SimpleSAML_Error_NoState: NOSTATE in basic configuration


Floe

Mar 27, 2012, 9:24:26 AM
to simpleSAMLphp
Hi,

I'm trying to implement a simple sso-server authentication. Both
the IdP and the SP run on different servers under the same subdomain
(.sso.domain.studio). Currently the process works this far:

1) enter Site without session
2) redirect to SP (initSSO.php)
3) redirect to IdP
4) login, if required
5) redirect to SP (saml2-acs.php)

Then I get the error "SimpleSAML_Error_NoState: NOSTATE".

My current configuration of IdP:

/config/config.php
============================================
...
'session.cookie.path' => '/',
'session.cookie.domain' => '.sso.domain.studio',
'session.phpsession.cookiename' => 'SSOSESSID',
...

/metadata/saml20-sp-remote.php
============================================

$metadata['https://sp.sso.domain.studio/simplesaml/saml2/sp/metadata.php'] = array(
    'AssertionConsumerService' => 'https://sp.sso.domain.studio/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
);

/metadata/saml20-idp-hosted.php
============================================
$metadata['__DYNAMIC:1__'] = array(
'host' => '__DEFAULT__',
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
'auth' => 'example-userpass',
);

At the SP side I link simplesamlphp as alias "simplsaml" into the
original v-host. The index.php code is taken from the
'saml2-example.php'. Here I set the RelayState to this file again.

/config/config.php
============================================
...
'session.cookie.path' => '/',
'session.cookie.domain' => '.sso.domain.studio',
'session.phpsession.cookiename' => 'SSOSESSID',
...


/config/authsources.php
============================================
$config = array(
    'default-sp' => array(
        'saml:SP',
        'entityID' => NULL,
        'idp' => 'https://test.sso.domain.studio/simplesaml/saml2/idp/metadata.php',
        'discoURL' => NULL,
    ),
);

/metadata/saml20-idp-remote.php
============================================
$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',
    'RelayState' => 'https://sp.sso.domain.studio/index.php',
    'AssertionConsumerService' => 'https://sp.sso.domain.studio/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'
);

/metadata/saml20-idp-remote.php
============================================
$metadata['https://ftest.sso.domain.studio/saml2/idp/metadata.php'] = array(
    'name' => array(
        'de' => 'Portal Login',
        'en' => 'Portal Login',
        'no' => 'Portal Login',
    ),
    'description' => 'Here you can login with your account.',
    'SingleSignOnService' => 'https://test.sso.domain.studio/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://test.sso.domain.studio/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
);

With the php_admin_value in the v-host I force the session to the same
cookie domain and path. The debug log shows that the IdP saves the state
at the beginning and deletes it after the login:

/log/simplesamlphp.log
============================================
Mar 27 15:17:01 simplesamlphp DEBUG [119d93ff75] Saved state: '_cdf2d380507404bd9eaf97ee6ab7c71ad20e311266:https://...
...
Mar 27 15:17:11 simplesamlphp DEBUG [119d93ff75] Deleting state: '_cdf2d380507404bd9eaf97ee6ab7c71ad20e311266'

Any ideas how to fix this?

Olav Morken

Mar 29, 2012, 1:58:13 AM
to simple...@googlegroups.com
On Tue, Mar 27, 2012 at 06:24:26 -0700, Floe wrote:
> Hi,
>
> I'm trying to implement a simple sso-server authentication. Both
> the IdP and the SP run on different servers under the same subdomain
> (.sso.domain.studio). Currently the process works this far:
>
> 1) enter Site without session
> 2) redirect to SP (initSSO.php)

This would indicate that you are using the old SP code, but

[...]

> $metadata['https://sp.sso.domain.studio/simplesaml/saml2/sp/metadata.php'] = array(
> 'AssertionConsumerService' => 'https://sp.sso.domain.studio/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',

This is the AssertionConsumerService from the new SP code. If this is
indeed the way you use it, you will get that error from the SP when
it receives the response from the IdP.

You cannot mix the old and new SP. Either use only the old or only the
new.


Best regards,
Olav Morken
UNINETT / Feide

psylovibe

Jan 4, 2013, 10:32:32 AM
to simple...@googlegroups.com, olav....@uninett.no
Same here. I followed the tutorials on setting up an IdP and SP on the same machine for testing purposes, but I am constantly receiving the NOSTATE error.

On Monday, December 31, 2012 7:55:23 PM UTC-5, Jeremy Hutchings wrote:
I'm getting the same in mine. I have installed 1.10 SP and IdP, and configured them to work together, though once I come back from the redirect from the IdP it's a lost session all the time (though it's worked previously some of the time).

Loading state: '_20f1412e0b0e8c73f06a18b28e7c5a8b1dcceefca7'
SimpleSAML_Error_NoState: NOSTATE
Backtrace:
2 /media/mirrorstore/htdoc_roots/saml.sp/lib/SimpleSAML/Auth/State.php:232 (SimpleSAML_Auth_State::loadState)
1 /media/mirrorstore/htdoc_roots/saml.sp/modules/saml/www/sp/saml2-acs.php:54 (require)
0 /media/mirrorstore/htdoc_roots/saml.sp/www/module.php:135 (N/A)
Error report with id c6b889d4 generated.
Template: Reading [/media/mirrorstore/htdoc_roots/saml.sp/dictionaries/errors]
Template: Reading [/media/mirrorstore/htdoc_roots/saml.sp/modules/core/dictionaries/no_state]

Any clues to what logs or config I should start looking in?

Cheers
Jeremy

Jeremy Hutchings

Jan 4, 2013, 11:02:00 AM
to simple...@googlegroups.com, olav....@uninett.no
I resolved my issue by moving my idp to the same domain as the app I am creating and including it directly in the PHP as per the example in the documentation.

I believe my issue was with the cookie & session and found this helpful:

http://code.google.com/p/simplesamlphp/wiki/LostState

K Kaland

Jan 7, 2013, 12:41:01 AM
to simple...@googlegroups.com, olav....@uninett.no
Yeah, I ran into this yesterday, and it was a cookie domain issue. It'll generally be that in one way or another, it seems.

The IdP installation of simpleSAMLphp should be on the same domain as the identity provider, and I think the cookie domain in config/config.php can safely be the IdP's full base URL (e.g. idp.example.com).

The SP one should follow the same rules, but if several sites use the same SP installation, the cookie domain would be .example.com instead of site.example.com (this is what got me yesterday).

simpleSAMLphp works quite reliably otherwise.
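
An added example (not part of any post in this thread, and not SimpleSAMLphp code): it checks, using RFC 6265 domain matching, whether the session cookie set where the login starts will be sent back to the AssertionConsumerService, which is the condition behind the cookie-domain cases described above. The function names and example.com hosts are assumptions; `$cookieDomain` stands for `session.cookie.domain`, with `null` meaning a host-only cookie.

```php
<?php
// Added example: if the browser does not return the session cookie to the
// ACS, the SP cannot load the saved state and reports NOSTATE.
function domainMatches(string $host, string $cookieDomain): bool
{
    $host = strtolower($host);
    $suffix = '.' . strtolower(ltrim($cookieDomain, '.'));
    // Exact match, or suffix match on a label boundary (never for IP literals).
    return '.' . $host === $suffix
        || (filter_var($host, FILTER_VALIDATE_IP) === false
            && substr($host, -strlen($suffix)) === $suffix);
}

/** Returns the reasons the cookie would be missing at the ACS (empty = fine). */
function lostStateReasons(string $startUrl, string $acsUrl, ?string $cookieDomain, bool $secure): array
{
    $start = parse_url($startUrl);
    $acs = parse_url($acsUrl);
    $reasons = [];
    if ($cookieDomain === null) {
        // Host-only cookie: returned only to the exact host that set it.
        if (strcasecmp($start['host'], $acs['host']) !== 0) {
            $reasons[] = "host-only cookie from {$start['host']} is not sent to {$acs['host']}";
        }
    } else {
        if (!domainMatches($start['host'], $cookieDomain)) {
            $reasons[] = "browser rejects Domain=$cookieDomain set by {$start['host']}";
        }
        if (!domainMatches($acs['host'], $cookieDomain)) {
            $reasons[] = "Domain=$cookieDomain does not cover {$acs['host']}";
        }
    }
    if ($secure && $acs['scheme'] !== 'https') {
        $reasons[] = 'Secure cookie is not sent to a plain-http ACS';
    }
    return $reasons;
}

// Constructed cases; host names are placeholders.
$acs = 'https://sso.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp';
$cases = [
    ['https://site.example.com/index.php', $acs, null, false],
    ['https://site.example.com/index.php', $acs, '.example.com', false],
    ['https://site.example.com/index.php', 'http://sso.example.com/acs', '.example.com', true],
];
foreach ($cases as $c) {
    echo json_encode(lostStateReasons(...$c)), "\n";
}
```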

Peter Schober

Jan 7, 2013, 5:35:58 AM
to simple...@googlegroups.com
* K Kaland <kevin....@gmail.com> [2013-01-07 06:41]:
> The IdP installation of simpleSAMLphp should be on the same domain
> as the identity provider

Given that "IdP" is short for "identity provider" and in this context
describes a role of a SAML software implementation I don't see how you
could assume them to be in different DNS domains (or even what an
"identity provider" is, exactly, other than your IdP installation).

> and I think the cookie domain in config/config.php can safely be the
> IdP's full base URL (e.g. idp.example.com).

No, you'd only need to change session.cookie.domain if you wanted the
opposite: to have the IdP's cookie /not/ limited to the only host that
needs it (i.e., the IdP).

> The SP one should follow the same rules, but if several sites use
> the same SP installation, the cookie domain would be .example.com
> instead of site.example.com (this is what got me yesterday).

The requirement to have all resources in the same shared DNS domain is
simply a function (or consequence) of your decision to not
install/deploy a SAML Service Provider with each resource (as the
common model would have it), i.e., to /not/ use SAML for SSO between
resources.

> simpleSAMLphp works quite reliably otherwise.

Nothing you say indicates SimpleSAMLphp lacking reliability in any way.
-peter

Kevin Kaland

Jan 7, 2013, 5:52:43 AM
to simple...@googlegroups.com

I know.

The thing about reliability was colloquial speech; I should have said, "simpleSAMLphp works reliably."


Vincent Gerris

Jun 25, 2013, 5:35:39 AM
to simple...@googlegroups.com
I am still unable to get a working configuration between a shibboleth 2 SP and simplesamlphp as IdP.
I configured simplesamlphp to use memcache as backend, which seems to work, but I still get No state errors.
The IdP is on https, the SP is not.
I have not found a working example of this setup anywhere, so I am not really getting anywhere.
I looked with SAML tracer and Tamper data in the request, but I do not know what I am missing here.
Can anyone help with this?

Peter Schober

Jun 25, 2013, 7:29:19 AM
to simple...@googlegroups.com
* Vincent Gerris <vge...@gmail.com> [2013-06-25 12:50]:
> I am still unable to get a working configuration between a shibboleth 2 SP
> and simplesamlphp as IdP.
> I configured simplesamlphp to use memcache as backend, which seems to work,
> but I still get No state errors.

Did you also have those errors without using memcached?
Did you read http://code.google.com/p/simplesamlphp/wiki/LostState ?

> The IdP is on https, the SP is not.

Shouldn't matter as long as all host names are correct in the SAML
metadata describing both (and consistently used from clients) -- other
than that it will create ugly security warnings in all browsers when
using the most common HTTP POST protocol binding for the SAML response.

> I have not found a working example of this setup anywhere, so I am not
> really getting anywhere.

Many are using this, so it certainly works. The rest is in the details.
-peter

Akash Chepe

Jul 7, 2014, 7:33:26 AM
to simple...@googlegroups.com, flo...@googlemail.com
Hey guys,

SimpleSAMLphp is an award-winning application written in native PHP that deals with authentication.

So, the client connecting to our idp is having an issue where users are logging in and randomly get a NO STATE error on login. We have no other issues with any other service providers and I'm trying to narrow down what is causing this.

The issue is why would it be so random, most users log in fine, but randomly they get a no state error on attempting to login.

Exception: SimpleSAML_Error_NoState: NOSTATE

Nick Amon

Jul 7, 2014, 7:36:49 AM
to simple...@googlegroups.com, flo...@googlemail.com

I’ve seen this before when the session that stores the authentication state has been destroyed.  Check your session timeouts.


Akash Chepe

Jul 7, 2014, 8:04:50 AM
to simple...@googlegroups.com, flo...@googlemail.com, na...@xceedium.com
Thank You Nick Amon....It works...  :-)

Prakash Satpathy

Jun 5, 2015, 9:46:42 PM
to simple...@googlegroups.com, na...@xceedium.com, flo...@googlemail.com
Hey Akash, what is the solution?
I am struggling with the same issue.
Need help, if anybody can.