Re: Anyone know how to resolve this SimpleSAMLphp error: “error no valid unique id attribute set in”?


Steve Moitozo II

Aug 28, 2012, 6:22:57 AM
to simple...@googlegroups.com
This error is coming from the Drupal simplesamlphp_auth module. It happens when the module is configured to use an attribute that is either not passed by the IdP or is not populated for the current user. You can use the SAML tracer add-on for Firefox to make sure the attribute you configured in the Drupal module is being populated. 

-S2
--
Steve Moitozo II

On Aug 27, 2012, at 3:20 PM, Don Vaillancourt <vaillanc...@gmail.com> wrote:

The error I'm getting is:

Exception: error in simplesamlphp_auth.module: no valid unique id attribute set in _simplesamlphp_auth_get_authname() (line 578 of C:\Zend\Apache2\drupal\sites\all\modules\contrib\simplesamlphp_auth\simplesamlphp_auth.module).

I've traced through the code and the only thing I can find which is relevant is the following web page; specifically section 4.5.

So I added the attributes section to the following entry in authsources.php on the SP.

'default-sp' => array(
    'saml:SP',
    'entityID' => NULL,
    'idp' => 'https://idp.aicpcu.org/simplesaml/saml2/idp/metadata.php',
    'discoURL' => NULL,
    // Attributes this SP requests from the IdP
    'attributes' => array(
        'eduPersonPrincipalName',
        'mail',
    ),
    'attributes.required' => array(
        'eduPersonPrincipalName',
    ),
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
),

But I'm still getting an error. Anyone have any ideas?


Mark Drummond

Oct 9, 2014, 5:59:08 PM
to simple...@googlegroups.com
Silly question ... how do we know the name of the attribute(s) simplesamlphp_auth is expecting? Troubleshooting a setup here. SAML Tracer isn't showing me anything obvious.

Shoaib Ali

Oct 9, 2014, 7:01:37 PM
to simple...@googlegroups.com
Mark, have you configured the simpleSAMLphp module in Drupal? You need to add the mail attribute where it asks for the unique identifier attribute. SAMLTracer will tell you all the attributes that are coming from the IdP. Please make sure you can see the mail attribute inside the XML shown by SAMLtracer.


Mark Drummond

Oct 9, 2014, 7:55:54 PM
to simple...@googlegroups.com, sho...@catalyst.net.nz
This is a dev/test configuration I've picked up from someone who is no longer with my organization, and we are SAML neophytes. I'm not sure of the complete current state of the simpleSAMLphp configuration. I've updated the IDP configuration data in saml20-idp-remote.php, and updated the 'idp' parameter in authsources.php to refer to the entityid name of the IDP in saml20-idp-remote.php:

authsources.php:

'default-sp' => array(
  'saml:SP',
  'idp' => 'AdvisorsIDP',
),

saml20-idp-remote.php:

$metadata['AdvisorsIDP'] = array (
  'entityid' => 'AdvisorsIDP',
  'contacts' =>
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' =>
  array (
.
.
.

Snipped for brevity. The rest is just the content from the conversion of the IDP XML data using the simpleSAMLphp converter.

I don't see any reference to the mail attribute, or any other attribute for that matter, in the GET or the POST. Using the authentication test feature in the simpleSAMLphp webUI, I can successfully authenticate but the "Your Attributes" section is completely blank.

I'm still poking away at this. I'll let you know if I find anything else.

Thx.

Mark Drummond

Oct 9, 2014, 8:19:04 PM
to simple...@googlegroups.com, sho...@catalyst.net.nz
Ok, learning as I go here. I'm all fixed up. The IDP was not sending any attributes back at all. I added a few common ones (mail, uid, cn) and authentication is working.

Thanks for your help!
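
Added example, not part of the original thread and not code from SimpleSAMLphp or the Drupal module: a small Python check that reads a captured base64 SAMLResponse (HTTP-POST binding) and separates the three cases seen above: the IdP releases no attributes at all, the configured unique id attribute is not passed, or it is passed but empty. The function names, the `unique_id_attr` parameter and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def released_attributes(saml_response_b64):
    """Map attribute Name -> non-empty values from a base64 HTTP-POST SAMLResponse."""
    # Diagnostic only: no signature validation; feed it responses you captured yourself.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def diagnose(saml_response_b64, unique_id_attr):
    """Return (status, released attribute names) for the configured unique id attribute."""
    attrs = released_attributes(saml_response_b64)
    if not attrs:
        status = "no-attributes"      # IdP released nothing at all
    elif unique_id_attr not in attrs:
        status = "missing"            # attribute not passed by the IdP
    elif not attrs[unique_id_attr]:
        status = "empty"              # passed, but not populated for this user
    else:
        status = "ok"
    return status, sorted(attrs)

def sample_response(attributes):
    """Constructed, unsigned Response; attributes is {name: [values]}."""
    body = "".join(
        '<saml:Attribute Name="%s">%s</saml:Attribute>' % (
            name, "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in vals))
        for name, vals in attributes.items())
    statement = "<saml:AttributeStatement>%s</saml:AttributeStatement>" % body if body else ""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           + statement + "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    cases = {"no attributes": {}, "mail only": {"mail": ["user@example.org"]},
             "empty uid": {"uid": [""], "mail": ["user@example.org"]}}
    for label, attributes in cases.items():
        print(label, diagnose(sample_response(attributes), "uid"))
```

The list of released names in the second tuple element shows exactly which attribute names the IdP sends, which is the value to enter as the unique identifier attribute on the SP side.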

Dick Visser

Oct 10, 2014, 4:29:12 AM
to simplesamlphp, sho...@catalyst.net.nz
Just remember to pick an appropriate attribute for use as identifier.
You might be tempted to use e-mail address, but realise that this
might not be so unique.
It all depends on the IdP, since you trust that to provide it. Maybe
uid is more suitable.

Dick Visser



--
Dick Visser
Sr. System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands