configuring saml20-sp-remote


Alan Wong

Feb 8, 2011, 4:27:15 AM
to simpleSAMLphp
Hi,

I have a Service Provider using Shibboleth and want to use
simpleSAMLphp as an identity provider.
I set my SP entityid as (let's say) "http://spentityid.com". I add this
SP metadata into saml20-sp-remote by using the metadata converter.

Initially the SP is connected without any SSL enabled, so the metadata
is like this:

$metadata['http://spentityid.com/shibboleth'] = array (
  'entityid' => 'http://spentityid.com/shibboleth',
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      // binding URN and key names must be spelled exactly as in the SAML spec
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'http://spentityid.com/shibboleth.sso/SAML2/POST',
      'index' => 1,
    ),
  .........


But for some reason, I need to support both SSL and non-SSL
connections. So how am I going to configure the saml20-sp-remote? Is it
OK if I append another set of metadata with the same SP entityid but a
different AssertionConsumerService Location?

The location for SSL enabled is 'https://spentityid.com/shibboleth.sso/SAML2/POST',
right? Correct me if I am wrong.

Or is there any attribute I can use so that it can support both https
and http?
I'm new to this and hope to find some guidance.

Thanks

Alan.

Olav Morken

Feb 9, 2011, 6:37:39 AM
to simple...@googlegroups.com
On Tue, Feb 08, 2011 at 01:27:15 -0800, Alan Wong wrote:
> Hi,
>
> I have a Service Provider using Shibboleth and want to use
> simpleSAMLphp as an identity provider.
> I set my SP entityid as (let's say) "http://spentityid.com". I add this
> SP metadata into saml20-sp-remote by using the metadata converter.
>
> Initially the SP is connected without any SSL enabled, so the metadata
> is like this:
>
> $metadata['http://spentityid.com/shibboleth'] = array (
>   'entityid' => 'http://spentityid.com/shibboleth',
>   'metadata-set' => 'saml20-sp-remote',
>   'AssertionConsumerService' =>
>   array (
>     0 =>
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
>       'Location' => 'http://spentityid.com/shibboleth.sso/SAML2/POST',
>       'index' => 1,
>     ),
>   .........
>
>
> But for some reason, I need to support both SSL and non-SSL
> connections.

Care to elaborate? I would expect a Shibboleth SP to be able to have
the endpoints (i.e. AssertionConsumerService and SingleLogoutService)
on SSL and the rest of the web site without SSL. Is there any reason
you cannot do that?

> So how am I going to configure the saml20-sp-remote? Is it
> OK if I append another set of metadata with the same SP entityid but a
> different AssertionConsumerService Location?

That will not work. If you really need to do this, you will either need
two different metadata entries with different entityid, or a single
metadata entry with multiple AssertionConsumerService elements.

> The location for SSL enabled is 'https://spentityid.com/shibboleth.sso/SAML2/POST',
> right? Correct me if I am wrong.
>
> Or is there any attribute I can use so that it can support both https
> and http?
> I'm new to this and hope to find some guidance.

This depends heavily on the configuration of your SP, which in this
case is Shibboleth. Basically, what you configure in simpleSAMLphp must
match whatever your SP sends out, so first you need to find out what
your SP actually does. I am not familiar with configuration of a
Shibboleth SP though, so I cannot help you with that part.

Regards,
Olav Morken
UNINETT / Feide

Alan Wong

Feb 9, 2011, 11:22:32 PM
to simpleSAMLphp
Thanks for the reply :)

Let's say I use the metadata converter to convert the metadata from the
SP (http://spentityid.com/Shibboleth.sso/Metadata) and then insert it
into the saml20-sp-remote.

$metadata['http://spentityid.com/shibboleth'] = array (
  'entityid' => 'http://spentityid.com/shibboleth',
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      // binding URN and key names must be spelled exactly as in the SAML spec
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'http://spentityid.com/shibboleth.sso/SAML2/POST',
      'index' => 1,
    ),
  .........

So when I do a global logout, it will redirect me back based on the
Location in the metadata, right? Correct me if I am wrong.

If I want the SP and IdP to support https also, I can log in using
https, that is not an issue, but when I try to log out, it will
redirect me back to the logout page whose domain name is http (based
on the Location above also, "I think").

So if I want the IdP to support both http and https, meaning if I log in
with http then logout will be http also, and the same for the https
situation, I need 2 AssertionConsumerService entries in the same SP entityid,
right? Do you have any examples on how to configure that?


Really appreciate it, and thanks
Alan

Olav Morken

Feb 10, 2011, 7:02:18 AM
to simple...@googlegroups.com
On Wed, Feb 09, 2011 at 20:22:32 -0800, Alan Wong wrote:
> Thanks for the reply :)
>
> Let's say I use the metadata converter to convert the metadata from the
> SP (http://spentityid.com/Shibboleth.sso/Metadata) and then insert it
> into the saml20-sp-remote.
>
> $metadata['http://spentityid.com/shibboleth'] = array (
>   'entityid' => 'http://spentityid.com/shibboleth',
>   'metadata-set' => 'saml20-sp-remote',
>   'AssertionConsumerService' =>
>   array (
>     0 =>
>     array (
>       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
>       'Location' => 'http://spentityid.com/shibboleth.sso/SAML2/POST',
>       'index' => 1,
>     ),
>   .........
>
> So when I do a global logout, it will redirect me back based on the
> Location in the metadata, right? Correct me if I am wrong.

Yes, the LogoutRequest and LogoutResponse messages are sent to that
URL.

> If I want the SP and IdP to support https also, I can log in using
> https, that is not an issue, but when I try to log out, it will
> redirect me back to the logout page whose domain name is http (based
> on the Location above also, "I think").
>
> So if I want the IdP to support both http and https, meaning if I log in
> with http then logout will be http also, and the same for the https
> situation, I need 2 AssertionConsumerService entries in the same SP entityid,
> right? Do you have any examples on how to configure that?

When dealing with logout you don't have a choice - you need two
separate service providers, with separate metadata. The reason for this
is that there is no way to indicate which logout endpoint should be
used.


But you still haven't said why you need to have the
AssertionConsumerService endpoint and the SingleLogoutService endpoint
on both http and https? I suspect you could achieve your goal with just
a single service-provider that has both the endpoints located on https.

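An added example, not code from this thread or from simpleSAMLphp itself, of the single-entry layout Olav describes for the login side and of why it cannot cover logout: one saml20-sp-remote entry with the http and https AssertionConsumerService endpoints told apart by 'index', a single SingleLogoutService, and a simplified helper showing how an IdP picks the ACS from what the AuthnRequest carries. The SingleLogoutService path, the 'isDefault' flag and the selectAcs() helper are assumptions here, not the project's own configuration or API.

```php
<?php
// Added example (not simpleSAMLphp's own code): one SP entry carrying both the
// http and https ACS endpoints, told apart by 'index'. Key names follow the
// SAML metadata IndexedEndpointType attributes; 'isDefault' and the SLO path are assumed.
$metadata['http://spentityid.com/shibboleth'] = array(
    'entityid'     => 'http://spentityid.com/shibboleth',
    'metadata-set' => 'saml20-sp-remote',
    'AssertionConsumerService' => array(
        array(
            'Binding'   => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location'  => 'http://spentityid.com/Shibboleth.sso/SAML2/POST',
            'index'     => 1,
            'isDefault' => true,
        ),
        array(
            'Binding'   => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location'  => 'https://spentityid.com/Shibboleth.sso/SAML2/POST',
            'index'     => 2,
        ),
    ),
    // A LogoutRequest carries no index or URL to select on, so only one logout
    // endpoint can be honoured; logout over both schemes needs two SP entries.
    'SingleLogoutService' => array(
        array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://spentityid.com/Shibboleth.sso/SLO/Redirect', // assumed path
        ),
    ),
);

// Simplified ACS selection (hypothetical helper, not the project's API). An
// AuthnRequest may name an AssertionConsumerServiceIndex or an
// AssertionConsumerServiceURL; a URL is honoured only if it exactly matches a
// registered Location, otherwise the IdP uses the default or refuses.
function selectAcs(array $sp, ?int $index, ?string $url): ?array {
    foreach ($sp['AssertionConsumerService'] as $acs) {
        if ($index !== null && $acs['index'] === $index) return $acs;
        if ($url !== null && $acs['Location'] === $url) return $acs;
    }
    if ($index === null && $url === null) {
        foreach ($sp['AssertionConsumerService'] as $acs) {
            if (!empty($acs['isDefault'])) return $acs;
        }
    }
    return null; // unregistered endpoint requested: refuse, never redirect there
}

$sp = $metadata['http://spentityid.com/shibboleth'];
echo selectAcs($sp, 2, null)['Location'], "\n";    // request asks for index 2
echo selectAcs($sp, null, null)['Location'], "\n"; // no selector: default entry
var_dump(selectAcs($sp, null, 'https://other.example/SAML2/POST')); // not registered
```
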
Alan Wong

Feb 11, 2011, 4:09:13 AM
to simpleSAMLphp
Really, thanks for the answer, which means that I have to create 2 SPs
with different metadata if I want to support http and https for the
same domain, right? I'll think about that.. hehe..

> But you still haven't said why you need to have the
> AssertionConsumerService endpoint and the SingleLogoutService endpoint
> on both http and https? I suspect you could achieve your goal with just
> a single service-provider that has both the endpoints located on https

Because now the SP and the backend server support http, and I am
trying to upgrade it to https without affecting the current clients; it is
just a testing stage for this. Since it is not possible to do that,
maybe it is time to change everything to https in one shot..

thanks Olav :)