Getting SimpleSAML to show a wayf page


Boudewijn Ector

Sep 17, 2009, 10:12:00 AM
to simple...@googlegroups.com
Hi There,


I'm currently hacking on my multiple-authentication project, and I'd
like to use the IdP discovery page from SimpleSAMLphp in order to allow
the user to choose which IdP to use.


I'll just copy paste some authentication code from the current source:

    // Look up the configured authentication source by its ID.
    $as = SimpleSAML_Auth_Source::getById($authId);
    if ($as === NULL) {
        throw new Exception('Invalid authentication source: ' . $authId);
    }

    // Run the source; errors are stored in the auth state and rethrown.
    try {
        $as->authenticate($state);
    } catch (SimpleSAML_Error_Exception $e) {
        SimpleSAML_Auth_State::throwException($state, $e);
    } catch (Exception $e) {
        $e = new SimpleSAML_Error_UnserializableException($e);
        SimpleSAML_Auth_State::throwException($state, $e);
    }
    self::loginCompleted($state);


This is fine, but I'd like SimpleSAMLphp to show the IdP discovery page
in order to change authId into a sensible value.

Can anybody tell me how to do so?
I've been grepping the source for a while, but it's not very clear to
me how this is actually done.

Cheers,

Boudewijn

Olav Morken

Sep 21, 2009, 2:27:43 AM
to simple...@googlegroups.com

It is handled inside the saml (and saml2) authentication sources. They
will send the user to the discovery service page if no IdP is specified.

--
Olav Morken

Boudewijn Ector

Sep 23, 2009, 9:15:15 AM
to simple...@googlegroups.com

>> This is fine, but I'd like SimpleSAMLphp to show the IdP discovery page
>> in order to change authId into a sensible value.
>>
>> Can anybody tell me how to do so?
>> I've been grepping the source for a while, but it's not very clear to
>> me how this is actually done.
>>
>
> It is handled inside the saml (and saml2) authentication sources. They
> will send the user to the discovery service page if no IdP is specified.
>
>
Hi Olav,


Thank you for pointing that out.


So I see that I should create an sspmod_saml2_Auth_Source_SP object,
which I've done, but when calling the constructor of this Object, I need
to pass on some data.


From the javadoc-like documentation at the constructor:

    /**
     * Constructor for SAML 2.0 SP authentication source.
     *
     * @param array $info Information about this authentication source.
     * @param array $config Configuration.
     */


Where do I get these?

I've searched the sources for instantiation of such an object, but I
can't find one of these.

Can you please help me out?

Cheers,

Boudewijn Ector

Boudewijn Ector

Sep 23, 2009, 9:49:59 AM
to simple...@googlegroups.com
In addition to this: I don't understand in what way such an
authentication should be done.
Should I create a Session first?

What's an appropriate flow for such a process?


Boudewijn

Olav Morken

Sep 24, 2009, 2:23:42 AM
to simple...@googlegroups.com
On Wed, Sep 23, 2009 at 15:15:15 +0200, Boudewijn Ector wrote:
> So I see that I should create an sspmod_saml2_Auth_Source_SP object,
> which I've done, but when calling the constructor of this Object, I need
> to pass on some data.
>
>
> From the java-doc like documentation at the contructor:
>
>     /**
>      * Constructor for SAML 2.0 SP authentication source.
>      *
>      * @param array $info Information about this authentication source.
>      * @param array $config Configuration.
>      */
>
>
> Where to get these?
>
> I've searched the sources for instantiation of such an object, but I
> can't find one of these.

They are instantiated by SimpleSAML_Auth_Source::parseAuthSource(...).

--
Olav Morken

Olav Morken

Sep 24, 2009, 2:27:38 AM
to simple...@googlegroups.com
On Wed, Sep 23, 2009 at 15:49:59 +0200, Boudewijn Ector wrote:
> In addition to this: I don't understand in what way such an
> authentication should be done.
> Should I create a Session first?

Sessions are created automatically on-demand.

> What's an appropriate flow for such a process?

Generally, you should not have to call authsources yourself, but if
you are going to do it, take a look at the SimpleSAML_Auth_Default
class, which is the only current caller of the authentication sources.

--
Olav Morken

Stefano Gargiulo

Sep 24, 2009, 9:37:20 AM
to simple...@googlegroups.com
> This is fine, but I'd like SimpleSAMLphp to show the IdP discovery page
> in order to change authId into a sensible value.

Here is the code that I used to get the saml2 IdP list and print it in a dojo combobox to implement a custom discovery service:
http://kenai.com/projects/idemauth/sources/source/content/idemauth/com_idemauth/views/login/tmpl/default_login.php?rev=10

And this is the salient part that gets the IdP list and prints out the values:

    // DS and $imgprefix are defined by the surrounding Joomla component.
    require_once('components'.DS.'com_idemauth'.DS.'simplesamlphp'.DS.'www'.DS.'_include.php');

    $ssamlconfig = SimpleSAML_Configuration::getInstance();

    // Load every remote IdP known to this SP from saml20-idp-remote.
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $metadataSet = $metadata->getList('saml20-idp-remote');

    ...
    ...
    foreach ($metadataSet as $key => $value) {
        // Display name: entity ID, overridden by the English name or the first unkeyed name.
        $name = $key;
        if (isset($value['name']["en"])) {
            $name = $value['name']["en"];
        }
        if (isset($value['name'][0])) {
            $name = $value['name'][0];
        }
        echo ",{name:\"" . $value['entityid'] . "\",label:\"<img src='" . $imgprefix . "components/com_idemauth/resources/images/idem-small.png'/> " . $name . " \"}";
    }

I think that it can be useful for what you want to do.

bye,
Stefano.


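Stefano's snippet above interpolates the entity ID and the display name straight into a JavaScript object literal. Both values come from remote IdP metadata, which the SP operator does not fully control (for instance when it is pulled in by a metadata feed), so a name containing a quote or a tag breaks the page or injects script into the login view. The following is an added example, not code from this thread or from SimpleSAMLphp itself, showing the same list built as escaped JSON. The metadata array is constructed inline to stand in for the result of getList('saml20-idp-remote'); the icon path and the helper names are assumptions.

```php
<?php
// Added example: emit the IdP list for a custom discovery page as JSON,
// escaping everything that came from remote metadata.

/**
 * Pick a display name from one saml20-idp-remote entry, with the same
 * precedence as the snippet in the thread: the first unkeyed name wins,
 * then the English name, then the entity ID. A plain string 'name' is
 * also accepted, since metadata files sometimes use that form.
 */
function idpDisplayName(string $entityId, array $entry): string
{
    if (!isset($entry['name'])) {
        return $entityId;
    }
    $name = $entry['name'];
    if (is_string($name)) {
        return $name;
    }
    if (isset($name[0])) {
        return (string) $name[0];
    }
    if (isset($name['en'])) {
        return (string) $name['en'];
    }
    return $entityId;
}

/**
 * Turn a metadata set (array keyed by entity ID, as returned by
 * SimpleSAML_Metadata_MetaDataStorageHandler::getList()) into a list of
 * {name, label} records for a combobox. The label is HTML because the
 * widget renders an icon in front of the name, so the name is HTML-escaped.
 */
function buildIdpList(array $metadataSet, string $iconUrl): array
{
    $list = [];
    $icon = htmlspecialchars($iconUrl, ENT_QUOTES, 'UTF-8');
    foreach ($metadataSet as $entityId => $entry) {
        $name = idpDisplayName((string) $entityId, $entry);
        $list[] = [
            'name'  => (string) $entityId,
            'label' => '<img src="' . $icon . '"/> ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        ];
    }
    return $list;
}

// Constructed sample metadata shaped like saml20-idp-remote (not real IdPs).
// The third entry carries a hostile display name to show why escaping matters.
$metadataSet = [
    'https://idp.example.edu/saml2/idp/metadata.php' => [
        'entityid' => 'https://idp.example.edu/saml2/idp/metadata.php',
        'name'     => ['en' => 'Example University'],
    ],
    'https://idp.example.org/idp' => [
        'entityid' => 'https://idp.example.org/idp',
        'name'     => ['Example Org (no language key)'],
    ],
    'https://rogue.example.net/idp' => [
        'entityid' => 'https://rogue.example.net/idp',
        'name'     => ['en' => '"}];alert(1);//<script>'],
    ],
];

// Assumed icon path, mirroring the one used in the thread.
$idps = buildIdpList($metadataSet, 'components/com_idemauth/resources/images/idem-small.png');

// json_encode escapes quotes and backslashes; the HEX flags additionally
// encode < > & ' so the document can be embedded in a <script> block or
// fetched by the combobox over XHR without breaking out of the literal.
header('Content-Type: application/json; charset=utf-8');
echo json_encode($idps, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
```

Serving the list as a separate JSON document and letting the page fetch it keeps the data out of the HTML template entirely, which is the simpler property to reason about than escaping inside a hand-built JavaScript string.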
Boudewijn Ector

Sep 24, 2009, 11:12:31 AM
to simple...@googlegroups.com
Stefano Gargiulo wrote:
>> This is fine, but I'd like SimpleSAMLphp to show the IdP discovery page
>> in order to change authId into a sensible value
> Here there is the code that i used for getting the saml2 idp list and
> print it in a dojo combox for implement a custom discovery service:


Thank you for the code, I'll have a look at it tonight.
A colleague of mine pointed out to me that I could use
saml2-example.php, which is located in www/example-simple/

So I read the code, and created this file (in modules/uca/www/index.php):

<?php
require_once('/home/boudewijn/SVN/PoC/ucp5/www/_include.php');

session_cache_limiter('nocache');

$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

/* No valid saml2 session yet: send the user to the SP's SSO initiator
 * and come back to this page afterwards via RelayState.
 */
if (!$session->isValid('saml2')) {
    SimpleSAML_Utilities::redirect(
        '/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
        array('RelayState' => SimpleSAML_Utilities::selfURL())
    );
}

/* Prepare attributes for presentation
 * and call a hook function for organizing the attribute array
 */
$attributes = $session->getAttributes();
$para = array(
    'attributes' => &$attributes
);
SimpleSAML_Module::callHooks('attributepresentation', $para);
?>


When going to the appropriate URL (modules.php/uca/index.php) I see the
SSO page, and I can log in to some other IdP (I've tested using 2 IdPs,
which both work fine!). And after having logged in, I get redirected to
the same page.
This is fine (due to the RelayState stuff), but this implies that the
condition (!$session->isValid('saml2')) is not true, which means that
the session isn't okay (am I correct???).
Also, adding print_r($attributes); does not help.


The SP (ucp5.prutsnet.nl) is added to the saml20-sp-remote metadata file
on the IdP.

Can someone tell me what's going wrong?


The SP is located on :

https://ucp5.prutsnet.nl/modules.php/modules/uca/www/index.php so feel
free to try it yourself.

The IdP's un\pw combo (on ucp1.prutsnet.nl) is the student\studentpass
example, so it should work out fine.


Cheers,


Boudewijn Ector
