue too.


Ying
