SimpleSAML_Error_Error: UNHANDLEDEXCEPTION


Louis DeWeaver III

Jan 31, 2014, 8:54:03 AM
to simple...@googlegroups.com
I'm using simplesamlphp as the IDP

The SP has imported the metadata and now there is another error.
The SP has an SSO link where our users' sAMAccountName and password are entered
The user is then redirected to the simplesamlphp loginuserpass.php page where the sAMAccountName and password are entered again

Then the following error appears


Unhandled exception

An unhandled exception was thrown.
If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator: b31f326d9b

Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/www/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Failure Signing Data: error:0906A068:PEM routines:PEM_do_header:bad password read - 1
Backtrace:
19 /var/www/simplesamlphp/lib/xmlseclibs.php:503 (XMLSecurityKey::signOpenSSL)
18 /var/www/simplesamlphp/lib/xmlseclibs.php:542 (XMLSecurityKey::signData)
17 /var/www/simplesamlphp/lib/xmlseclibs.php:1217 (XMLSecurityDSig::signData)
16 /var/www/simplesamlphp/lib/xmlseclibs.php:1236 (XMLSecurityDSig::sign)
15 /var/www/simplesamlphp/lib/SAML2/Utils.php:345 (SAML2_Utils::insertSignature)
14 /var/www/simplesamlphp/lib/SAML2/Assertion.php:1102 (SAML2_Assertion::toXML)
13 /var/www/simplesamlphp/lib/SAML2/Response.php:76 (SAML2_Response::toUnsignedXML)
12 /var/www/simplesamlphp/lib/SAML2/Message.php:377 (SAML2_Message::toSignedXML)
11 /var/www/simplesamlphp/lib/SAML2/HTTPPost.php:27 (SAML2_HTTPPost::send)
10 /var/www/simplesamlphp/modules/saml/lib/IdP/SAML2.php:75 (sspmod_saml_IdP_SAML2::sendResponse)
9 [builtin] (call_user_func)
8 /var/www/simplesamlphp/lib/SimpleSAML/IdP.php:268 (SimpleSAML_IdP::postAuthProc)
7 /var/www/simplesamlphp/lib/SimpleSAML/IdP.php:312 (SimpleSAML_IdP::postAuth)
6 [builtin] (call_user_func)
5 /var/www/simplesamlphp/lib/SimpleSAML/Auth/Default.php:126 (SimpleSAML_Auth_Default::loginCompleted)
4 [builtin] (call_user_func)
3 /var/www/simplesamlphp/lib/SimpleSAML/Auth/Source.php:140 (SimpleSAML_Auth_Source::completeAuth)
2 /var/www/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:223 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /var/www/simplesamlphp/modules/core/www/loginuserpass.php:63 (require)
0 /var/www/simplesamlphp/www/module.php:135 (N/A)



Peter Schober

Jan 31, 2014, 9:25:17 AM
to simple...@googlegroups.com
* Louis DeWeaver III <ldewea...@gmail.com> [2014-01-31 14:54]:
> The SP has an SSO link where our users' sAMAccountName and password are entered
> The user is then redirected to the simplesamlphp loginuserpass.php page
> where the sAMAccountName and password are entered again

Wait, what? Subjects are entering their credentials at the SP and
"again" at the IDP?

> Caused by: Exception: Failure Signing Data: error:0906A068:PEM routines:PEM_do_header:bad password read - 1

I'm guessing the private key you supplied to SSP for securing SAML
messages is encrypted (i.e., has a password on it), and either you
supplied none or the wrong one or SSP doesn't support encrypted
private keys (I'd have to look at the documentation, but you can also
do that, of course).
In cases 1 and 2, well, supply the correct password. In case 3 you'd
need to remove the passphrase from the key, using any of gazillion
instructions available on the web.
-peter

Louis DeWeaver III

Jan 31, 2014, 9:37:30 AM
to simple...@googlegroups.com, peter....@univie.ac.at
I think maybe I do have the wrong key. Here is my saml20-idp-hosted.php file below:

<?php
/**
 * SAML 2.0 IdP configuration for simpleSAMLphp.
 *
 * See: https://rnd.feide.no/content/idp-hosted-metadata-reference
 */

$metadata['__DYNAMIC:1__'] = array(
        /*
         * The hostname of the server (VHOST) that will use this SAML entity.
         *
         * Can be '__DEFAULT__', to use this entry by default.
         */
        'host' => '__DEFAULT__',

        /* X.509 key and certificate. Relative to the cert directory. */
        'privatekey' => 'star.healthplus.org.pem',
        'certificate' => 'star.healthplus.org.crt',

        /*
         * Authentication source to use. Must be one that is configured in
         * 'config/authsources.php'.
         */
        'auth' => 'HPM-AUTH',

        /* Uncomment the following to use the uri NameFormat on attributes. */

        'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
        'authproc' => array(
                // Convert LDAP names to oids.
                100 => array('class' => 'core:AttributeMap', 'name2oid'),
        ),


);

Peter Schober

Jan 31, 2014, 9:42:37 AM
to simple...@googlegroups.com
* Louis DeWeaver III <ldewea...@gmail.com> [2014-01-31 15:37]:
> I think maybe I do have the wrong key. Here is my saml20-idp-hosted.php
> file below:
[...]
> /* X.509 key and certificate. Relative to the cert directory. */
> 'privatekey' => 'star.healthplus.org.pem',
> 'certificate' => 'star.healthplus.org.crt',

How do you imagine that would help others to determine whether that
key was (a) correct (for varying definitions of "correct") and (b)
encrypted/password-protected?
And *don't* post the content of your private key here (or anywhere
else)! Yes, we've had that before.
-peter

Louis DeWeaver III

Jan 31, 2014, 9:46:32 AM
to simple...@googlegroups.com, peter....@univie.ac.at
I'm new to this SSO, cut me a break. I'm not sure which PEM file to use or where to place it in my configuration so this works. I came on here for help, not to be talked down to.

Thijs Kinkhorst

Jan 31, 2014, 9:52:52 AM
to simple...@googlegroups.com, Louis DeWeaver III
On Friday 31 January 2014 15:46:32, Louis DeWeaver III wrote:
> I'm new to this SSO, cut me a break. I'm not sure which PEM file to use or
> where to place it in my configuration so this works. I came on here for
> help, not to be talked down to.

I will have to side with Peter on this: we understand that people may be new
to the concepts, but at some point we cannot decide what is "right" for their
setup, this is something they have to find out by reading up on the material
and understanding what's happening. Verifying whether your key is password
protected is not something that anyone can do remotely via a mailinglist,
regardless of how much they want to. So it doesn't help to ask. You need to
investigate this yourself.


--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • P.O. Box 90153, 5000 LE
Visiting address: Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl

Peter Schober

Jan 31, 2014, 9:59:02 AM
to simple...@googlegroups.com
* Louis DeWeaver III <ldewea...@gmail.com> [2014-01-31 15:46]:
> I'm new to this SSO, cut me a break. I'm not sure which PEM file to use or
> where to place it in my configuration so this works. I came on here for
> help, not to be talked down to.

Possibly contrary to your expectation that does not help in
determining whether that key is "correct" (or provide any new
technical information).

No one other than you can know what is the "right" key. It is the key
pair you use for/with your IDP, the public key portion of which you
give to relying parties (via SAML metadata or otherwise).

Try this on the command line (assuming Unix, otherwise open with
Notepad.exe and look for the word "ENCRYPTED" yourself):

$ fgrep ENCRYPTED *key*

If that produced output (or you find the word with Notepad.exe) your
private key is encrypted and you need to supply a password to SSP in
order to be able to use it, per the documentation[1].

If not, try

$ head -1 *key*

and make sure the output is:

-----BEGIN RSA PRIVATE KEY-----

If not try finding out what kind of file that is.
-peter

[1] option "privatekey_pass" as documented at
http://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted#section_1
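
A small shell check that automates the fgrep/head inspection above and also recognises the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form (an added example, not from this thread or the simpleSAMLphp project; the sample files it creates are constructed header-only stand-ins, not real keys):

```shell
#!/bin/sh
# pem_key_status FILE: classify a PEM private key by its header lines, the same
# thing the fgrep/head checks above look at, but covering both PEM encodings.
# Prints exactly one of:
#   encrypted-traditional  BEGIN RSA/EC PRIVATE KEY + "Proc-Type: 4,ENCRYPTED" on line 2
#   encrypted-pkcs8        BEGIN ENCRYPTED PRIVATE KEY (PKCS#8 form; ENCRYPTED on line 1)
#   unencrypted            a private key with neither marker (usable without privatekey_pass)
#   not-a-private-key      no private-key BEGIN line at all, e.g. a certificate
pem_key_status() {
    first=$(head -n 1 "$1")
    case "$first" in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo encrypted-pkcs8 ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----')
            # Traditional OpenSSL encryption is announced by a Proc-Type header right
            # after the BEGIN line; a plain key goes straight into the base64 body.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo encrypted-traditional
            else
                echo unencrypted
            fi ;;
        *)
            echo not-a-private-key ;;
    esac
}

# Constructed sample files: header lines plus a placeholder body, NOT real keys.
SAMPLES=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' \
    'MIIE...base64 body omitted...' '-----END RSA PRIVATE KEY-----' > "$SAMPLES/enc_traditional.pem"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIF...base64 body omitted...' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$SAMPLES/enc_pkcs8.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...base64 body omitted...' \
    '-----END RSA PRIVATE KEY-----' > "$SAMPLES/plain.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIID...base64 body omitted...' \
    '-----END CERTIFICATE-----' > "$SAMPLES/wrong_file.crt"

for f in "$SAMPLES"/*; do
    printf '%-22s %s\n' "$(basename "$f")" "$(pem_key_status "$f")"
done
# encrypted-* means SSP needs 'privatekey_pass' (or the passphrase removed from the key);
# not-a-private-key means 'privatekey' points at the wrong file, e.g. the .crt.
```

Both encrypted forms contain the word ENCRYPTED within the first two lines, which is why the plain fgrep above catches them too; the header check is only a quick triage, the definitive test is whether OpenSSL can load the key with the passphrase you configure.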

Peter Schober

Jan 31, 2014, 10:00:01 AM
to simple...@googlegroups.com
* Thijs Kinkhorst <th...@uvt.nl> [2014-01-31 15:53]:
> I will have to side with Peter on this

"On this"? You usually don't?!!! ;)
-peter

Jaime Pérez Crespo

Jan 31, 2014, 10:38:08 AM
to simple...@googlegroups.com
:-)

I must agree with Peter (and Thijs). In this mailing list we try to help everyone with their questions and doubts regarding simpleSAMLphp. Most of the time, however, questions have nothing to do with SSP specifically but with PHP / sysadmin / SSO issues, and in most cases, even those get answered. I can understand that when someone’s not familiar with a topic, it’s not easy to discern what’s the problem related to, so it’s difficult to ask the right questions in the right places.

Anyway, the minimum that anybody freely employing his time in helping others out would expect, is that questions are thrown here after a bit of self research, and at least, having read the documentation. A huge percentage of the questions placed in the list could perfectly be answered with lmgtfy.com. Everybody is welcome to come here for help, in the same way everybody is expected to do their part of the job.

That said, you shouldn’t take Peter’s words like that. He’s helping a lot of people here, and doing a great job. In a way, his tone might sound like he is losing patience, but he is just trying to be crystal clear and get to the point, so that you can find a solution to your problem as soon as possible.

Now, one final detail. I must agree with Peter (again), and remark that providing username and password in the SP is a terrible idea. It’s not necessary in any way, it ruins usability, and has really bad security consequences, defeating the whole purpose of what a single-sign-on system is meant for.

Have a nice weekend you all,

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Louis DeWeaver III

Jan 31, 2014, 11:04:40 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Thanks Peter, you have been a great help. I know I need to post my issues clearly so it's not just garbage; sorry if I offended anyone.

Louis DeWeaver III

Jan 31, 2014, 1:49:02 PM
to simple...@googlegroups.com
How is the metadata file generated on the system when you give an SP a URL like https://mycompany.org/simplesaml/saml2/idp/metadata.php? The reason I ask is because I had to change the certificate and private key file on the simplesamlphp server. Will this also update the change in metadata.php?

Peter Schober

Feb 1, 2014, 8:46:21 AM
to simple...@googlegroups.com
* Louis DeWeaver III <ldewea...@gmail.com> [2014-01-31 19:49]:
> How is the metadata file generated on the system when you give an SP a
> URL like https://mycompany.org/simplesaml/saml2/idp/metadata.php? The
> reason I ask is because I had to change the certificate and private key
> file on the simplesamlphp server. Will this also update the change in
> metadata.php?

Well, did it? You've changed the certificate in SSP configuration, did
that changed certificate also show up in metadata? You don't need
someone else to figure that out.

(To answer the general question: Yes, it should have changed
automatically. SSP generates the metadata automatically based on the
software configuration.)
-peter