* o haya <ohay...@gmail.com> [2021-10-10 23:39]:
> As mentioned in previous threads, from the IdP logs of requests, I
> see two differences in the ACS in the request messages:
>
> 1) The URL in the ACS uses the IP address instead of FQDN.
And what is it that the prod SP is putting into its authn request (and
the IDP has on record for that SP)?
Note that if the prod SP is generating authn requests with its IP
address in them you won't easily be able to make those responses go to
your test SP instead: The IDP will send an HTML form to your web
browser which would HTTP-POST the SAML response to the SP at the
requested location, i.e., the prod SP, not your test SP.
So if that's the behaviour you want to recreate I don't see how you
could transparently replace use of the prod SP with your test SP.
If OTOH the prod SP uses a host name in its SAML 2.0 authn requests
this is all rather easy and I've already provided you with a complete
write-up on how you'd achieve this.
> 2) The end of the URL in the ACS in the request is incorrect (it needs to
> be "saml1-acs.php" instead of "saml2-acs.php").
The ACS URL from the SP's SAML 2.0 authn request simply tells the IDP
where the SP wants to receive the SAML Response (or Assertion).
The IDP is required to verify that location before use which is why
the IDP has a copy of the SP's metadata on record detailing the
SP's various endpoints.
The specific endpoint URLs are up to the SP and in the case of
SimpleSAMLphp they differ per SAML protocol version.
Note that SAML 1 did not even have authn requests at all!
> To workaround #2, I check the metadata from SimpleSAMLphp, and it
> looks like Binding
> "urn:oasis:names:tc:SAML:1.0:profiles:browser-post" has the matching
> ACS URL
Well, that's for a different protocol (SAML1 != SAML 2) so is not
appropriate for SAML 2.0 protocol messages. You are using SAML 2.0,
are you not? Does your browser show a SAML 2.0 authn request when you
look at HTTP requests and responses, e.g. using the SAML-tracer
extension?
Since (1) none of this makes any sense and (2) none of this will be of
any use to anyone else on this list (so I claim) I suggest you clone
the prod SP (instead of failing to recreate it) e.g. on the VM or disk
imaging level and be done with that exercise.
Then start your actual work of debugging the problem your prod SP is
seeing.
-peter
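As an added example (not from this thread or from SimpleSAMLphp), a Python sketch of the IdP-side check Peter describes: the ACS URL named in a SAML 2.0 authn request must match, binding and location, an endpoint in the SP metadata the IDP holds, and a SAML 1 browser-post endpoint never qualifies. The metadata, entity IDs and URLs are constructed; the code assumes the request names its ACS URL explicitly and treats HTTP-POST as the binding when ProtocolBinding is absent.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML1_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"

# Constructed SP metadata (not a real deployment): one SAML 2.0 ACS and one
# SAML 1 browser-post ACS, one endpoint per protocol version as in SimpleSAMLphp.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD[1:-1]}" entityID="https://sp.example.org/saml/sp/metadata.php">
 <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
  <md:AssertionConsumerService index="0" Binding="{HTTP_POST}"
      Location="https://sp.example.org/saml/sp/saml2-acs.php"/>
  <md:AssertionConsumerService index="1" Binding="{SAML1_POST}"
      Location="https://sp.example.org/saml/sp/saml1-acs.php"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def authn_request(acs_url, binding=HTTP_POST):
    """Constructed SAML 2.0 AuthnRequest carrying the ACS the SP asks for."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
            f'IssueInstant="2021-10-10T21:39:00Z" ProtocolBinding="{binding}" '
            f'AssertionConsumerServiceURL="{acs_url}"/>')

def registered_acs(metadata_xml):
    """Every (Binding, Location) pair the SP metadata declares."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iter(MD + "AssertionConsumerService")}

def check_acs(request_xml, metadata_xml):
    """IdP-side check: the requested ACS must be a SAML 2.0 endpoint on record."""
    req = ET.fromstring(request_xml)
    if req.tag != "{" + SAMLP + "}AuthnRequest" or req.get("Version") != "2.0":
        return False, "not a SAML 2.0 AuthnRequest"
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding", HTTP_POST)  # assumed default when absent
    if not binding.startswith("urn:oasis:names:tc:SAML:2.0:bindings:"):
        return False, f"{binding} is not a SAML 2.0 binding"
    if (binding, url) not in registered_acs(metadata_xml):  # exact string match
        host = urlsplit(url).hostname or ""
        try:
            ipaddress.ip_address(host)
            hint = " (request uses an IP literal; metadata uses a host name)"
        except ValueError:
            hint = ""
        return False, f"ACS {url} not registered for {binding}{hint}"
    return True, "ACS matches SP metadata"
```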