How can I troubleshoot "Exception: Unable to extract public key" error


Nicolas Roggli

Jun 30, 2021, 4:10:03 AM
to SimpleSAMLphp
How can I find out why this is happening? 
The log shows that I get the response from the idp

Jun 30 09:53:13 simplesamlphp DEBUG [9bf19d0b1f] Received SAML2 Response from 'http://adfs.unige.ch/adfs/services/trust'.
Jun 30 09:53:13 simplesamlphp DEBUG [9bf19d0b1f] Has 1 candidate keys for validation.
Jun 30 09:53:13 simplesamlphp ERROR [9bf19d0b1f] SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Jun 30 09:53:13 simplesamlphp ERROR [9bf19d0b1f] Backtrace:
Jun 30 09:53:13 simplesamlphp ERROR [9bf19d0b1f] 1 /var/simplesamlphp/www/_include.php:17 (SimpleSAML_exception_handler)
Jun 30 09:53:13 simplesamlphp ERROR [9bf19d0b1f] 0 [builtin] (N/A)
Jun 30 09:53:13 simplesamlphp ERROR [9bf19d0b1f] Caused by: Exception: Unable to extract public key
Jun 30 09:53:13 simplesamlphp ERROR [9bf19d0b1f] Backtrace:
Jun 30 09:53:13 simplesamlphp ERROR [9bf19d0b1f] 5 /var/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:381 (RobRichards\XMLSecLibs\XMLSecurityKey::loadKey)

The permissions on the certificates are:
-rw-r--r--  1 root root     1436 Jun 28 10:57 saml.crt
-rw-r-----  1 root www-data 1704 Jun 28 10:56 saml.pem

It does access those certificates, since if I change the group owner of saml.pem to root, I get the following error message:
SimpleSAML\Error\Exception: Unable to load private key from file "/var/simplesamlphp/cert/saml.pem"

Thank you for any hints
Nicolas

Tim van Dijen

Jun 30, 2021, 4:15:24 AM
to SimpleSAMLphp
Hi Nicholas,

The only reason I can think of is that the file doesn't contain a well-formatted PEM public key.
Is it missing the PEM-headers? Is it accidentally stored in a binary format?

- Tim

On Wednesday, 30 June 2021 at 10:10:03 UTC+2, n.ro...@gmail.com wrote:

Nicolas Roggli

Jun 30, 2021, 4:45:56 AM
to SimpleSAMLphp
Hi Tim,

this is the header:
-----BEGIN PRIVATE KEY-----

and it ends with

-----END PRIVATE KEY-----

Should there be more?

Tim van Dijen

Jun 30, 2021, 4:50:44 AM
to SimpleSAMLphp
It should contain a public key, not a private key..

- Tim

On Wednesday, 30 June 2021 at 10:45:56 UTC+2, n.ro...@gmail.com wrote:

Nicolas Roggli

Jun 30, 2021, 4:59:22 AM
to SimpleSAMLphp
I followed the simplesaml doc 1.1 Enabling a certificate for your Service Provider

openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

Is it another certificate that I should generate? I am totally new in this field!

Tim van Dijen

Jun 30, 2021, 5:17:12 AM
to SimpleSAMLphp
At this point it's trying to validate the signature of the response you get from ADFS.
It should be using the public key from the ADFS metadata for that, so I'm not sure what is happening...  I guess it didn't work before you added the certificate either?

- Tim
On Wednesday, 30 June 2021 at 10:59:22 UTC+2, n.ro...@gmail.com wrote:

Tim van Dijen

Jun 30, 2021, 5:20:02 AM
to SimpleSAMLphp
OH wait... Could it be that you moved to 2. already and pointed that 'example.pem' mentioned there to the same key you've created in 1.1?

- Tim

On Wednesday, 30 June 2021 at 11:17:12 UTC+2, Tim van Dijen wrote:

Nicolas Roggli

Jun 30, 2021, 5:26:40 AM
to SimpleSAMLphp
No, I didn't, I used the web interface to convert the idp metadata and used that for saml20-idp-remote.php
So it might be that the cert in the metadata is missing the header, correct? 

Tim van Dijen

Jun 30, 2021, 5:30:30 AM
to SimpleSAMLphp
No, the metadata certificates never have the PEM-headers, so that's not it.
When you try to authenticate, do you actually get redirected to ADFS and back?

On Wednesday, 30 June 2021 at 11:26:40 UTC+2, n.ro...@gmail.com wrote:

Nicolas Roggli

Jun 30, 2021, 5:31:02 AM
to SimpleSAMLphp
this is what I have:

        'keys' => [
                [
                        'encryption' => true,
                        'signing' => false,
                        'type' => 'X509Certificate',
                        'X509Certificate' => 'NqR7CeqSv9YMIIG.......more
                 ],
                [
                        'encryption' => false,
                        'signing' => true,
                        'type' => 'X509Certificate',
                        'X509Certificate' => 'NqR7CeqSv9YMIIG.......more

Nicolas Roggli

Jun 30, 2021, 5:32:49 AM
to SimpleSAMLphp
Our messages crossed. How can I tell if I get redirected to ADFS and back? I don't reach the login form, that's for sure.

Tim van Dijen

Jun 30, 2021, 5:38:18 AM
to SimpleSAMLphp
That's ok, the metadata from ADFS should be fine..   Whether you're being redirected or not can be made visible by using your browser's developer tools [F12]. Depending on your browser you should see a Network tab where you can follow what calls are being made to what websites.
If you're going to deal with SAML / SSO more often, I can really recommend the SAMLtracer add-on for Firefox & Chrome.. It does pretty much the same as the built-in developer tools, but also allows you to see the exact SAML XML-messages being exchanged..
Do you mind sharing the contents of the authsources.php, and then specifically the 'default-sp' authsource?

On Wednesday, 30 June 2021 at 11:32:49 UTC+2, n.ro...@gmail.com wrote:

Nicolas Roggli

Jun 30, 2021, 5:52:21 AM
to SimpleSAMLphp
Here below is the problematic source tested in the web interface under the Test authentication sources tab.
The metadata of my service is

    'lsss-staging' => [
        'saml:SP',
        'entityID' => 'https://staging.lsss.unige.ch',
        'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
        'redirect.sign' => TRUE,
        'redirect.validate' => TRUE,
        'sign.authnrequest' => TRUE,
        'sign.logout' => TRUE,
        'validate.logout' => TRUE,
        'WantAssertionsSigned' => TRUE,
    ],

The metadata of my service is on a different hostname but on the same server. Could that be a problem?

Nicolas Roggli

Jun 30, 2021, 5:58:22 AM
to SimpleSAMLphp
In fact, I get redirected, when I try in a browser where I wasn't previously authenticated!
I get the authentication screen and get redirected

Tim van Dijen

Jun 30, 2021, 6:01:36 AM
to SimpleSAMLphp
That could prove to be problematic yes, but it shouldn't be causing certificate errors..
I don't see anything wrong with the config you've provided.
What happens if you comment out all the options below 'redirect.sign'?  Perhaps it can help if we peel it off, one setting per time.


On Wednesday, 30 June 2021 at 11:52:21 UTC+2, n.ro...@gmail.com wrote:

Tim van Dijen

Jun 30, 2021, 6:05:59 AM
to SimpleSAMLphp
Ok cool, so the first part is working!
Now, I know from first-hand experience that ADFS can respond with an error even after logging in, because it didn't like something in the initial request..

We can see what ADFS' response is by enabling debug logging;
In config/config.php set:

'logging.level' => SimpleSAML\Logger::DEBUG,

and also:

'debug' => [
   'saml' => true,
   'backtraces' => true,
   'validatexml' => false,
],

Now we can see in the logs whether ADFS is responding with a valid token, or a SAML RESPONDER-error.

On Wednesday, 30 June 2021 at 11:58:22 UTC+2, n.ro...@gmail.com wrote:

Nicolas Roggli

Jun 30, 2021, 6:17:15 AM
to SimpleSAMLphp
I'll try removing the params ass suggested, meanwhile, here's a log of a tentative test
According to the log:
Jun 30 12:08:51 simplesamlphp DEBUG [TRef640f99] Localization: using old system
Jun 30 12:08:51 simplesamlphp ERROR [TRef640f99] Error loading session: Cannot load PHP session with a specific ID.
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] Session: 'lsss-staging' not valid because we are not authenticated.
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] Saved state: '_e442211317dac6c0b24480605515e85c8384b300ab'
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] Sending SAML 2 AuthnRequest to 'http://adfs.unige.ch/adfs/services/trust'
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] Sending message:
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] <samlp:AuthnRequest xmlns:samlp=  long line trimmed
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0]   <saml:Issuer>https://staging.lsss.unige.ch</saml:Issuer>
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0]   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] </samlp:AuthnRequest>
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] Redirect to 1129 byte URL: https://adfs.unige.ch/adfs/ls/?SAMLRequest=fVJdb%2BMg long line trimmed
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] Received message
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8d21b04f-af4b-4f1d-8047-f28f10b748b5" Version="2.0" IssueInstant="2021-06-30T10:08:53.217Z" Destination="https://lsbioweb1.unige.ch/simplesaml/module.php/saml/sp/saml2-acs.php/lsss-staging" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_e442211317dac6c0b24480605515e85c8384b300ab">
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0]   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.unige.ch/adfs/services/trust</Issuer>
lot of xml ...
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] </samlp:Response>
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] Loading state: '_e442211317dac6c0b24480605515e85c8384b300ab'
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] Received SAML2 Response from 'http://adfs.unige.ch/adfs/services/trust'.
Jun 30 12:08:53 simplesamlphp DEBUG [9101f88db0] Has 1 candidate keys for validation.
Jun 30 12:08:53 simplesamlphp ERROR [9101f88db0] SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Jun 30 12:08:53 simplesamlphp ERROR [9101f88db0] Backtrace:
Jun 30 12:08:53 simplesamlphp ERROR [9101f88db0] 1 /var/simplesamlphp/www/_include.php:17 (SimpleSAML_exception_handler)
Jun 30 12:08:53 simplesamlphp ERROR [9101f88db0] 0 [builtin] (N/A)
Jun 30 12:08:53 simplesamlphp ERROR [9101f88db0] Caused by: Exception: Unable to extract public key
Jun 30 12:08:53 simplesamlphp ERROR [9101f88db0] Backtrace:

Nicolas Roggli

Jun 30, 2021, 6:22:07 AM
to SimpleSAMLphp
I meant " as suggested" ...

Peter Schober

Jun 30, 2021, 7:36:01 AM
to SimpleSAMLphp
* Nicolas Roggli <n.ro...@gmail.com> [2021-06-30 10:10]:
> Jun 30 09:53:13 simplesamlphp ERROR [9bf19d0b1f] Caused by: Exception:
> Unable to extract public key

From where does it try to extract the public key wrt this message -- I
was assuming from the signed SAML Response (or Assertion)?

-peter

Nicolas Roggli

Jun 30, 2021, 7:48:04 AM
to SimpleSAMLphp
I cannot tell. SAML is very new to me. 
I don't really understand what is happening under the hood, so I cannot tell what it's trying to decrypt, and with what.

Peter Schober

Jun 30, 2021, 7:51:44 AM
to SimpleSAMLphp
* Nicolas Roggli <n.ro...@gmail.com> [2021-06-30 13:48]:
> I cannot tell.

The "@Tim" hint that I was actually asking Tim where that log message
comes from got lost in my email.

-peter

Tim van Dijen

Jun 30, 2021, 8:02:02 AM
to SimpleSAMLphp
@Peter Yes, should be the signed response it's trying to validate, so the public key should come from the metadata ór the response itself.
@Nicolas: It's the 'lot of XML' that's the most interesting.. We now know you're receiving a SAML Response from ADFS, but does it contain an AttributeStatement or a StatusCode indicating an error?

On Wednesday, 30 June 2021 at 13:51:44 UTC+2, Peter Schober wrote:
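A way to get those answers straight from the debug log, added here as an example rather than code from the thread or from the SimpleSAMLphp project: it strips the log-line prefix, parses the <samlp:Response> and reports the StatusCode, whether the Assertion is encrypted (and to which certificate), and whether an AttributeStatement is visible at all. The sample log is constructed (placeholder host, IDs, issuer and cipher values).

```python
"""Triage a SAML Response captured in a SimpleSAMLphp debug log.

Added example for this thread, not code from the SimpleSAMLphp project. With
'logging.level' => DEBUG and 'debug' => ['saml' => true] the SP logs the raw
<samlp:Response>; this pulls it out and reports StatusCode, encryption and
whether an AttributeStatement is visible. Standard library only.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Log line prefix as SimpleSAMLphp writes it: "Jun 30 13:24:33 host DEBUG [trackid] "
LOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ [A-Z]+ \[[^\]]*\] ?")

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def extract_response_xml(log_text: str) -> str:
    """Strip the log prefix from each line and return the first <samlp:Response> element."""
    body = "\n".join(LOG_PREFIX.sub("", line) for line in log_text.splitlines())
    match = re.search(r"<samlp:Response\b.*?</samlp:Response>", body, re.S)
    if match is None:
        raise ValueError("no samlp:Response in log; is 'debug' => ['saml' => true] set?")
    return match.group(0)


def triage_response(xml_text: str) -> Dict[str, Optional[str]]:
    """Summarise the parts of the Response that decide whether the SP can use it."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    enc = root.find("saml:EncryptedAssertion", NS)
    info: Dict[str, Optional[str]] = {
        "status": code.get("Value", "").rsplit(":", 1)[-1] if code is not None else None,
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "assertion": "encrypted" if enc is not None
        else "plain" if root.find("saml:Assertion", NS) is not None else "none",
        "attribute_statement": "yes" if root.find(".//saml:AttributeStatement", NS) is not None else "no",
        "data_algorithm": None, "key_algorithm": None, "encrypted_to": None,
    }
    if enc is not None:
        method = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        info["data_algorithm"] = method.get("Algorithm") if method is not None else None
        key = enc.find(".//xenc:EncryptedKey", NS)
        if key is not None:
            km = key.find("xenc:EncryptionMethod", NS)
            info["key_algorithm"] = km.get("Algorithm") if km is not None else None
            # X509IssuerSerial names the recipient certificate: the SP encryption
            # certificate the IdP took from the SP metadata. 'privatekey' must match it.
            name = key.findtext(".//ds:X509IssuerSerial/ds:X509IssuerName", namespaces=NS)
            serial = key.findtext(".//ds:X509IssuerSerial/ds:X509SerialNumber", namespaces=NS)
            if name:
                info["encrypted_to"] = f"{name.strip()} serial={(serial or '').strip()}"
    return info


def findings(info: Dict[str, Optional[str]]) -> List[str]:
    """Turn the summary into the next checks a reader of the log should make."""
    out = []
    if info["status"] != "Success":
        out.append(f"IdP answered with StatusCode {info['status']}: fix the rejected request first")
    if info["assertion"] == "encrypted":
        out.append(f"Assertion is encrypted to {info['encrypted_to']}; the SP 'privatekey' must match it")
        out.append("AttributeStatement cannot be read from the log until decryption succeeds")
    elif info["assertion"] == "plain" and info["attribute_statement"] == "no":
        out.append("Assertion present but has no AttributeStatement: check the IdP claim rules")
    return out


# Constructed sample in the shape of the log lines in this thread; host, IDs,
# issuer and cipher values are made-up placeholders, not data from the thread.
SAMPLE_LOG = """\
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed" Version="2.0">
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example.org/adfs/services/trust</Issuer>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]           <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]           <KeyInfo><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509IssuerSerial>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]             <ds:X509IssuerName>CN=sp.example.org, O=Example</ds:X509IssuerName><ds:X509SerialNumber>1234</ds:X509SerialNumber>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]           </ds:X509IssuerSerial></ds:X509Data></KeyInfo>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]           <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]         </e:EncryptedKey>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]       </KeyInfo>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]       <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]     </xenc:EncryptedData>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000]   </EncryptedAssertion>
Jun 30 13:24:33 simplesamlphp DEBUG [0000000000] </samlp:Response>
"""

if __name__ == "__main__":
    summary = triage_response(extract_response_xml(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key:20} {value}")
    for line in findings(summary):
        print("->", line)
```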

Nicolas Roggli

Jun 30, 2021, 8:06:42 AM
to SimpleSAMLphp
No errors as far as I can tell. Can I post the log, or is that not recommended?

Tim van Dijen

Jun 30, 2021, 8:12:51 AM
to SimpleSAMLphp
Sure!  Let us have a look so we can rule some things out..
There's an element called AttributeStatement that could contain some personal details depending on what ADFS is sending you.. You may want to scan it quickly before posting it.

On Wednesday, 30 June 2021 at 14:06:42 UTC+2, n.ro...@gmail.com wrote:

Nicolas Roggli

Jun 30, 2021, 8:12:57 AM
to SimpleSAMLphp
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]   <samlp:Status>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]   </samlp:Status>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]           <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]           </e:EncryptionMethod>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]           <KeyInfo>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]               <ds:X509IssuerSerial>


Then there is some key info cypher data, but I am scared to reveal something I should not, but if you tell me that I can I'll post it

Nicolas Roggli

Jun 30, 2021, 8:16:08 AM
to SimpleSAMLphp
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.unige.ch/adfs/services/trust</Issuer>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]   <samlp:Status>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]   </samlp:Status>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]           <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]           </e:EncryptionMethod>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]           <KeyInfo>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]               <ds:X509IssuerSerial>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]                 <ds:X509IssuerName>E=myemail, CN=lsbioweb1.unige.ch, OU=BIMOL, O=UNIGE, L=Geneva, S=GE, C=CH</ds:X509IssuerName>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]                 <ds:X509SerialNumber>17296898115108749936</ds:X509SerialNumber>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]               </ds:X509IssuerSerial>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]             </ds:X509Data>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]           </KeyInfo>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]           <e:CipherData>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]             <e:CipherValue>wVv2xCZOuq81kaV1D7zVHaqwWVaR5Yv6b1GLq7MqVYTTKUFKd09IFlzIMxcLBA2ddvKV8zZbBXcJHyjySibAV7Y/OGe07wZAzVFJ9D4IVErLcpKfd49HIS707GOHvldRNFUvOqmn9CtyGNKZJAE
yHxtFUMDOY8QHZkeADo+puLFoIVxMSgO47x+yfO8k+zEE87TAPeH8YdHIla0nx1oD6mMrGON/Hi1nH7L3+PYtcTkg4ntBc/Ru9MIXV//KKqGd6G0dxaT3ytgX1ljZ9I26PoMpHfXZpFdLon8cfY4RqYhXw5TARhC7ZlSbSW4RyU+LqLC/MlbNymdA2qBjp90yIg==</e:CipherValue>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]           </e:CipherData>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]         </e:EncryptedKey>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]       </KeyInfo>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]       <xenc:CipherData>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]         <xenc:CipherValue>9dZlgAqqnUC trimmed line

Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]       </xenc:CipherData>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]     </xenc:EncryptedData>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23]   </EncryptedAssertion>
Jun 30 13:24:33 simplesamlphp DEBUG [9cc674df23] </samlp:Response>

Tim van Dijen

Jun 30, 2021, 8:20:10 AM
to SimpleSAMLphp
You don't have to worry about breaking security as long as you don't post any private keys or passwords.. Perfectly safe to share the XML messages or metadata.

I'll comment on the rest later if I have a bit more time.. What I can tell is that you're not only signing but also encrypting messages..
You may want to take it one step back first;  have SSO working with signed messages first and add the encryption layer later.

On Wednesday, 30 June 2021 at 14:12:57 UTC+2, n.ro...@gmail.com wrote:

Nicolas Roggli

Jun 30, 2021, 8:27:37 AM
to SimpleSAMLphp
Ok, and this I define in my settings, correct? I'll check the doc

Tim van Dijen

Jun 30, 2021, 9:25:54 AM
to SimpleSAMLphp
ADFS IDP kinda automatically enables encryption if you publish an encryption key in your SP metadata.
This is done automatically when you added the certificate-option to the authsources.

You should be able to disable encryption by adding 'assertion.encryption' => false and have ADFS import your metadata again.

On Wednesday, 30 June 2021 at 14:27:37 UTC+2, n.ro...@gmail.com wrote:

Nicolas Roggli

Jun 30, 2021, 9:32:50 AM
to SimpleSAMLphp
Thanks, I'll give it a try, and I really appreciate your help

Nicolas Roggli

Jun 30, 2021, 9:36:08 AM
to SimpleSAMLphp
Oh and how can I tell that encryption is disabled?

Peter Schober

Jun 30, 2021, 9:39:35 AM
to SimpleSAMLphp
* Tim van Dijen <tvd...@gmail.com> [2021-06-30 14:20]:
> What I can tell is that you're not only signing but also encrypting
> messages.. You may want to take it one step back first; have SSO
> working with signed messages first and add the encryption layer
> later.

In order to determine where the SSP code is failing I'd rather suggest
to leave things as they are and post the complete SAML Response:
According to the log snippet you posted SSP found 1 candidate key but
then failed to extract the public key from that?
(@Tim: And I still don't know whether that message refers to a key
from the SAML protocol message or from locally configured metadata.)

At least I would want to have a look at the/any certificate/s SSP
fails to parse since that has always been what the error message was
about?

-peter

Tim van Dijen

Jun 30, 2021, 9:40:53 AM
to SimpleSAMLphp
The response will make a lot more sense in your log files, without the EncryptedData / CipherData jabber..
If you want to skip a few steps just to see if you can get it to work, just simply remove the certificate from the Encryption-tab in ADFS.

On Wednesday, 30 June 2021 at 15:36:08 UTC+2, n.ro...@gmail.com wrote:

Tim van Dijen

Jun 30, 2021, 9:43:46 AM
to SimpleSAMLphp
@Peter I'd have to check the code, but I'm pretty certain that's the stored metadata..

On Wednesday, 30 June 2021 at 15:40:53 UTC+2, Tim van Dijen wrote:

Tim van Dijen

Jun 30, 2021, 9:50:32 AM
to SimpleSAMLphp
I can confirm it's the stored metadata, so @Nicolas it seems something went wrong with converting the ADFS metadata to SimpleSAML-format..  I suggest you do this one more time to rule this out.

On Wednesday, 30 June 2021 at 15:43:46 UTC+2, Tim van Dijen wrote:
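Two checks that cover both the PEM-header question earlier in the thread and the suspected metadata-conversion problem, added here as an example (not code from the thread or from the SimpleSAMLphp project). A base64 DER certificate always begins with "MII" (it encodes 0x30 0x82, the outer SEQUENCE), so a value that starts with anything else, as the quoted 'X509Certificate' values do, cannot decode to a certificate; the checker reports that, and also catches PEM headers left in the metadata value, a truncated paste, and a saml.crt that holds a private key. All inputs in the demo are constructed.

```python
"""Check the key material behind 'Unable to extract public key'.

Added example for this thread, not SimpleSAMLphp project code. Two checks that
match the failure modes discussed: a PEM file whose BEGIN/END label does not
fit its role (saml.crt must hold a CERTIFICATE, saml.pem a private key), and
an 'X509Certificate' value in saml20-idp-remote.php that is not the bare
base64 DER of a certificate. Standard library only.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
ROLE_LABELS = {
    "certificate": {"CERTIFICATE"},
    "privatekey": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}


def pem_labels(pem_text: str) -> List[str]:
    """BEGIN/END labels found in a PEM file, e.g. ['CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_pem_role(pem_text: str, role: str) -> Optional[str]:
    """role is 'certificate' (the 'certificate' option) or 'privatekey'.
    Returns None when the file fits its role, otherwise a description of the problem."""
    labels = pem_labels(pem_text)
    if not labels:
        return "no PEM headers found (binary DER, empty file, or not PEM at all)"
    wrong = [label for label in labels if label not in ROLE_LABELS[role]]
    if wrong:
        return f"expected a {role} but the file contains {', '.join(wrong)}"
    return None


def _der_sequence_lengths(der: bytes) -> Optional[Tuple[int, int]]:
    """(header_len, claimed_content_len) of the outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2, der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_metadata_cert(value: str) -> Optional[str]:
    """Check one 'X509Certificate' => '...' value as stored in saml20-idp-remote.php.
    Returns None when it is the complete base64 DER of one SEQUENCE, else the problem."""
    if "-----BEGIN" in value:
        return "PEM headers present; the metadata value must be the bare base64 body"
    b64 = re.sub(r"\s+", "", value)
    if not b64.startswith("MII"):
        # 0x30 0x82 <len> (a SEQUENCE of 256..16383 bytes, i.e. any real certificate)
        # always base64-encodes to 'MII'; anything in front of it is paste debris.
        idx = b64.find("MII")
        return (f"{idx} stray characters before 'MII'" if idx > 0
                else "value does not start with 'MII', so it is not a DER certificate")
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        return f"base64 decode failed: {exc}"
    lengths = _der_sequence_lengths(der)
    if lengths is None:
        return "decoded bytes are not a DER SEQUENCE"
    header, claimed = lengths
    actual = len(der) - header
    if actual < claimed:
        return f"truncated: SEQUENCE claims {claimed} content bytes, only {actual} present"
    if actual > claimed:
        return f"{actual - claimed} trailing bytes after the SEQUENCE"
    return None


def constructed_cert_b64(content_len: int = 300, extra: int = 0) -> str:
    """Base64 of a dummy DER SEQUENCE the size of a real certificate, plus 'extra'
    trailing bytes. Constructed test input only: it is not a certificate."""
    der = b"\x30\x82" + content_len.to_bytes(2, "big") + b"\x00" * (content_len + extra)
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: a private key where a certificate
    # belongs, and a metadata value with characters pasted in front of 'MII'.
    key_pem = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
    print("saml.crt:", check_pem_role(key_pem, "certificate"))
    good = constructed_cert_b64()
    print("clean value:", check_metadata_cert(good))
    print("pasted value:", check_metadata_cert("NqR7CeqSv9Y" + good))
    print("truncated:", check_metadata_cert(good[:-40]))
```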

Nicolas Roggli

Jun 30, 2021, 9:53:12 AM
to SimpleSAMLphp
You mean converting the idp xml metadata to php config, right?

Tim van Dijen

Jun 30, 2021, 9:54:47 AM
to SimpleSAMLphp
Correct.. I think maybe something went wrong with copy-pasting or something...

On Wednesday, 30 June 2021 at 15:53:12 UTC+2, n.ro...@gmail.com wrote:

Peter Schober

Jun 30, 2021, 9:59:01 AM
to SimpleSAMLphp
* Nicolas Roggli <n.ro...@gmail.com> [2021-06-30 11:31]:
> this is what I have:
>
> 'keys' => [
> [
> 'encryption' => true,
> 'signing' => false,
> 'type' => 'X509Certificate',
> 'X509Certificate' => 'NqR7CeqSv9YMIIG.......more
> ],
> [
> 'encryption' => false,
> 'signing' => true,
> 'type' => 'X509Certificate',
> 'X509Certificate' => 'NqR7CeqSv9YMIIG.......more

If that's from the IDP metadata your SSP uses for the failing MS-ADFS
IDP please post the complete certificate content.

-peter

Nicolas Roggli

Jun 30, 2021, 10:04:16 AM
to SimpleSAMLphp
yes, here's the complete output:

  'contacts' => 
  array (
    0 => 
    array (
      'contactType' => 'support',
      'givenName' => 'Windows',
      'surName' => 'Team',
      'emailAddress' => 
      array (
        0 => 'W...@AAAC.CC',
      ),
      'telephoneNumber' => 
      array (
        0 => 'XXXXXXXXXXXXXXX',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://adfs.unige.ch/adfs/ls/',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://adfs.unige.ch/adfs/ls/',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://adfs.unige.ch/adfs/ls/',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://adfs.unige.ch/adfs/ls/',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
      'index' => 0,
    ),
  ),
  'NameIDFormats' => 
  array (
    0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    1 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    2 => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => '...',
    ),
    1 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '...',
    ),
  ),
);

Nicolas Roggli

Jun 30, 2021, 10:10:35 AM
to SimpleSAMLphp
Here's the complete log of the attempt

Jun 30 16:06:59 simplesamlphp DEBUG [9f42accd3a] Session: 'lsss-staging' not valid because we are not authenticated.
Jun 30 16:06:59 simplesamlphp DEBUG [9f42accd3a] Saved state: '_50b1df25381560d1f1e07c36eacb3da0caa828550c'
Jun 30 16:06:59 simplesamlphp DEBUG [9f42accd3a] Sending SAML 2 AuthnRequest to 'http://adfs.unige.ch/adfs/services/trust'
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] Sending message:
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_50b1df25381560d1f1e07c36eacb3da0caa828550c" Version="2.0" IssueInstant="2021-06-30T14:06:59Z" Destination="https://adfs.unige.ch/adfs/ls/" AssertionConsumerServiceURL="https://lsbioweb1.unige.ch/simplesaml/module.php/saml/sp/saml2-acs.php/lsss-staging" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]   <saml:Issuer>https://staging.lsss.unige.ch</saml:Issuer>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] </samlp:AuthnRequest>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] Received message:
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_b725356c-2918-42a0-b49a-035953fa9984" Version="2.0" IssueInstant="2021-06-30T14:07:00.009Z" Destination="https://lsbioweb1.unige.ch/simplesaml/module.php/saml/sp/saml2-acs.php/lsss-staging" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_50b1df25381560d1f1e07c36eacb3da0caa828550c">
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.unige.ch/adfs/services/trust</Issuer>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]   <samlp:Status>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]   </samlp:Status>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]           <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]           </e:EncryptionMethod>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]           <KeyInfo>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]               <ds:X509IssuerSerial>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]                 <ds:X509IssuerName>E=myemail, CN=lsbioweb1.unige.ch, OU=BIMOL, O=UNIGE, L=Geneva, S=GE, C=CH</ds:X509IssuerName>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]                 <ds:X509SerialNumber>17296898115108749936</ds:X509SerialNumber>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]               </ds:X509IssuerSerial>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]             </ds:X509Data>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]           </KeyInfo>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]           <e:CipherData>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]             <e:CipherValue>wwxgEQxNK4u8v/u1TZ1YKq3UvAoURGZuaRtPr7GiCq3ZSL2ZLKEZE7WaGo3Lykagd8asz2cQX5KviFhXA0Gz9DR+0JvadTrw4+t5fkAj1UzkimSASNdLusmlwalAf3ggBjR6zQJ+1DYQCMisPrZrZfU+bytkz+JJwcHgay+QbW/LtoVA9ynaMswq4D1oMlYrqbdMbc2yURstTUkWOZo2O/iUq+ZWbcq+eZOasxsdrtwnE0VW0ueH1AmUTFgmWuQD7jK8kGNDdONYsCKEDrDoTmfBM179T5zbNtIsaXfqDaWuX8ELTPhFeUUreMgR3vLOBu/wMPgsttHipRZE3FLl0A==</e:CipherValue>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]           </e:CipherData>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]         </e:EncryptedKey>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]       </KeyInfo>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]       <xenc:CipherData>
0Pi3cVM4YDhdZC5xlNhkR4uwpT+JezD3DWFUMLHjO11hlmdGYe373kPWBfJvHKXIrL/d4cA9MMBEn1OY+iwjMU/mi1p87Au/Y3GH6/iYw1zswtG0TFtab5h4ggISHZv8WG3rW/sxoSE7zxEH1WejstgRVIs3QR9aiSVwKryo8U552CpPDrcwYX5dD7YqeFHHSmOkgcOdNKgQWWcJjn2FOYxHtmv5ZP2qk6SlxFnxwt4NsYtw7mMRxdw8jDms7RPkSZaVzq1qDaXNvklUGwbTozB9sOhmK/wEbaj/36FKOpEj8n3b5EvdaSPz0u2SL6P9ffnWJce83HwdH6iihwJWCRqDqkPFRe8ta7hC1yv+wXOOykCdmjqzJh3l16j7eXjFC3i6Tpktd8DlN1HwwqBcIdTeCtGh6AutSXEh/PeJHzmgpiSkL78upd1QBKy6m//jisw6CptFHhBxQwhRcq9lh1q72xy78FmMEzOKQknTmZzdV5SQEUybMX4YKX/a2FBbY6ficyc2sesLFRjUw9YCCoY1VdF5qbwulq2aPUXDOUh8ugzUQIRXOaSD4+kts5xnuk9HLmbaI/tVybFFEPHe9o/NgvD9ExJ4fnvYGF0GqgXvVw3mrziqMghL7bCqduMax7Br6KyROSOC+BUCllOTyQIdtEl02ZZELrcdi6If/idElcO8bb9SKa++Xk1XtPlHWExckmdnDUEe6ViJza1KwcLDdBhFu1yVfYStVgXd4bBDsNUuQg4CM+wnZ/t3tvIBAnf2Yw4KIO85a3ceYFOI+tyAnWLV72T9ij8fPLO4yuRLmQ5iHdrG+OJ2NIZptoRMaGfDVCmndclbIp/6A5FKKQzUORb</xenc:CipherValue>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]       </xenc:CipherData>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]     </xenc:EncryptedData>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a]   </EncryptedAssertion>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] </samlp:Response>
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] Loading state: '_50b1df25381560d1f1e07c36eacb3da0caa828550c'
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] Received SAML2 Response from 'http://adfs.unige.ch/adfs/services/trust'.
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] Has 1 candidate keys for validation.
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] Backtrace:
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] 1 /var/simplesamlphp/www/_include.php:17 (SimpleSAML_exception_handler)
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] 0 [builtin] (N/A)
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] Caused by: Exception: Unable to extract public key
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] Backtrace:
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] 5 /var/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:381 (RobRichards\XMLSecLibs\XMLSecurityKey::loadKey)
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] 4 /var/simplesamlphp/modules/saml/lib/Message.php:226 (SimpleSAML\Module\saml\Message::checkSign)
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] 3 /var/simplesamlphp/modules/saml/lib/Message.php:646 (SimpleSAML\Module\saml\Message::processResponse)
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] 2 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:145 (require)
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] 1 /var/simplesamlphp/lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] 0 /var/simplesamlphp/www/module.php:10 (N/A)
Jun 30 16:07:00 simplesamlphp ERROR [9f42accd3a] Error report with id 866baf9b generated.
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] Session: Valid session found with 'admin'.
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] Localization: using old system
Jun 30 16:07:00 simplesamlphp DEBUG [9f42accd3a] Translate: Reading dictionary [/var/simplesamlphp/dictionaries/errors]

Peter Schober

Jun 30, 2021, 10:21:46 AM
to SimpleSAMLphp
* Nicolas Roggli <n.ro...@gmail.com> [2021-06-30 16:04]:
> 'X509Certificate' =>
> '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',

Putting that into a file, rewrapping it after 64 lines (for good
measure) and adding the PEM header and footer openssl cannot parse
this (as expected):

$ openssl x509 -noout -in file.crt
unable to load certificate
140123598652544:error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode:../crypto/pem/pem_lib.c:929:

I.e., the certificate in the metadata you have on disk is broken.

(If the log message had made it clear this was about the cert
in metadata it would have spared the writing of 3 dozen emails today.)

-peter

Peter Schober

Jun 30, 2021, 10:28:23 AM
to SimpleSAMLphp
* Peter Schober <peter....@univie.ac.at> [2021-06-30 16:21]:
> Putting that into a file, rewrapping it after 64 lines (for good measure)

s/lines/chars/

-peter

Nicolas Roggli

Jun 30, 2021, 10:37:13 AM
to SimpleSAMLphp
damn, sorry about that,

So this comes from the idp or did I screw something?

Tim van Dijen

Jun 30, 2021, 10:44:42 AM
to SimpleSAMLphp
I have come to the same conclusion as Peter.. Something is wrong with that certificate..
I could pull the metadata from your ADFS and check the certificates.. They closely resemble each other, but they do not match..

1. So, as per the earlier suggestion: pull your ADFS metadata again from https://adfs.unige.ch/FederationMetadata/2007-06/FederationMetadata.xml
2. Run it through the SSP metadata converter
3. Save the output in metadata/saml20-idp-remote.php

@peter Feedback from the xmlseclibs-library is zero to none, which is why, as you may or may not know, we have been working on a rewrite of that library within our own control. Since resources are so slim today, I'm not sure if it will make it into SSP 2.0, but know we are working on this.. It should provide much better feedback on errors.

On Wednesday, June 30, 2021 at 16:28:23 UTC+2, Peter Schober wrote:

Peter Schober

Jun 30, 2021, 10:52:33 AM
to SimpleSAMLphp
* Tim van Dijen <tvd...@gmail.com> [2021-06-30 16:44]:
> @peter Feedback from the xmlseclibs-library is zero to none, which is why,
> as you may or may not know, we have been working on a rewrite of that
> library within our own control. Since resources are so slim today, I'm not
> sure if it will make it into SSP 2.0, but know we are working on this.. It
> should provide much better feedback on errors.

ACK and that would be much appreciated *but* in this case it's SSP
code that could log the context before/when it's calling out to
xmlseclibs, no (whether it's looking at a cert in metadata or
something received in a SAML protocol message).

-peter

Peter Schober

Jun 30, 2021, 10:58:58 AM
to SimpleSAMLphp
* Tim van Dijen <tvd...@gmail.com> [2021-06-30 16:44]:
> I could pull the metadata from your ADFS and check the
> certificates.. They are close resemblance, but they do not match..

Right, I forgot that we had established the actual IDP identity and
that it publishes its metadata... Indeed, the cert as stored in SSP is
missing the string "3jkls" in the middle somewhere, otherwise they are
identical.

(And no, I can't come up with an explanation how that would happen,
but clearly they're not identical so the only possible cause -- other
than PEBKAC -- would be in the metadata converter and that seems
somewhat unlikely given the number of uses that code will see.)

-peter
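For anyone who lands on this thread with the same error: the two checks Peter did by hand above (wrap the bare base64 from saml20-idp-remote.php into a PEM file and see whether it parses, then compare it with the cert the IdP actually publishes in its FederationMetadata) can be scripted. The snippet below is an added illustration written for this thread, not code from SimpleSAMLphp or xmlseclibs. It uses only the Python standard library, so the "does it parse" step is a structural check (strict base64 decode plus the outer DER SEQUENCE length), which is enough to catch a few dropped characters like the missing "3jkls"; `openssl x509 -noout -in file.crt` remains the authoritative test. The metadata document and the DER blob are constructed sample data, not a real certificate or a real IdP.

```python
"""Check the X509Certificate value SimpleSAMLphp has on disk against the IdP's
published metadata.  Hypothetical helper written for this thread; the sample
metadata and DER blob below are constructed, not a real certificate."""
import base64
import binascii
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def normalize_b64(value: str) -> str:
    """Drop whitespace/newlines that a browser's XML viewer or an editor may have inserted."""
    return re.sub(r"\s+", "", value)


def to_pem(b64: str) -> str:
    """Wrap the bare base64 at 64 characters and add the PEM armour, as done by hand above."""
    body = "\n".join(textwrap.wrap(normalize_b64(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def check_der_certificate(b64: str) -> tuple[bool, str]:
    """Stdlib-only structural check: does the base64 decode strictly, and does the
    outer DER SEQUENCE length match the number of bytes decoded?  Dropped
    characters fail one of these two checks.  Not a substitute for openssl."""
    b64 = normalize_b64(b64)
    if len(b64) % 4:
        return False, f"base64 length {len(b64)} is not a multiple of 4 (characters missing?)"
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        return False, f"bad base64 decode: {exc}"
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded data does not start with a DER SEQUENCE (0x30)"
    first = der[1]
    if first < 0x80:                       # short-form length byte
        header, length = 2, first
    else:                                  # long form: next (first & 0x7f) bytes hold the length
        n = first & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        return False, f"DER says {header + length} bytes but {len(der)} were decoded"
    return True, "base64 decodes to a well-formed outer DER SEQUENCE"


def signing_certs_from_metadata(xml_text: str) -> list[str]:
    """Normalized base64 of every signing-capable X509Certificate in SAML metadata
    (KeyDescriptor with use="signing" or with no use attribute)."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(normalize_b64(cert.text or ""))
    return certs


def compare_with_published(stored_b64: str, metadata_xml: str) -> dict:
    """Compare the cert SSP has on disk with what the IdP publishes; on mismatch,
    report where the stored copy first diverges from the closest published cert."""
    stored = normalize_b64(stored_b64)
    published = signing_certs_from_metadata(metadata_xml)
    if stored in published:
        return {"matches": True, "first_difference": None, "length_delta": 0}
    best = min(published, key=lambda p: abs(len(p) - len(stored)), default="")
    idx = next((i for i, (a, b) in enumerate(zip(stored, best)) if a != b),
               min(len(stored), len(best)))
    return {"matches": False, "first_difference": idx, "length_delta": len(stored) - len(best)}


# --- constructed sample data (not a real certificate or IdP) ---------------
_BODY = bytes(range(256)) + bytes(44)               # 300-byte payload
GOOD_DER = b"\x30\x82\x01\x2c" + _BODY              # SEQUENCE, long-form length 300
GOOD_B64 = base64.b64encode(GOOD_DER).decode()
MISSING_FIVE = GOOD_B64[:200] + GOOD_B64[205:]      # five chars dropped mid-string
MISSING_FOUR = GOOD_B64[:200] + GOOD_B64[204:]      # still valid base64, wrong DER length
WRAPPED = "\n".join(textwrap.wrap(GOOD_B64, 64))    # as a browser viewer would render it

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{WRAPPED}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, value in (("intact", GOOD_B64), ("5 missing", MISSING_FIVE), ("4 missing", MISSING_FOUR)):
        print(label, check_der_certificate(value), compare_with_published(value, SAMPLE_METADATA))
```

To use it against a real deployment, paste the `'X509Certificate' => '...'` value from metadata/saml20-idp-remote.php as `stored_b64` and the FederationMetadata.xml fetched with curl (not copied out of a browser window) as `metadata_xml`; `to_pem()` gives you the file to hand to openssl for the definitive answer.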

Tim van Dijen

Jun 30, 2021, 10:59:39 AM
to SimpleSAMLphp
@Peter At this point I think SSP doesn't consider the certificates in messages at all... Simply because the current saml2-library only implements a minor part of the ds/xenc structures.
For our new xmlsec/saml2 lib we intend to implement every single element from the spec. I'd say it's 80% ready, but the entire API has changed.. That's why I hope to finish it ASAP, so we can include it in SSP 2.0
There's much to be improved, but I kinda refuse to put a lot of time and effort in code that's been there for over a decade.. We have to pick our battles!~

Another fun fact that some people on this list may or may not know is that SimpleSAMLphp was adopted as a project by the Commons Conservancy and we have an actual board today that should be able to pull a few strings and raise some funds / gather some dev resources.
I'm motivated to get this project back up to 2021 standards!

On Wednesday, June 30, 2021 at 16:52:33 UTC+2, Peter Schober wrote:

Tim van Dijen

Jun 30, 2021, 11:01:34 AM
to SimpleSAMLphp
Hard to say.. Even if your ADFS metadata was old, it shouldn't have an issue parsing the certificates..
Be advised that refreshing the ADFS metadata is a periodical event, based on the certificate lifetime of the ADFS certificates. Usually yearly / bi-yearly, based on your corporate policy.

On Wednesday, June 30, 2021 at 16:37:13 UTC+2, n.ro...@gmail.com wrote:

Nicolas Roggli

Jun 30, 2021, 11:06:23 AM
to SimpleSAMLphp
You guys rock!

I got it to work now. The difference, from my side, is that I curled the xml and uploaded the file to the converter, instead of copy-pasting the xml into the form.

Thank you again for your help, and your time

Nicolas

Tim van Dijen

Jun 30, 2021, 11:24:02 AM
to SimpleSAMLphp
My guess, and this happens a lot, is that you tried to copy-paste the metadata from IE/Edge into the metadata converter....
If you open an xml in a browser, just save it to disk before you do anything with it.. Some browsers will parse the xml, and copy-pasting the parsed xml will break stuff.
Glad we could help!

On Wednesday, June 30, 2021 at 17:06:23 UTC+2, n.ro...@gmail.com wrote: