Re: How to use SimpleSAMLphp without using SSL


Peter Schober

May 27, 2013, 3:44:42 AM
to simple...@googlegroups.com
* admsksj2 <alumnisks...@gmail.com> [2013-05-27 09:19]:
> Hi, I want to ask how to use SimpleSAMLphp without using SSL because
> I don't have any root access to configure the server, because I use a
> shared server, so how can I do that?

I guess the question should be: Should I bother with SAML at all when
the resulting session cookies are not at least protected with TLS/SSL.

Also consider that depending on the role you want SSP to play (as a
SAML Service Provider or SAML Identity Provider or something else
entirely) the user experience may suffer unless you're using TLS/SSL.
(Mostly for SAML SPs using the most common protocol binding HTTP-POST.)

Other than that SSP does not force the use of SSL on you, and it also
doesn't force you to use the canonical port (tcp 443) for it if you
wanted to use a different one (on Unix & clones listening on ports > 1024
doesn't need privileged access).

One could also argue that if your hosting provider does not allow for
TLS/SSL maybe you should look elsewhere.

Lots of choices. None of which have anything to do with SSP.
-peter

admsksj2

May 27, 2013, 5:34:10 AM
to simple...@googlegroups.com
Thank you, Peter, but can you explain to me how to use SimpleSAMLphp over http, not https? Because I cannot configure the certificate in my DirectAdmin.

Peter Schober

May 27, 2013, 7:15:52 AM
to simple...@googlegroups.com
* admsksj2 <alumnisks...@gmail.com> [2013-05-27 11:34]:
> Thank you, Peter, but can you explain to me how to use SimpleSAMLphp over
> http, not https? Because I cannot configure the certificate in my
> DirectAdmin.

No idea what you're talking about (or what "DirectAdmin" is or why you
think that you need it).

Since you don't supply any useful information (like: what you're
trying to use SSP for or which part of the documentation leads you
to believe you need something called "DirectAdmin") I can only guess:

When the SSP documentation refers to certificates, e.g. at
http://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_1_1
for the SAML SP or at
http://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_7
for the SAML IDP
this has nothing to do with https. Just doing what the documentation
says (the openssl command plus adding the generated files to the
configuration as indicated) should be sufficient. And has nothing to
do with TLS/SSL.
-peter
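Worked example (added here; it is not code from the thread or from the SimpleSAMLphp project): the certificate the SSP documentation has you generate is a SAML signing key pair, and the script below produces one with the same openssl invocation the docs use, checks that the private key and certificate belong together, and prints the two config lines that go into the hosted IdP metadata (or the SP authsource). The web server never touches these files, which is the point Peter is making: they work the same whether SSP is served over http or https. The directory name cert/, the file name, the CN and the 3652-day validity are assumptions for the example.

```shell
#!/bin/sh
# Added example: generate a SAML signing key pair for SimpleSAMLphp.
# These files are used by SSP to sign and verify SAML messages; they are
# independent of any TLS certificate the web server may or may not have.
set -eu

# gen_saml_signing_cert DIR NAME [DAYS]
# Writes DIR/NAME.pem (private key) and DIR/NAME.crt (self-signed cert),
# the openssl command the SSP docs give. DIR is normally SSP's cert/ directory.
gen_saml_signing_cert() {
    dir=$1; name=$2; days=${3:-3652}
    mkdir -p "$dir"
    # -nodes: no passphrase, SSP must be able to read the key unattended.
    # The CN is informational only for a self-signed SAML signing cert (assumed value).
    openssl req -newkey rsa:2048 -new -x509 -days "$days" -nodes \
        -subj "/CN=sso.example.org" \
        -out "$dir/$name.crt" -keyout "$dir/$name.pem" 2>/dev/null
    # the private key must be readable only by the account running PHP
    chmod 600 "$dir/$name.pem"
}

# key_matches_cert KEY CRT
# Exit 0 only if the RSA modulus is identical in the key and the certificate,
# i.e. the two files really form one pair (a mismatch is a common cause of
# "signature verification failed" at the SP).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# ssp_config_snippet NAME
# Prints the entries to add to metadata/saml20-idp-hosted.php (IdP) or
# config/authsources.php (SP); SSP resolves these names relative to cert/.
ssp_config_snippet() {
    printf "    'privatekey'  => '%s.pem',\n    'certificate' => '%s.crt',\n" "$1" "$1"
}

# Demo: run as  SSP_DEMO=1 sh this-script.sh  to generate into ./cert
if [ "${SSP_DEMO:-0}" = 1 ]; then
    gen_saml_signing_cert ./cert sso.example.org
    key_matches_cert ./cert/sso.example.org.pem ./cert/sso.example.org.crt \
        && echo "key and certificate match"
    ssp_config_snippet sso.example.org
fi
```

If a remote SP later reports a signature problem, run key_matches_cert against the files named in your metadata before touching anything else; it distinguishes a mismatched pair from a metadata-provisioning problem on the SP side.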

admsksj2

May 27, 2013, 7:32:06 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Sorry, Peter, and thanks for that link. FYI, I'm using the DirectAdmin panel to control my site, and I installed SimpleSAMLphp to use with my Joomla site, Google Apps and Moodle. OK, here it is: as I mentioned, I'm using shared hosting, so I don't have the SSL option in my DA, and I also can enter the root access to use the cert. I have completed the suggested steps in the link given, but when I open my SimpleSAMLphp on my site (e.g. sso.mydomain.com/simplesaml/) or when I open it from (e.g. mail.google.com/a/mydomain.com) it shows an error 403 Forbidden. So that's why I need any solution to make my SimpleSAMLphp only use http, not https, to connect. If you had anything, just ask me.

Peter Schober

May 27, 2013, 7:38:25 AM
to simple...@googlegroups.com
(No need to CC: me, I follow the list.)

* admsksj2 <alumnisks...@gmail.com> [2013-05-27 13:32]:
> Sorry, Peter, and thanks for that link. FYI, I'm using the DirectAdmin panel
> to control my site, and I installed SimpleSAMLphp to use with my Joomla
> site, Google Apps and Moodle. OK, here it is: as I mentioned, I'm using
> shared hosting, so I don't have the SSL option in my DA, and I also can enter
> the root access to use the cert. I have completed the suggested steps in the
> link given, but when I open my SimpleSAMLphp on my site (e.g.
> sso.mydomain.com/simplesaml/) or when I open it from (e.g.
> mail.google.com/a/mydomain.com) it shows an error 403 Forbidden. So that's
> why I need any solution to make my SimpleSAMLphp only use http, not https, to
> connect. If you had anything, just ask me.

OK, so now we at least know you're trying to use SimpleSAMLphp as a
SAML IdP in order to access Google Apps For Your Domain as a SAML SP.

> but when I open my SimpleSAMLphp on my site (e.g.
> sso.mydomain.com/simplesaml/) [...] it shows an error 403 Forbidden.

Look at your webserver's error log to find out what causes this access
denied error (provided your hosting provider gives you access to your
own logs).
Whatever happens when you access the SAML SP (some Google system in
this case) depends on what data (about your SAML IdP) you provisioned
to the SAML SP. So I'd ignore the SAML SP until you can access the SSP
admin page without errors.
-peter

admsksj2

May 28, 2013, 6:47:27 AM
to simple...@googlegroups.com
OK, I can successfully log in to the administration panel using http, but I can't go to the login page using http. So another meaning of my question is: how can I use SimpleSAMLphp without using https, permanently using http?

Peter Schober

May 28, 2013, 12:04:38 PM
to simple...@googlegroups.com
* admsksj2 <alumnisks...@gmail.com> [2013-05-28 12:47]:
What is "login page", exactly? SimpleSAMLphp's authentication source
test? Something else?
-peter
Message has been deleted

admsksj2

May 29, 2013, 3:29:56 AM
to simple...@googlegroups.com, peter....@univie.ac.at

Peter Schober

May 29, 2013, 4:23:52 AM
to simple...@googlegroups.com

admsksj2

May 29, 2013, 4:37:41 AM
to simple...@googlegroups.com, peter....@univie.ac.at

Jaime Pérez Crespo

May 29, 2013, 4:45:56 AM
to simple...@googlegroups.com
Hi,

You are doing so. The URL you are using HTTPS for is Google's. And obviously you don't have any control over that (nor need it; it's a good idea to use HTTPS there).

Then Google redirects to your IdP, which is using plain HTTP:


So your problem is not HTTPS-related at all. You should try to be a bit more specific (i.e. give a step-by-step description of the procedure and the hops of your browser, state any errors you see, etc.) if you really want help.

--
Jaime Pérez
UNINETT / Feide

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

admsksj2

May 29, 2013, 4:55:19 AM
to simple...@googlegroups.com

Hi Jaime,

Here I attached a picture of what happens...

1st I go to https://mail.google.com/a/stjohn.edu.my
2nd it redirects me to the SimpleSAMLphp page, but it appears forbidden

<-- This is the 2nd

Peter Schober

May 29, 2013, 4:58:41 AM
to simple...@googlegroups.com
* admsksj2 <alumnisks...@gmail.com> [2013-05-29 10:37]:
> using plain http. I don't want to use https because [...]

I can't do more than confront your own statements with your previous
statements.

1. You said you want SAML Authentication Requests to arrive at your
IdP on plain http. Other than making sure your SSP install is
reachable via plain http (which it is) that's all between Google and
you. Tell Google what your SSO endpoint is, via whatever methods this
SP offers.

2. You also posted an example and stated that you already receive
those requests on plain http. See your own previous emails.

3. Accessing https://mail.google.com/a/stjohn.edu.my I do get
redirected to
http://sso.stjohn.edu.my/simplesaml/www/saml2/idp/SSOService.php?SAMLRequest=....
on a plain http endpoint. So the request from Google already does what
you say you want. (There's an HTTP 403 Forbidden error for me on that
error but since you didn't mention that and it also has nothing to do
with the SSP software I suppose that's expected.)

4. Taking 1 + 2 + 3 together means your questions here don't make any
sense.

> I don't have any root access to upload my own certificate to use
> with the above link. I know it needs to use https TLS/SSL, but I want
> to change it: instead of using https, I want to use http, as in the
> following url

Yes. We. Know. That.

(Even if that's dangerously stupid since unless you're taking other
measures it probably means all credentials -- commonly username +
password -- are going over the network in the clear. Likewise the
resulting SSO session cookie with your IdP will be unprotected.
But that's your decision. Certainly fine with me.)

Anyway, just blindly repeating this each and every email won't get you
any further. You seriously need to develop your asking and reading
replies skills.
-peter

Jaime Pérez Crespo

May 29, 2013, 6:13:09 AM
to simple...@googlegroups.com
Hi again,

On May 29, 2013, at 10:55 AM, admsksj2 <alumnisks...@gmail.com> wrote:

> Hi Jaime,
>
> Here I attached a picture of what happens...
>
> 1st I go to https://mail.google.com/a/stjohn.edu.my
> 2nd it redirects me to the SimpleSAMLphp page, but it appears forbidden
>
> <-- This is the 2nd

That's an Apache error. Nothing to do with SimpleSAMLphp. You need first to check your server configuration and make sure everything is fine. Not even the basic web interface is reachable. If I try

http://sso.stjohn.edu.my/simplesaml/

all I get is a 403 Forbidden error. Even worse, if I try


what I get is a 500 error. So something is seriously wrong in your web server configuration.

Peter Schober

May 29, 2013, 8:05:56 AM
to simple...@googlegroups.com
* Jaime Pérez Crespo <jaime...@uninett.no> [2013-05-29 12:13]:
> That's an apache error. Nothing to do with simpleSAMLphp. You need
> first to check your server configuration and make sure everything is
> fine. Not even the basic web interface is reachable. If I try
>
> http://sso.stjohn.edu.my/simplesaml/

That's the SSP distribution root directory which shouldn't even be
exposed on the web. So having HTTP 403 there is actually good ;)
-peter

Jaime Pérez Crespo

May 29, 2013, 8:35:29 AM
to simple...@googlegroups.com
Hi,

On May 29, 2013, at 14:05 PM, Peter Schober <peter....@univie.ac.at> wrote:
* Jaime Pérez Crespo <jaime...@uninett.no> [2013-05-29 12:13]:

Well, that's only a URL, not necessarily a directory. But you are right in pointing that out, because I was assuming that it was an alias pointing to the 'www' directory of the SSP distribution, as most people usually do. Now I see that unfortunately I was wrong...

Even worse, the 403 is basically forbidding any directory listing, but not access in general. So actually it is possible to reach any file in the SSP installation. For instance:


So, 'admsksj2', again, your problem is a server configuration problem. Your document root is pointing to the directory where your SSP installation is, which is a very bad idea. You need to either point it to the 'www' directory of SSP, or create an alias, as stated in the documentation. If, once you've solved this issue, you configure Google Apps and the problem persists with the new URL (which should be something like sso.stjohn.edu.my/simplesaml/saml2/idp/SSOService.php?...), please check the error log of your apache server for hints on why it is forbidding access to that particular URL.
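Worked example (added here; mine, not the project's and not either poster's): the layout problem Jaime diagnoses is that the whole SimpleSAMLphp tree sits under the web server's DocumentRoot, so config/ (which holds the SSP configuration) and cert/ (which holds the signing private key generated above) are fetchable as static files, and a directory-listing 403 does nothing to stop that. The script emits the Apache fragment from the SSP install docs, which maps the /simplesaml URL prefix onto the www/ directory only, and a check that flags an installation whose config/, cert/ or metadata/ directory lies under a given DocumentRoot. The paths are assumptions; on shared hosting where httpd.conf is not editable, the equivalent fix is to make www/ itself the document root of the (sub)domain, or to move the installation outside the document root entirely.

```shell
#!/bin/sh
# Added example: keep only SimpleSAMLphp's www/ directory web-reachable.
set -eu

# ssp_alias_conf INSTALL_DIR [URL_PREFIX]
# Prints the Apache fragment the SSP docs give: an Alias from the URL prefix
# to INSTALL_DIR/www. Nothing else under INSTALL_DIR is mapped to a URL.
# Apache 2.4 syntax; 2.2 used "Order allow,deny" / "Allow from all" instead.
ssp_alias_conf() {
    inst=$1; prefix=${2:-/simplesaml}
    cat <<EOF
Alias $prefix $inst/www
<Directory $inst/www>
    Require all granted
</Directory>
EOF
}

# check_layout DOCROOT INSTALL_DIR
# Exit 0 if the sensitive SSP directories are outside DOCROOT (either the
# install lives elsewhere and is served via Alias, or www/ itself is the
# DocumentRoot). Exit 1 if config/, cert/ or metadata/ would be reachable as
# static files. Both paths must exist; they are canonicalised with pwd -P so
# symlinks and ".." cannot fool the prefix comparison.
check_layout() {
    docroot=$(cd "$1" && pwd -P)
    inst=$(cd "$2" && pwd -P)
    for d in config cert metadata; do
        case "$inst/$d/" in
            "$docroot/"*)
                echo "BAD: $inst/$d is under DocumentRoot $docroot (config and private key exposed)" >&2
                return 1 ;;
        esac
    done
    echo "OK: only $inst/www is served; map it with Alias or make it the DocumentRoot"
    return 0
}

# Demo: run as  SSP_DEMO=1 sh this-script.sh  (uses a throwaway layout)
if [ "${SSP_DEMO:-0}" = 1 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/simplesamlphp/www" "$demo/simplesamlphp/config" \
             "$demo/simplesamlphp/cert" "$demo/simplesamlphp/metadata"
    # the layout from the thread: DocumentRoot is the SSP install directory
    check_layout "$demo/simplesamlphp" "$demo/simplesamlphp" || true
    # the fix: serve www/ only
    check_layout "$demo/simplesamlphp/www" "$demo/simplesamlphp"
    ssp_alias_conf "$demo/simplesamlphp"
    rm -rf "$demo"
fi
```

After changing the mapping, the SSO endpoint URL changes too (the /www/ component disappears from the path), so the IdP's SSO URL registered at the SP has to be updated to match, as Jaime notes.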
