Simplesaml + Microsoft multi-tenant not working for external organisation email account


gam...@gmail.com

Feb 20, 2017, 10:22:22 AM
to SimpleSAMLphp

Hello all,

I have set up simplesaml for my application and the following is my problem:

  1. Single Sign On (SSO) works for users in my Microsoft Azure AD.
  2. I enabled Multi-Tenant in my application configuration on Microsoft Azure
  3. SSO fails for users who are not in my AD with "Bad request error".
  4. I contacted Microsoft and we did a trace and it is evident that the users do not hit the endpoints for multi-tenant so they suggested these endpoints:
    a. https://login.microsoftonline.com/external users home tenant guid/saml2?SAMLRequest
    b. https://login.microsoftonline.com/common/saml2?SAMLRequest

I then modified simplesamlphp/metadata/saml20-idp-remote.php and entered endpoint "b" from Microsoft for both SingleSignOnService and SingleLogoutService.

(How do I need to use or configure this endpoint?)

Now the external login works but crashes after the user is authenticated and shows the simplesaml error page with this information:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/www/simplesamlphp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Cannot retrieve metadata for IdP 'https://sts.windows.net/815abe80-2b90-467c-ac5e-b8849851356f/' because it isn't a valid IdP for this SP.
Backtrace:
2 /var/www/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:112 (sspmod_saml_Auth_Source_SP::getIdPMetadata)
1 /var/www/simplesamlphp/modules/saml/www/sp/saml2-acs.php:91 (require)
0 /var/www/simplesamlphp/www/module.php:137 (N/A)

Kindly help.

Best regards,
Manny.

Peter Schober

Feb 20, 2017, 10:45:12 AM
to SimpleSAMLphp
* gam...@gmail.com <gam...@gmail.com> [2017-02-20 16:22]:
> I have setup simplesaml for my application and the following is my problem:
>
> 1. Single Sign On (SSO) works for users in my microsoft azure AD.

With "AD" you mean ADFS, in this case used as a SAML 2.0 Identity Provider?
Otherwise I don't understand who the actors are and in what role.
The error message seems rather clear to me: SSP (acting as SAML SP)
doesn't know about a SAML IDP by the name reported.
-peter

gam...@gmail.com

Feb 20, 2017, 11:28:53 AM
to SimpleSAMLphp, peter....@univie.ac.at
Hello Peter,

Bullet point 1 is not the problem. Bullet point 1 is about users in my organisation: they are able to log in to my application using their Office 365 email accounts.

Now the problem
-----------------------
You have 2 users who want to log in to my application using their Office 365 accounts, e.g. user1@my_organisation.com and user2@your_organisation.com.

Since the application is originally configured on my_organisation.com Azure AD, user1 logs in successfully but user2 gets the error shared above.

Bottom line: how do you configure your multi-tenant application to work with SimpleSAMLphp, using the information I have given in my original post?

Peter Schober

Feb 20, 2017, 11:36:26 AM
to SimpleSAMLphp
* gam...@gmail.com <gam...@gmail.com> [2017-02-20 17:28]:
> Bullet point 1 is not the problem.

*My* problem is trying to understand what any of this means wrt
SimpleSAMLphp and SAML specifically:
To me "AD" is short for "an implementation of an LDAP Directory
Service Agent, by Microsoft Corporation". But then it doesn't make
much sense to talk about "SSO" when all you have is an application
(run locally by you, I believe) and an LDAP server (run on Microsoft's
computers, I believe).
This is why I asked whether you meant "AD" short for "ADFS", which to
me means "an implementation of a SAML 2.0 entity speaking the SAML 2.0
protocol, by Microsoft Corporation".

But since I can't even get my most basic question across there is
little chance anything I say or do will help you solve your problem.

> Bottom line how do you configure your multi-tenant application to
> work with simpleSAMLphp? Using the information I have given in my
> original post.

I would say you follow (or demand from) the vendor generic
instructions in specific terms as defined in the SAML 2.0
specification, detailing who has to send what standardized request
where exactly.
Once you know *what* the vendor wants you to do, this list can help
you to determine *how* to do that with SimpleSAMLphp.
-peter

gam...@gmail.com

Feb 20, 2017, 11:52:00 AM
to SimpleSAMLphp, peter....@univie.ac.at
Hello Peter,

Thanks for your response again.
I am not conversant with the technical terms in setting up Microsoft SSO, the best I can do is explain what I'm working on or doing.

I have an application (not on local machine) on a hosted server.
I have downloaded and installed simplesaml also on the server.
I followed a tutorial to get the metadata from my application on Microsoft Azure AD (Active Directory) and configured federated metadata for simplesaml.
I configured simplesaml config.php and authsource.php to enable internal users to be able to login using their Office 365 account (successful).

So aside from my own authentication and authorisation process on my app, new users who are not part of my organisation can log in using their Microsoft account.
Therefore Microsoft SSO service is responsible for authentication and when simplesaml redirects them back to my app I check for authorisation or authorise them and log them into my app.

This is in simple terms how my flow is, I'm sorry if I cannot use all the technical terms involved but in simple terms this is the flow.
With this explanation I hope my initial post and subsequent ones are clearer.

Best regards,
Manny.

gam...@gmail.com

Feb 20, 2017, 12:04:43 PM
to SimpleSAMLphp, peter....@univie.ac.at
Hello Peter,

The link below should explain the type of setup I've done.


I hope this gives you an idea and you understand my post.

Kindly note that this is working for my internal users at the moment. However, though I have enabled the Multi-Tenant option on Microsoft Azure, I get the error I sent in my original post.

Best regards,
Manny.

Patrick Radtke

Feb 20, 2017, 6:19:16 PM
to SimpleSAMLphp, peter....@univie.ac.at, gam...@gmail.com
Where are you getting Azure AD IdP metadata from?

You would then set the IdP in your authsource to what is from that document.

If the SAML response from Azure AD is using a different IdP entityId then it sounds like MS has some bugs in their multi-tenant SAML setup.

-Patrick

Mawunyo Awoonor

Feb 21, 2017, 4:40:29 AM
to Patrick Radtke, SimpleSAMLphp, peter....@univie.ac.at
Hello Patrick,

I got my initial Azure IdP metadata from Azure classic portal when I created an application under the Active Directory. Then under the "View Endpoints" in Azure classic portal I picked the federated endpoint. 

I just used the xml suggested above from the microsoft documentation to generate a new metadata from https://mydomain/simplesamlphp/admin/metadata-converter.php and updated this file with the output ../simplesamlphp/metadata/saml20-idp-remote.php.

What has changed (nothing really):
1. Internal logins are still successful (accounts in my Azure AD)
2. External logins successful however the error in my initial post still happens i.e. Caused by: SimpleSAML_Error_Exception: Cannot retrieve metadata for IdP 'https://sts.windows.net/815abe80-2b90-467c-ac5e-b8849851356f/' because it isn't a valid IdP for this SP.

Kind regards,
Emmanuel.


Jaime Perez Crespo

Feb 22, 2017, 7:01:39 AM
to SimpleSAMLphp
Hi Emmanuel,

I don't know much about the jargon used by Microsoft either (so for example I don't know what "Microsoft SSO" means, but I would assume it's how they named their SAML2 implementation to add a bit of confusion). In any case, what you are describing sounds like a setup with two different IdPs, one for your local users, and another for external users. If that's the case, you need to import metadata for *both*, instead of changing metadata for one to look like the other. Get the metadata for both SAML2 Identity Providers ("internal" and "external"), parse it with the metadata converter, and paste the results into the metadata/saml20-idp-remote.php file.

On 21 Feb 2017, at 10:40 AM, gam...@gmail.com wrote:
> Hello Patrick,
>
> I got my initial Azure IdP metadata from Azure classic portal when I created an application under the Active Directory. Then under the "View Endpoints" in Azure classic portal I picked the federated endpoint.
>
> I just used the xml suggested above from the microsoft documentation to generate a new metadata from https://mydomain/simplesamlphp/admin/metadata-converter.php and updated this file with the output ../simplesamlphp/metadata/saml20-idp-remote.php.
>
> What has changed (nothing really):
> 1. Internal logins are still successful (accounts in my Azure AD)
> 2. External logins successful however the error in my initial post still happens i.e. Caused by: SimpleSAML_Error_Exception: Cannot retrieve metadata for IdP 'https://sts.windows.net/815abe80-2b90-467c-ac5e-b8849851356f/' because it isn't a valid IdP for this SP.

--
Jaime Pérez
UNINETT / Feide


gam...@gmail.com

Feb 22, 2017, 11:50:18 AM
to SimpleSAMLphp
Hello Jaime,

Thank you for your response. 
Since any random user with Microsoft credentials can come to the app and try to register and log in, it will be difficult to get their federated endpoint and parse the metadata.
Is there a way to configure simplesaml to dynamically use the IpP microsoft sends back after successful login? 

Thank you.

Best regards,
Emmanuel.

PS: I think by SSO they mean Single Sign-On.

pat...@cirrusidentity.com

Feb 22, 2017, 3:00:32 PM
to SimpleSAMLphp, gam...@gmail.com
On Wednesday, February 22, 2017 at 8:50:18 AM UTC-8, gam...@gmail.com wrote:
> Hello Jaime,
>
> Thank you for your response.
> Since any random user with microsoft credentials can come to the app and try to register and login, it will be difficult to get their federated endpoint and parse the metadata.
> Is there a way to configure simplesaml to dynamically use the IpP microsoft sends back after successful login?

Not as a configuration option. You could create your own metadata source that would dynamically pull down the appropriate federation metadata from MS based on the entityId. Azure AD does key rotation and the metadata changes, so you still may run into issues.
A simpler option may be to use the authwindowslive module. MS added support to Live login to allow Azure AD/O365 users to login. It is enabled by default when you register your API credentials/app with Windows Live.

-Patrick

Jaime Perez Crespo

Feb 22, 2017, 5:06:24 PM
to simple...@googlegroups.com
Hi,

On 22 Feb 2017, at 17:50 PM, gam...@gmail.com wrote:
> Hello Jaime,
>
> Thank you for your response.
> Since any random user with microsoft credentials can come to the app and try to register and login, it will be difficult to get their federated endpoint and parse the metadata.
> Is there a way to configure simplesaml to dynamically use the IpP microsoft sends back after successful login?

I think there might be some misunderstanding here (and it's probably on my side). What do you mean by IpP? Is that a typo for IdP? If that's the case, an IdP is an Identity Provider (i.e. Microsoft), not something you send back and forth. You are not supposed to exchange metadata and establish trust for every user. You establish trust with *one* party (i.e. Microsoft here) once by exchanging metadata (and probably by consuming it periodically, but let's not go down that path yet). When trust is established between the two parties, then you just accept SAML responses coming back from the IdP asserting information about individuals. But you need to establish that trust first by exchanging metadata. You can trust multiple IdPs at the same time, of course. In your case, one for your internal users, one for "external".

If they have multiple, random IdPs for their users, and there’s no way for you to know the entityID of the IdP sending assertions to you, well, that would be horribly wrong and broken, so I don’t think that’s the case.

> PS: I think by SSO they mean Single Sign-On.

Yeah, I got that. What puzzles me is the “Microsoft” in front. As far as I know, they are just implementing SSO using the SAML2 standard (well, some parts of it at least). What’s confusing me is their “branding” of something that’s not their own, alongside their renaming of concepts and common language, making it impossible for you to understand (or use) the language the rest of us use, and the other way around. None of that being your fault, of course :-)
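To make the trust point in Jaime's reply and the "dynamic metadata source keyed by entityId" idea in Patrick's concrete, here is an added Python illustration; it is not SimpleSAMLphp's own code. It models the SP side: the Response's Issuer is looked up in the configured IdP metadata and an unknown issuer is rejected with the same error the thread shows, and an allowlisted tenant GUID is mapped to its own metadata document. The tenant GUIDs are constructed and the Azure AD federation-metadata URL pattern is an assumption to verify against your tenant.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Stand-in for metadata/saml20-idp-remote.php: one entry per IdP the SP trusts, keyed by
# entityId. Azure AD uses https://sts.windows.net/<tenant-guid>/ (GUIDs here are constructed).
TRUSTED_IDPS = {
    "https://sts.windows.net/11111111-1111-1111-1111-111111111111/": "internal tenant",
}
AZURE_ISSUER = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$")

# Constructed, unsigned sample Response from a tenant the SP has no metadata for.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/33333333-3333-3333-3333-333333333333/</saml:Issuer>
</samlp:Response>"""


def issuer_of(response_xml: str) -> str:
    """Return the <saml:Issuer> of a SAML 2.0 Response, i.e. the IdP's entityId."""
    root = ET.fromstring(response_xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("Response carries no Issuer")
    return issuer.text.strip()


def lookup_idp(entity_id: str, trusted: dict = TRUSTED_IDPS) -> str:
    """The SP-side trust check behind the error in the thread: an issuer with no
    metadata entry is rejected before any assertion content is used."""
    if entity_id not in trusted:
        raise LookupError(f"Cannot retrieve metadata for IdP '{entity_id}' "
                          "because it isn't a valid IdP for this SP.")
    return trusted[entity_id]


def tenant_metadata_url(entity_id: str, allowed_tenants: set) -> str:
    """For a dynamic metadata source: map an Azure AD issuer to its tenant's federation
    metadata document (URL pattern assumed). Anyone can create an Azure AD tenant, so
    the GUID must still be allowlisted rather than trusted on sight."""
    m = AZURE_ISSUER.match(entity_id)
    if not m:
        raise ValueError(f"{entity_id} is not an Azure AD tenant issuer")
    tenant = m.group(1)
    if tenant not in allowed_tenants:
        raise PermissionError(f"tenant {tenant} is not allowlisted")
    return (f"https://login.microsoftonline.com/{tenant}"
            "/federationmetadata/2007-06/federationmetadata.xml")
```

Because Azure AD rotates signing keys, a dynamic source also has to refresh the fetched metadata rather than cache it forever.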

e...@ki.uk

Feb 23, 2017, 5:28:09 AM
to SimpleSAMLphp
Hello Jaime and Patrick,

Is there free support or commercial support for simplesamlphp?
I would like to call or have someone call me to review my setup.

I'm new to this Azure + simplesamlphp setup and not getting far with all the help you all have given me so far.

Best regards,
Emmanuel.

Federatieve Services - GDI

Feb 23, 2017, 6:32:07 AM
to simple...@googlegroups.com

Hey Emmanuel,


There are several companies that offer commercial support.

See https://simplesamlphp.org/support for this.


- Tim

