Help with Configuration of Idp and SP on same machine


Gary Gies

Sep 15, 2009, 4:27:42 PM
to simple...@googlegroups.com
I have been struggling with this for a few days and am finally going to ask for help :(

I have installed simplesaml on my linux server here at home.

I have it configured via dynamic dns to be found at https://www.foreverhomeimprovements.com/simplesaml

I have successfully configured it as a SP and have used https://openidp.feide.no as an IdP.

I then wanted to try out having a SP and IdP on my linux server.

Note all testing is done from my browser on this linux server which is known externally as "www.foreverhomeimprovements.com" (dns) and internally as "ultimatelinux" (by my /etc/hosts file)

I read in the documentation that if you have the SP and IdP on the same machine you need to configure them with different hostnames.  Thus, my SP is known as www.foreverhomeimprovements.com and my IdP is known as ultimatelinux.

I get the following error message when trying to authenticate via clicking the button at https://www.foreverhomeimprovements.com/simplesaml/example-simple/saml2-example.php

Unable to locate metadata for 'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/metadata.php' in set 'saml20-sp-remote'.

#0 /var/simplesamlphp/www/saml2/idp/SSOService.php(77): SimpleSAML_Metadata_MetaDataStorageHandler->getMetaData('https://www.for...', 'saml20-sp-remot...')
#1 {main}

I have configured https://www.foreverhomeimprovements.com to be the SP (I think).

My saml2-sp-remote.php looks like this

<?php
$metadata = array(

    'ultimatelinux' => array(
         'AssertionConsumerService' => 'https://ultimatelinux/simplesaml/saml2/sp/AssertionConsumerService.php',
         'SingleLogoutService'      => 'https://ultimatelinux/simplesaml/saml2/sp/SingleLogoutService.php'
    ),

    'www.foreverhomeimprovements.com' => array(
         'AssertionConsumerService' => 'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/AssertionConsumerService.php',
         'SingleLogoutService'      => 'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/SingleLogoutService.php'
    ),
);
?>

I must be missing something really simple ...

Any help would be appreciated.

The log output is below.

Gary

Sep 15 16:18:09 localhost simplesamlphp[27138]: 6 [7dc4d19ba2] idpDisco.saml20: Accessing discovery service.
Sep 15 16:18:09 localhost simplesamlphp[27138]: 6 [7dc4d19ba2] idpDisco.saml20: returnIdParam initially set to [idpentityid]
Sep 15 16:18:09 localhost simplesamlphp[27138]: 6 [7dc4d19ba2] idpDisco.saml20: isPassive initially set to [FALSE]
Sep 15 16:18:09 localhost simplesamlphp[27138]: 6 [7dc4d19ba2] idpDisco.saml20: getSelectedIdP() returned NULL
Sep 15 16:18:09 localhost simplesamlphp[27138]: 6 [7dc4d19ba2] idpDisco.saml20: Preferred IdP from previous use [https://ultimatelinux].
Sep 15 16:18:09 localhost simplesamlphp[27138]: 6 [7dc4d19ba2] Template: Reading [/var/simplesamlphp/dictionaries/disco.php]
Sep 15 16:18:09 localhost simplesamlphp[27138]: 6 [7dc4d19ba2] Template: Adding inline language translation for tag [idpname_https://ultimatelinux]
Sep 15 16:18:09 localhost simplesamlphp[27138]: 6 [7dc4d19ba2] Template: Adding inline language translation for tag [idpdesc_https://ultimatelinux]
Sep 15 16:18:51 localhost simplesamlphp[27135]: 6 [7dc4d19ba2] idpDisco.saml20: Accessing discovery service.
Sep 15 16:18:51 localhost simplesamlphp[27135]: 6 [7dc4d19ba2] idpDisco.saml20: returnIdParam initially set to [idpentityid]
Sep 15 16:18:51 localhost simplesamlphp[27135]: 6 [7dc4d19ba2] idpDisco.saml20: isPassive initially set to [FALSE]
Sep 15 16:18:51 localhost simplesamlphp[27135]: 6 [7dc4d19ba2] idpDisco.saml20: Choice made [https://ultimatelinux] Setting cookie.
Sep 15 16:18:51 localhost simplesamlphp[27135]: 6 [7dc4d19ba2] idpDisco.saml20: Choice made [https://ultimatelinux] (Redirecting the user back. returnIDParam=idpentityid)
Sep 15 16:18:51 localhost simplesamlphp[27136]: 6 [7dc4d19ba2] SAML2.0 - SP.initSSO: Accessing SAML 2.0 SP initSSO script
Sep 15 16:18:51 localhost simplesamlphp[27136]: 6 [7dc4d19ba2] SAML2.0 - SP.initSSO: SP (https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/metadata.php) is sending AuthNRequest to IdP (https://ultimatelinux)
Sep 15 16:18:51 localhost simplesamlphp[27138]: 6 [80fe33ab10] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Sep 15 16:18:51 localhost simplesamlphp[27138]: 3 [80fe33ab10] /simplesaml/saml2/idp/SSOService.php - UserError: ErrCode:PROCESSAUTHNREQUEST: Unable+to+locate+metadata+for+%27https%3A%2F%2Fwww.foreverhomeimprovements.com%2Fsimplesaml%2Fsaml2%2Fsp%2Fmetadata.php%27+in+set+%27saml20-sp-remote%27.
Sep 15 16:18:51 localhost simplesamlphp[27138]: 6 [80fe33ab10] Template: Reading [/var/simplesamlphp/dictionaries/errors.php]

Olav Morken

Sep 16, 2009, 4:05:29 AM
to simple...@googlegroups.com
On Tue, Sep 15, 2009 at 16:27:42 -0400, Gary Gies wrote:
[...]

> I read in the documentation that if you have the SP and Idp on the same
> machine you need to configure them with different hostnames. Thus, my SP is
> known as www.foreverhomeimprovements.com and my Idp is known as
> ultimatelinux.
>
> I get the following error message when trying to authenticate via clicking
> the button at
> https://www.foreverhomeimprovements.com/simplesaml/example-simple/saml2-example.php
>
> Unable to locate metadata for '
> https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/metadata.php' in
> set 'saml20-sp-remote'.
[...]

> I have configured https://www.foreverhomeimprovements.com to be the SP (I
> think).
>
> My saml2-sp-remote.php looks like this
>
> <?php
> $metadata = array(
>
> 'ultimatelinux' => array(
[...]

>
> I must be missing something really simple ...

The problem is that your saml2-sp-remote.php file doesn't contain the
metadata for your SP. From the IdP's point of view, your SP is a remote
SP with the entity id 'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/metadata.php'.

Your saml2-sp-remote.php file should therefore contain a reference to
that SP. Something like:

$metadata = array(
    'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/metadata.php' => array(
        ...,
    ),
);

Conversely, your SP needs the metadata for your IdP in its remote metadata
file ('saml2-idp-remote.php'). This part appears to be correct, since the
error message was generated by the IdP.


--
Olav Morken
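
The lookup Olav describes can be reproduced outside SimpleSAMLphp. The script below is an added example, not code from this thread or from SimpleSAMLphp: it takes the SP entity ID from Gary's SP.initSSO log line, performs the same exact-key lookup the IdP does against a saml20-sp-remote.php array, and, when the lookup fails, explains why. The "before" array is Gary's original file keyed by hostname; the "after" array is the corrected layout Olav suggests. The helper names findSp and diagnose are hypothetical, and the nested-key hint goes slightly beyond Gary's case: it also catches an entity ID that was placed one level too deep instead of as the top-level key. The failure path is the IdP's trust check working as intended; it refuses to issue an assertion to an SP it has no metadata for.

```php
<?php
// Added example (not from the thread or from SimpleSAMLphp). It mimics the
// IdP's lookup in saml20-sp-remote.php: the AuthnRequest carries the SP's
// entity ID, and that exact string must be a top-level key of $metadata.
// Assumptions: the entity ID is the one from Gary's log line; the arrays are
// his original file and the corrected layout Olav describes; findSp and
// diagnose are hypothetical helper names.

// Entity ID the SP sent, taken from the SP.initSSO log line.
$spEntityId = 'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/metadata.php';

// Before: keyed by hostname, which is not what the IdP looks up.
$metadataBefore = array(
    'ultimatelinux' => array(
        'AssertionConsumerService' => 'https://ultimatelinux/simplesaml/saml2/sp/AssertionConsumerService.php',
        'SingleLogoutService'      => 'https://ultimatelinux/simplesaml/saml2/sp/SingleLogoutService.php',
    ),
    'www.foreverhomeimprovements.com' => array(
        'AssertionConsumerService' => 'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/AssertionConsumerService.php',
        'SingleLogoutService'      => 'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/SingleLogoutService.php',
    ),
);

// After: keyed by the SP's entity ID, so the IdP's lookup succeeds.
$metadataAfter = array(
    'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/metadata.php' => array(
        'AssertionConsumerService' => 'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/AssertionConsumerService.php',
        'SingleLogoutService'      => 'https://www.foreverhomeimprovements.com/simplesaml/saml2/sp/SingleLogoutService.php',
    ),
);

/**
 * Exact match on the top-level key, as the IdP does. Returns the SP's
 * metadata array, or NULL when the entity ID is absent (the condition
 * behind "Unable to locate metadata for ...").
 */
function findSp(array $metadata, $entityId)
{
    return array_key_exists($entityId, $metadata) ? $metadata[$entityId] : NULL;
}

/**
 * When the lookup fails, point at the likely misconfiguration: a key that
 * is only the entity ID's hostname, or the entity ID nested one level too
 * deep instead of being the top-level key.
 */
function diagnose(array $metadata, $entityId)
{
    $host  = parse_url($entityId, PHP_URL_HOST);
    $hints = array();
    foreach ($metadata as $key => $entry) {
        if ($key === $host) {
            $hints[] = "key '$key' is only the SP hostname; the IdP matches the full entity ID '$entityId'";
        }
        if (is_array($entry) && array_key_exists($entityId, $entry)) {
            $hints[] = "entity ID is nested under '$key'; it must be the top-level key of \$metadata";
        }
    }
    return $hints;
}

foreach (array('before' => $metadataBefore, 'after' => $metadataAfter) as $label => $metadata) {
    $sp = findSp($metadata, $spEntityId);
    if ($sp === NULL) {
        echo "[$label] Unable to locate metadata for '$spEntityId' in set 'saml20-sp-remote'.\n";
        foreach (diagnose($metadata, $spEntityId) as $hint) {
            echo "  hint: $hint\n";
        }
    } else {
        echo "[$label] found SP; AssertionConsumerService is " . $sp['AssertionConsumerService'] . "\n";
    }
}
```

Run with `php check-sp-remote.php`: the "before" array reproduces the error from the thread together with the hostname hint, and the "after" array resolves to the SP's AssertionConsumerService endpoint.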

Gary Gies

Sep 16, 2009, 6:29:45 PM
to simple...@googlegroups.com
Thank you.  That worked perfectly.

I knew it was something easy.

Shirlei Chaves

Nov 29, 2014, 3:15:49 PM
to simple...@googlegroups.com
Hi Guys!
I'm having a similar problem and digging the net I found this old post... Could some of you help me if this config is still valid for simplesamlphp 1.13?

I am trying to connect a shib sp, so I've configured the file shib13-sp-remote.php like the following:

$metadata['https://<IP>/shibboleth-sp2'] = array(
        'https://<IP>/Shibboleth.sso/Metadata' => array(
                'name' => array(
                        'pt_br' => 'Portal Institucional',
                        'en' => 'Institution Portal',
                ),
                'AssertionConsumerService' => 'http://<IP>/Shibboleth.sso/SAML/POST',
                'audience'                 => 'urn:mace:feide:shiblab',
                'base64attributes'         => FALSE,
        )
);

But when I select the idp to connect, I ended up in the simplesamlphp page saying:

Metadata not found

Unable to locate metadata for 'https://<IP/shibboleth-sp2'

This is most likely a configuration problem on either the service provider or identity provider.


If I connect as administrator, in the simplesamlphp admin page, I can see the shib Idp listed, in the "Shib 1.3 SP Metadata (Trusted)" section. If I click on it, I see a page with its metadata.

Any help would be really appreciated.
Thank you!