Exception: saml20-idp-remote/'urn:federation:MicrosoftOnline'['SingleSignOnService']:Could not find a supported SingleSignOnService endpoint.


Andrew Isherwood

Sep 30, 2022, 6:06:08 AM
to SimpleSAMLphp
Hi all

I've been banging my head against this one, so I'm hoping someone can help! I'll preface this by saying I'm pretty new to this area, so sincere apologies for any inaccuracies in what I say.

I'm attempting to authenticate against an IdP, but am receiving the following error when trying to initialise the authentication:

Sep 30 10:58:04 simplesamlphp[1151]: PHP Fatal error:  Uncaught SimpleSAML_Error_UnserializableException: saml20-idp-remote/'urn:federation:MicrosoftOnline'['SingleSignOnService']:Could not find a supported SingleSignOnService endpoint. in /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Source.php:198
Sep 30 10:58:04 simplesamlphp[1151]: Stack trace:
Sep 30 10:58:04 simplesamlphp[1151]: #0 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Simple.php(161): SimpleSAML_Auth_Source->initLogin('/saml2auth.php', NULL, Array)

I've done a lot of digging and understand the error to indicate that the IdP's metadata doesn't contain a SingleSignOnService element, which it indeed does not. The IdP's metadata can be seen here: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

The metadata does contain AssertionConsumerService elements which, from what I understand, are used by particular bindings (I think that is the correct term) to derive the URL to send the client to. But that doesn't seem to be happening here.

I've done a lot of digging around in the internals of SimpleSAMLphp and I think the issue is something to do with the type of IdP being incorrectly identified, or me not having enabled support for it. But, I could be waaaaaay off here!

If anyone is able to give me any pointers at all, I would be very grateful!

Cheers
Andrew

Peter Brand

Sep 30, 2022, 6:30:01 AM
to simple...@googlegroups.com
* Andrew Isherwood <andrew.i...@ptfs-europe.com> [2022-09-30 12:06]:
1. That is *not* IDP metadata: This SAML 2.0 Metadata only contains an
SPSSODescriptor role, i.e., it is SP (Service Provider) metadata, not
IDP (Identity Provider) metadata.

2. It is also *not* XSD-schema valid. I.e., this SAML 2.0 Metadata
document is broken and proper libraries wouldn't even be able to
consume it. (Specifically it contains an "Extensions" element after
the SPSSODescriptor element which is not legal in SAML 2.0 Metadata.)

So M$ seemingly is unable to create valid metadata (well, SAML 2.0 has
only been around since 2005, you can't expect a small company with so
little resources to support that only 17 years later, can you?).
And you're also probably looking at the wrong thing here (my point 1).

HTH,
-peter
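An added check, not code from this thread or from SimpleSAMLphp, that makes Peter's two points testable: it parses a SAML 2.0 metadata document and reports which role descriptors it carries, whether it has the SingleSignOnService endpoint a saml20-idp-remote entry needs, and whether an md:Extensions element appears after a role descriptor (not allowed by the metadata schema). The two embedded documents are constructed to mirror the shapes described above; they are not Microsoft's actual metadata.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ROLE_TAGS = {"IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor",
             "AuthnAuthorityDescriptor", "PDPDescriptor", "RoleDescriptor"}
# Bindings an SP can use to deliver an AuthnRequest to a SingleSignOnService.
AUTHN_REQUEST_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                          "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

def inspect_metadata(xml_text):
    # Report roles/endpoints present and whether the document can serve as a
    # saml20-idp-remote entry (IDPSSODescriptor with a usable SSO endpoint).
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("expected a single md:EntityDescriptor, got " + root.tag)
    report = {"roles": [], "sso": [], "acs": [], "extensions_after_role": False}
    seen_role = False
    for child in root:  # document order matters for the schema check
        local = child.tag.rsplit("}", 1)[-1]
        if local in ROLE_TAGS:
            seen_role = True
            report["roles"].append(local)
        elif local == "Extensions" and seen_role:
            # The schema only allows md:Extensions before the role descriptors.
            report["extensions_after_role"] = True
    for ep in root.iter("{%s}SingleSignOnService" % MD):
        report["sso"].append((ep.get("Binding"), ep.get("Location")))
    for ep in root.iter("{%s}AssertionConsumerService" % MD):
        report["acs"].append((ep.get("Binding"), ep.get("Location")))
    report["usable_as_idp"] = "IDPSSODescriptor" in report["roles"] and any(
        b in AUTHN_REQUEST_BINDINGS for b, _ in report["sso"])
    return report

# Constructed sample with the shape described in the thread: SP role only, and
# an Extensions element placed after the role descriptor (schema-invalid).
SP_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sp-only">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/acs"/>
  </md:SPSSODescriptor>
  <md:Extensions><x:Note xmlns:x="urn:example:ext"/></md:Extensions>
</md:EntityDescriptor>"""
# Constructed sample of what a saml20-idp-remote entry actually needs.
IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Running `inspect_metadata` over a document fetched from a partner before adding it to saml20-idp-remote shows immediately whether you were handed SP metadata instead of IdP metadata, which is the error this thread hit.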

Andrew Isherwood

Sep 30, 2022, 9:12:24 AM
to SimpleSAMLphp
Hi Peter

Ahhhh, that explains a lot! I've been testing my development against https://samltest.id/ and it has been working perfectly, so I couldn't understand why it wasn't working with this new IdP, but now I know! I think a chat with the client to try and get them to obtain the correct IdP metadata from Microsoft is my next move!

Many thanks for your help, I'm not at all sure I'd have got there without it!

Cheers
Andrew

Tim van Dijen

Oct 4, 2022, 5:04:01 AM
to SimpleSAMLphp
I've reached out to Microsoft to get that schema-invalid metadata fixed.

- Tim

On Friday, 30 September 2022 at 15:12:24 UTC+2, andrew.i...@ptfs-europe.com wrote: