simpleSAMLphp SP with a Shibboleth2.0 IDP


Nuno Gonçalves

Dec 19, 2008, 6:00:44 AM12/19/08
to simple...@googlegroups.com
Hello all,

Trying to setup a simpleSAMLphp (SP SAML2) to speak with a
Shibboleth2.0 IDP through a Discovery Service.

Noticed that the simpleSAMLphp SP sends a request like this to the
Discovery Service which is php based (switch version that supports
saml2):

https://wayf_url/DS/?SAMLRequest=jVJNj9MwED0nvyLyvXG%2BWjZWW6m0WlFpWaJt4cAFTZMJtZQ4wTPpsv8eJ0u1cKBC9mk87817b7wkaJtebQY%2Bmyf8MSBx4Hs%2F28aQmp5WYrBGdUCalIEWSXGpDpuPDyoJI9Xbjruya0TwBrmNACK0rDsjfG%2B%2FW4lvixzzOkvxBFldzcs8TbMoTt%2FlVb2I51mUANyV%2BfyUZokIvqAlB10JxzTiiQbcG2Iw7GpRdDeLk1mcH%2BNIpQt3v4rgvrMlTvZWooaGUAR7KpwKfcFrxfd2zrc2wBP5mbknJeUzvNRhXZYm7FllWSbvt9tHsO44RPHb%2BXttKm2%2B3zZ9em0i9eF4LGbFp8PRMWyuSWw7Q0OL9oD2okv8%2FPTwpkFXfYjVxWkLDbIEZ0SOISeSevkvhrA%2F92Lte8uxU00p2WD9X5QtMlTAMFIs5R%2F4K12vHp29%2Fa7oGl2%2B%2BJ7nAm6Bb%2FsfK7qa1VOrYguGNBp2IXibpumetxaB3TrYDm4%2F0s3yX4f%2F%2FTPX%2Fi8%3D&RelayState=https%3A%2F%2Fidp.url.pt%2Fauth%2Fexample-simple%2Fsaml2-example.php

This is the request that a Shibboleth2 SP send to the DS:
https://wayf_url/DS/?entityID=https%3A%2F%2Fidp.url.pt&return=https%3A%2F%2Fsp.fccn.pt%2FShibboleth.sso%2FDS%3FSAMLDS%3D1%26target%3Dcookie

Therefore, when the simpleSAMLphp SP's request arrives at the WAYF, it
says that it is missing some variables. I can notice that the entityID and the
return variable are missing.
But of course I'm using the SWITCH PHP WAYF, which might not work with
simpleSAMLphp; this is the first time I am trying it.
Anyway if simpleSAMLphp has a wayf mechanism that can use shibboleth
IDPs, it might be a better solution.

I think it probably might be a misconfiguration on the simpleSAMLphp
SP on my side, as I am really a newbie to simpleSAMLphp and I don't
know if the request that simpleSAMLphp sends might be different if
properly configured.

Got the following scenarios working:

Shib2.0 SP - DS - simpleSAMLidp
SimpleSAMLphp SP - wayf - Shib1.3 idp
SimpleSAMLphp SP - SimpleSAMLphp idp

Now I am trying to accomplish the following scenarios:

simpleSAMLphp Service Provider (SAML2) - DS/WAYF - Shibboleth 2.0
Identity Provider (SAML2)
simpleSAMLphp Service Provider (SAML2) - DS/WAYF - simpleSAMLphp
Identity Provider (SAML2)

Any link to WAYF/DS documentation will be really appreciated

thanks for your time and patience


Nuno Gonçalves

Andreas Åkre Solberg

Dec 19, 2008, 5:36:33 PM12/19/08
to simple...@googlegroups.com
On 19 Dec 2008, at 12:00, Nuno Gonçalves wrote:

> Hello all,
>
> Trying to setup a simpleSAMLphp (SP SAML2) to speak with a
> Shibboleth2.0 IDP through a Discovery Service.

Important: in SAML 2.0 it's not "through". A separate message exchange is performed between the SP and the disco service before the request is sent to the IdP.

> Noticed that the simpleSAMLphp SP sends a request like this to the
> Discovery Service which is php based (switch version that supports
> saml2):

Then something is misconfigured. The message below is an AuthnRequest, which is sent to the IdP and not to the disco service.

To configure the WAYF, look in config.php for the following setting:
'idpdisco.url.saml20' => 'https://wayf_url/DS/',

To enable the use of the disco service configured above, set the default IdP to be null:
'default-saml20-idp' => null,

> Anyway if simpleSAMLphp has a wayf mechanism that can use shibboleth
> IDPs, it might be a better solution.

Yes, simpleSAMLphp has a built-in discovery service. That is enabled by setting both parameters to null:
'idpdisco.url.saml20' => 'https://wayf_url/DS/',
'default-saml20-idp' => null,

Then the disco service presents all the IdPs that are configured. To automatically download and trust metadata from a Shibboleth federation, you should enable the metarefresh module. This is not well documented yet, but let us know when you are ready, then we may send you some notes about this.

Merry Christmas,

Andreas


-- 
Andreas Åkre Solberg 
=andreas
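The distinction Andreas draws above (the discovery exchange is separate from, and precedes, the AuthnRequest) is easier to see in code. The following is an added illustration of the SAML 2.0 Identity Provider Discovery Protocol from the SP's side, not code from simpleSAMLphp or from anyone in this thread. It is written in Python rather than PHP so it can be run stand-alone; the entityIDs, return URL and trusted-IdP table are constructed placeholders (wayf_url and idp.url.pt echo the placeholders used in the thread). Step 1 builds the redirect to the discovery service, which carries `entityID`, `return` and `returnIDParam` and no SAMLRequest; step 2 models what a conformant DS sends back; step 3 is the SP-side check that the chosen IdP is one the SP actually trusts before an AuthnRequest for it is built.

```python
"""SAML 2.0 IdP Discovery Protocol, modelled end to end (added example)."""
from urllib.parse import urlencode, urlsplit, parse_qs, urlunsplit

# Constructed values for the example; not real deployments.
DS_URL = "https://wayf_url/DS/"
SP_ENTITY_ID = "https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp"
SP_RETURN_URL = "https://sp.example.org/simplesaml/module.php/saml/disco"
RETURN_ID_PARAM = "entityID"

# IdPs the SP knows from its own metadata store (constructed): entityID -> SSO endpoint.
TRUSTED_IDPS = {
    "https://idp.url.pt/idp/shibboleth": "https://idp.url.pt/idp/profile/SAML2/Redirect/SSO",
    "https://idp.example.edu/idp": "https://idp.example.edu/idp/sso",
}

# Return endpoints the DS has registered for each SP (constructed). A DS must
# only send the browser back to a URL it knows belongs to the requesting SP.
DS_REGISTERED_RETURN_URLS = {SP_ENTITY_ID: {SP_RETURN_URL}}


def build_discovery_request(ds_url, sp_entity_id, return_url,
                            return_id_param=RETURN_ID_PARAM, is_passive=False):
    """Step 1: SP -> DS redirect. Note there is no SAMLRequest parameter here;
    the AuthnRequest is only built after the IdP has been chosen."""
    params = {"entityID": sp_entity_id, "return": return_url,
              "returnIDParam": return_id_param}
    if is_passive:
        params["isPassive"] = "true"
    return f"{ds_url}?{urlencode(params)}"


def discovery_service_response(request_url, chosen_idp):
    """Step 2: what a conformant DS does once the user picks an IdP: append the
    chosen entityID to the SP's return URL, after checking that return URL is
    one registered for the requesting SP (an open-redirect guard)."""
    qs = parse_qs(urlsplit(request_url).query)
    sp_entity_id = qs["entityID"][0]
    return_url = qs["return"][0]
    ret = urlsplit(return_url)
    bare_return = urlunsplit(ret._replace(query="", fragment=""))
    if bare_return not in DS_REGISTERED_RETURN_URLS.get(sp_entity_id, set()):
        raise ValueError("return URL is not registered for this SP")
    param = qs.get("returnIDParam", ["entityID"])[0]
    extra = parse_qs(ret.query)
    extra[param] = [chosen_idp]
    return urlunsplit(ret._replace(query=urlencode(extra, doseq=True)))


def handle_discovery_response(response_url, expected_return_url, trusted_idps):
    """Step 3: SP side. Returns (entityID, SSO endpoint) for the selected IdP.
    The entityID comes from the browser, so it is untrusted input: only an IdP
    present in the SP's metadata store may receive an AuthnRequest."""
    parts = urlsplit(response_url)
    exp = urlsplit(expected_return_url)
    if (parts.scheme, parts.netloc, parts.path) != (exp.scheme, exp.netloc, exp.path):
        raise ValueError("discovery response arrived at an unexpected return URL")
    chosen = parse_qs(parts.query).get(RETURN_ID_PARAM, [])
    if len(chosen) != 1:
        raise ValueError("discovery response must carry exactly one entityID")
    entity_id = chosen[0]
    if entity_id not in trusted_idps:
        raise ValueError(f"IdP not in trusted metadata: {entity_id}")
    return entity_id, trusted_idps[entity_id]


if __name__ == "__main__":
    req = build_discovery_request(DS_URL, SP_ENTITY_ID, SP_RETURN_URL)
    print("SP -> DS :", req)
    resp = discovery_service_response(req, "https://idp.url.pt/idp/shibboleth")
    print("DS -> SP :", resp)
    print("AuthnRequest goes to:", handle_discovery_response(resp, SP_RETURN_URL, TRUSTED_IDPS))
```

The shape of the step 1 URL matches the Shibboleth SP request quoted at the top of the thread (`entityID=...&return=...`), which is why the SWITCH WAYF complained that those variables were missing when it received an AuthnRequest instead.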



Nuno Gonçalves

Jan 28, 2009, 12:30:07 PM1/28/09
to simple...@googlegroups.com
Hi Andreas,

Hope that everything is fine with you.

Do you have any news about the metarefresh and cron modules on simpleSAMLphp in order to download a metadata file? Is there any documentation that we can look at?

The main idea is to download a federation metadata XML file from a server and process it at the simpleSAMLphp server.

thanks,
and best regards

Andreas Åkre Solberg

Jan 29, 2009, 2:47:27 AM1/29/09
to simple...@googlegroups.com

On 28 Jan 2009, at 18:30, Nuno Gonçalves wrote:

> Hope that everything is fine with you.
>
> Do you have any news about the metarefresh and cron module on
> simpleSAMLphp in order to download a metadata file ? Is there any
> documentation that we can look at ?

No official doc yet, only notes here and there.

But I'd be happy to help you out with this. I really need testers for
this functionality, because it's implemented but not much tested.

I'll write documentation as we progress. First I have some questions...

> The main idea is to download a federation metadata xml file from a
> server and processing it at the simplesamlphp server.

Great. Do you have this metadata document already? How is it
generated? are you joining a shibboleth federation? Is the metadata
document signed? Can you provide me with the URL to the metadata, and
then I can test if things work?
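Andreas's questions (is the metadata signed, how is it generated) are the ones that decide how much the SP can trust a downloaded federation feed. The following added example, not simpleSAMLphp's metarefresh module and not code from this thread, shows the processing step a metadata consumer performs once it has fetched a feed: it checks that the document is an EntitiesDescriptor, enforces the `validUntil` lifetime at both federation and entity level, and extracts each IdP's HTTP-Redirect SingleSignOnService endpoint into the kind of entityID-to-endpoint table an SP keeps. The sample metadata is constructed inline and, like the poster's, is hand-made and unsigned; it only borrows the idp.url.pt and sp.fccn.pt host names that appear in the thread.

```python
"""Consume a SAML 2.0 federation metadata feed (added example, stdlib only)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, unsigned sample feed: one IdP and one SP, federation-wide validUntil.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:example:federation" validUntil="2009-02-28T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.url.pt/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.url.pt/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.fccn.pt/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.fccn.pt/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_saml_datetime(value):
    """SAML metadata uses xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_idps_from_federation(xml_bytes, now_utc_iso):
    """Return {entityID: HTTP-Redirect SSO location} for every IdP still valid
    at now_utc_iso. Raises ValueError if the feed is the wrong shape or expired.

    Caveat: this performs no XML signature check. A signed feed must have its
    ds:Signature verified (for example with xmlsec) before any of this is
    trusted; an unsigned feed is trusted only as far as the TLS channel it was
    fetched over. For untrusted XML in production, parse with defusedxml rather
    than the stdlib parser, which does not limit entity expansion."""
    now = parse_saml_datetime(now_utc_iso)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        raise ValueError("feed is not an md:EntitiesDescriptor")
    fed_valid_until = root.get("validUntil")
    if fed_valid_until is None:
        raise ValueError("federation metadata carries no validUntil; refusing to cache it")
    if parse_saml_datetime(fed_valid_until) <= now:
        raise ValueError("federation metadata has expired")

    idps = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        # An entity may carry its own, shorter validUntil; honour it.
        own_valid_until = ed.get("validUntil")
        if own_valid_until is not None and parse_saml_datetime(own_valid_until) <= now:
            continue
        for sso in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
            if sso.get("Binding") == REDIRECT_BINDING:
                idps[ed.get("entityID")] = sso.get("Location")
    return idps


if __name__ == "__main__":
    for eid, loc in load_idps_from_federation(SAMPLE_METADATA, "2009-01-30T10:58:00Z").items():
        print(eid, "->", loc)
```

The SP entry in the feed is deliberately ignored: an SP only needs the IdP side of a federation, and keeping the consumed set minimal limits what a compromised or mistaken feed can change.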

Nuno Gonçalves

Jan 30, 2009, 4:58:35 AM1/30/09
to simple...@googlegroups.com
Hi Andreas,

We tested the cron and metarefresh modules and wrote two text files with the required steps, with some questions, and with some things that we are not sure are correct.

We made it work with a shibboleth metadata file on a simpleSAMLphp.

We are not signing metadata yet and it is generated by hand, although we are planning on using SWITCH's Resource Registry in order to do it in a more accurate way.
Just let us know what you think about it.

thanks for your help

best regards

Nuno
1 - enable_module_cron.txt
2 - enable_module_metarefresh.txt

Andreas Åkre Solberg

Mar 13, 2009, 1:20:13 PM3/13/09
to simple...@googlegroups.com

On 30 Jan 2009, at 10:58, Nuno Gonçalves wrote:

> we tested the modules cron and refresh metadata and wrote two text
> files with the required steps and with some questions as well as
> with some things that we are not sure if are correct .
>
> We made it work with a shibboleth metadata file on a simpleSAMLphp.
>
> We are not signing metatada yet and it is generated by hand.
> Although we are planing on using the switch's resource registry in
> order to do it in a more accurate way.
> Just let us know what you think about it.

Great! Thanks for the contribution. I added the text to this document:

https://rnd.feide.no/content/automated-metadata-distribution-with-simplesamlphp

I'll go through and make the document more complete later...
