No attributes getting back from IDP


nate

Mar 22, 2015, 9:38:29 PM
to simple...@googlegroups.com
I have SimpleSAMLPhp configured as SP. It looks like I can connect to IdP successfully but I am not getting any attributes back from IdP.

Here is my authsources.php file with attributes. Please let me know why I am not getting the attributes from IdP even though I specified them. What am I doing wrong?

$config = array(
    'default-sp' => array(
        'saml:SP',
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',

        'attributes' => array(
            'email' => 'urn:oid:1.2.840.113549.1.9.1',
            'emailAddress' => 'urn:oid:1.2.840.113549.1.9.1',
            'employeeNumber' => 'urn:oid:2.16.840.1.113730.3.1.3',
        ),
    ),
);

I checked log file and I see the following error message.

simplesamlphp ERROR [79c08a746e] SimpleSAML_Error_NoState: NOSTATE
simplesamlphp ERROR [79c08a746e] Backtrace:
simplesamlphp ERROR [79c08a746e] 2 C:\simplesamlphp-1.13.2dev\lib\SimpleSAML\Auth\State.php:225 (SimpleSAML_Auth_State::loadState)



Jaime Perez Crespo

Mar 23, 2015, 5:07:17 AM
to simple...@googlegroups.com
Hi Nate,
That has nothing to do with attributes missing. If you get such an error in your logs, you will also get a nice exception message in the browser, not an empty attribute list.

You are not getting any attributes most likely because the IdP is not sending them. Use SAML tracer to check the assertions you receive from the IdP, and see if there’s any attributes in there. If not, you’ll need to contact the IdP and ask them why they are not sending you attributes.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost


Peter Schober

Mar 23, 2015, 6:05:59 AM
to simple...@googlegroups.com
* nate <nram...@gmail.com> [2015-03-23 02:38]:
> I checked log file and I see the following error message.
>
> simplesamlphp ERROR [79c08a746e] SimpleSAML_Error_NoState: NOSTATE

https://code.google.com/p/simplesamlphp/wiki/LostState

-peter

Thijs Kinkhorst

Mar 23, 2015, 6:29:04 AM
to simple...@googlegroups.com
It may be a good idea to move this to simplesamlphp.org as Google Code
is shutting down.


Cheers,
Thijs



Peter Schober

Mar 23, 2015, 7:19:15 AM
to simple...@googlegroups.com
* Thijs Kinkhorst <thijs.k...@surfnet.nl> [2015-03-23 11:29]:
I said this before
(e.g. https://groups.google.com/d/msg/simplesamlphp/i35IcFJNpr8/7F2fFEBqEr8J )
as I never understood why the answer to the most frequently asked
question and one of the main headaches for deployers of SimpleSAMLphp
wasn't part of the SSP documentation proper.
Maybe this will now trigger the necessary actions or do we need to
open an issue about this?
-peter

nate

Mar 26, 2015, 4:23:37 PM
to simple...@googlegroups.com
Jaime,

Thanks for the reply. I checked the assertions getting back from IDP using SAML Tracer. I see the following response from Tracer. Why is SimpleSAMLPhp not grabbing these attributes?

<samlp:Response ID="_6er4e9ed-t912-47e0-be3c-78b12345b322"
                Version="2.0"
                IssueInstant="2015-03-26T18:51:59.825Z"
                Destination="https://SPServerName/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo=""
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://IdpServername/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_1234adb2-1234-8844-9d9b-efa5b812345b"
               IssueInstant="2015-03-26T18:51:59.825Z"
               Version="2.0"
               xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
               >
        <Issuer>https://IdpServername/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

        </ds:Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">emaila...@company.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_12345ed1234417c884ee1234bdb4f8a123db12cb6f"
                                         NotOnOrAfter="2015-03-26T18:56:59.825Z"
                                         Recipient="https://SPServerName/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                                         />
            </SubjectConfirmation>
        </Subject>
    </Assertion>
</samlp:Response>

Peter Schober

Mar 26, 2015, 5:59:11 PM
to simple...@googlegroups.com
* nate <nram...@gmail.com> [2015-03-26 21:23]:
> Thanks for the reply. I checked the assertions getting back from IDP using
> SAML Tracer. I see the following response from Tracer. Why SimpleSAMLPhp is
> not grabbing these attributes?

Because there are no attributes there, as simple as that.
(Attributes come in <Attribute> elements, with <AttributeValue>
child elements. There are none.)

In case you're referring to the NameID sent, you can get that, too, as
per the documentation. SimpleSAMLphp home page -> Hosted SP
Configuration Reference -> search for "NameID":
https://simplesamlphp.org/docs/stable/saml:sp#section_3
"To retrieve these attributes, the application can use the
getAuthData()-function from the SP API."
Since per the docs you want "saml:sp:NameID" that makes it:
$nameid = $auth->getAuthData('saml:sp:NameID');
With $auth being an instance of your auth source object, as in
https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_1

> <Subject>
> <NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">emaila...@company.com</NameID>

That NameID (either the value or the Format or both) is bogus and
illegal, of course. Clearly an email address is not a transient value.
(Cf. https://en.wiktionary.org/wiki/transient )
If the Format is what is desired the value needs to be different.
If the value is what is desired, the format needs to be set to
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".

-peter
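To make Peter's two points concrete (attributes live only in Attribute/AttributeValue elements, and a transient NameID must not carry a stable email address), here is an added diagnostic script that is not part of the thread. It parses a constructed SAML Response with the same shape as the one Nate posted (signature omitted) and reports what the IdP actually sent.

```python
"""Inspect a SAML 2.0 Response the way SAML tracer shows it: list the attributes
the IdP actually sent and sanity-check the NameID Format against its value.
Added example, not code from the thread; SAMPLE_RESPONSE is a constructed sample."""
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample mirroring the posted response: success, a NameID, no attributes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://IdpServername/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-03-26T18:51:59.825Z">
    <saml:Issuer>https://IdpServername/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">user@company.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def extract_attributes(xml_text):
    """Return {Attribute Name: [values]} from every AttributeStatement.
    An empty dict means the IdP released nothing, whatever the SP config lists."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def check_nameid(xml_text):
    """Return (value, format, problem) for the Subject NameID; problem is None
    when the Format is consistent with the value."""
    nameid = ET.fromstring(xml_text).find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        return None, None, "no NameID in Subject"
    value, fmt = (nameid.text or "").strip(), nameid.get("Format")
    is_email = re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) is not None
    if fmt == TRANSIENT and is_email:
        return value, fmt, "transient Format but a stable email value; use " + EMAIL_FMT
    if fmt == EMAIL_FMT and not is_email:
        return value, fmt, "emailAddress Format but the value is not an email address"
    return value, fmt, None

if __name__ == "__main__":
    print("attributes:", extract_attributes(SAMPLE_RESPONSE))
    print("nameid:", check_nameid(SAMPLE_RESPONSE))
```

Paste the real response from SAML tracer in place of the sample; an empty attribute dict confirms the IdP, not the SP, is the place to fix.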

nate

Mar 27, 2015, 9:51:04 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Thank you Peter. I contacted IDP people about the Attributes. They said SP is not requesting any attributes. Here is SP metadata generated by SimpleSAMLPHP and sent to IDP. Do I have to request Attributes? Please let me know. I am not sure how to change this generated Metadata.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://SPServerName/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://SPServerName/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://SPServerName/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://SPServerName/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://SPServerName/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://SPServerName/simplesaml/module.php/saml/sp/saml1-acs.php/default-sp/artifact" index="3"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>emailA...@example.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

Peter Schober

Mar 28, 2015, 9:45:06 AM
to simple...@googlegroups.com
* nate <nram...@gmail.com> [2015-03-27 14:51]:
> Thank you Peter. I contacted IDP people about the Attributes. They said SP
> is not requesting any attributes. Here is SP metadata generated by
> SimpleSAMLPHP and sent to IDP. Do I have to to request Attributes?

Whether you have to request attributes by listing them in SAML
Metadata in order for the IDP to release any to you or not is not a
technical/software question this list can answer.
If you need attributes released from the IDP and the IDP is willing to
send them solely based on the fact that you request them in metadata,
well, why not do just that?
-peter
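What "requesting attributes in metadata" looks like on the wire is an AttributeConsumingService element with one RequestedAttribute per attribute, which the posted SP metadata does not contain. The added script below (not SimpleSAMLphp code) builds that element from the attribute map in Nate's authsources.php and, going the other way, lists which attribute Names a metadata document requests; as I read the saml:sp documentation, SimpleSAMLphp emits this element itself from the 'attributes' option once the SP's 'name' option is also set, so editing the generated XML by hand should not be necessary.

```python
"""Show what "requesting attributes in metadata" means: an
<md:AttributeConsumingService> with one RequestedAttribute per attribute.
Added example, not SimpleSAMLphp code; the attribute map is the posted one."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("md", MD)

# Friendly name -> SAML attribute Name (OID), as in the posted 'attributes' array.
REQUESTED = {"email": "urn:oid:1.2.840.113549.1.9.1",
             "employeeNumber": "urn:oid:2.16.840.1.113730.3.1.3"}

# Constructed, trimmed copy of the posted SP metadata: no AttributeConsumingService.
POSTED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://SPServerName/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://SPServerName/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def build_acs_xml(service_name, attributes, required=(), index=0):
    """Serialise an AttributeConsumingService listing each attribute as a
    RequestedAttribute; isRequired is "true" for friendly names in `required`."""
    acs = ET.Element(f"{{{MD}}}AttributeConsumingService", {"index": str(index)})
    ET.SubElement(acs, f"{{{MD}}}ServiceName", {XML_LANG: "en"}).text = service_name
    for friendly, name in attributes.items():
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", {
            "Name": name, "FriendlyName": friendly, "NameFormat": URI_FORMAT,
            "isRequired": "true" if friendly in required else "false"})
    return ET.tostring(acs, encoding="unicode")

def requested_names(metadata_xml):
    """The check an IdP operator runs: the set of attribute Names an SP metadata
    document actually requests (empty for the posted metadata)."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Name") for e in root.iter(f"{{{MD}}}RequestedAttribute")}

if __name__ == "__main__":
    print("posted metadata requests:", requested_names(POSTED_METADATA))
    print(build_acs_xml("Example SP", REQUESTED, required=("email",)))
```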

nate

Mar 31, 2015, 10:45:36 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Thanks Peter. I have this PHP code to return 'NameID'. The code redirects to the SimpleSAMLPhp admin 'Select your Identity Provider' page. I selected the Identity Provider from the dropdown list and clicked on the 'Select' button, then it shows the 'NameID'. I would like to display the NameID parameter without redirecting to the Admin page. Please let me know if I am doing something wrong here.

I appreciate your help.

test.php
--------------------

<?php
// Load the SimpleSAMLphp autoloader and bind to the 'default-sp' auth source.
require_once('../../../simplesamlphp-1.13.2dev/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp');
// Redirects to the IdP (or the IdP discovery page) if there is no session yet.
$as->requireAuth();
// The NameID is not an attribute; it is fetched from the auth data instead.
$nameid = $as->getAuthData('saml:sp:NameID');
print_r($nameid);
?>

nate

Apr 1, 2015, 10:17:47 PM
to simple...@googlegroups.com, peter....@univie.ac.at
I tried to specify default IDP = 'https://IDPServer.com' in the authsources.php file. But this time the code stopped working. I am going through the documentation but couldn't find any details. I am almost at the end of this project and got stuck at this point. I do not want to redirect to the ADMIN page. Please pardon if it is a dumb question.