how to retrieve SAMLResponse param
346 views
Skip to first unread message
Alexander I
Dec 2, 2013, 8:21:41 AM12/2/13
to simple...@googlegroups.com
im trying to implement the idp first flow so im hitting this url
https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=sp.example.org
it takes me the login form of my idp i login successfully and taken back to the sp everything is fine so far but
how can i catch the POST SAMLResponse parameter with php that i see in the POST data tab in httpFox ?
var_dump($_REQUEST);
on the landing page doesnt contain it
the httpFox row
POST 303 Redirect to: http://sp.domain.net/getpost.php http://idp.domain.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
my sp is not using simpleSAMLphp
https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=sp.example.org
it takes me the login form of my idp i login successfully and taken back to the sp everything is fine so far but
how can i catch the POST SAMLResponse parameter with php that i see in the POST data tab in httpFox ?
var_dump($_REQUEST);
on the landing page doesnt contain it
the httpFox row
POST 303 Redirect to: http://sp.domain.net/getpost.php http://idp.domain.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
my sp is not using simpleSAMLphp
Peter Schober
Dec 2, 2013, 8:41:44 AM12/2/13
to simple...@googlegroups.com
* Alexander I <websur...@gmail.com> [2013-12-02 14:21]:
[...]
-peter
> how can i catch the POST SAMLResponse parameter with php that i see in the POST
> data tab in httpFox<https://addons.mozilla.org/En-us/firefox/addon/httpfox/>?
[...]
> my sp is not using simpleSAMLphp
Via whatever method your SP implementation offers.
-peter
Alexander
Dec 2, 2013, 8:43:20 AM12/2/13
to simple...@googlegroups.com
so its not possible with plain php ?
> --
> You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at http://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/groups/opt_out.
> You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at http://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/groups/opt_out.
Peter Schober
Dec 2, 2013, 8:48:22 AM12/2/13
to simple...@googlegroups.com
* Alexander <websur...@gmail.com> [2013-12-02 14:43]:
At the IdP, where the data originates from, you can set SSP to debug
(for, well, debuggig).
Or in transit, from the web browser (again for debugging, though the
payload should be encrypted to the SAML SP).
Or at the SAML SP. About which we can't say anything since all we know
about it is that it's not SimpleSAMLphp.
-peter
> so its not possible with plain php ?
*Where* to you want to grab the data?
At the IdP, where the data originates from, you can set SSP to debug
(for, well, debuggig).
Or in transit, from the web browser (again for debugging, though the
payload should be encrypted to the SAML SP).
Or at the SAML SP. About which we can't say anything since all we know
about it is that it's not SimpleSAMLphp.
-peter
Alexander
Dec 2, 2013, 8:52:20 AM12/2/13
to simple...@googlegroups.com
i want to grab it at the sp
decode
display it on the sp
decode
display it on the sp
Peter Schober
Dec 2, 2013, 9:12:42 AM12/2/13
to simple...@googlegroups.com
* Alexander <websur...@gmail.com> [2013-12-02 14:52]:
It has nothing to do with PHP (or this list, if the SP is not SSP).
-peter
> i want to grab it at the sp
> decode
> display it on the sp
I already gave you the answer.
> decode
> display it on the sp
It has nothing to do with PHP (or this list, if the SP is not SSP).
-peter
Alexander
Dec 2, 2013, 9:19:14 AM12/2/13
to simple...@googlegroups.com
Via whatever method your SP implementation offers.
thats your answer ??
is like asking Do you know what google is ?
and the answer is oh well just google it
why do you bother posting an 'answer' if you dont really have one
the IDP is SSP and im trying to integrate SSO in my app which written
in php so i thought the right to ask is the mailing of SSP
Peter Schober
Dec 2, 2013, 9:36:33 AM12/2/13
to simple...@googlegroups.com
* Alexander <websur...@gmail.com> [2013-12-02 15:19]:
SimpleSAMLphp implementation.
If you meant to say that you don't yet have a SAML SP implementation
and are looking into chosing SimpleSAMLphp then the above is not
sufficient (to me).
You can still blame me for trying to help you, in my spare time. For
free.
> the IDP is SSP and im trying to integrate SSO in my app which
> written in php so i thought the right to ask is the mailing of SSP
Depends on the question. Given the new information above it looks like
you're really asking "How do I integrate my application with
SimpleSAMLphp", which you'll find answered at
http://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6
(requires prior installation and configuration of SSP at the SP).
You also asked about retrieving the SAMLResponse and access the HTTP
POST content (which is stating the method you wish to use, not asking
about the appropriate method). The answer to that is "You don't, you
use a SAML implementation that does this (and many many other things)
for you."
-peter
> Via whatever method your SP implementation offers.
>
> thats your answer ??
>
> thats your answer ??
Yes, based on what you wrote so far. You said:
* Alexander I <websur...@gmail.com> [2013-12-02 14:21]:
* Alexander I <websur...@gmail.com> [2013-12-02 14:21]:
> my sp is not using simpleSAMLphp
Which to me means you do have an SP, just that it is not the
SimpleSAMLphp implementation.
If you meant to say that you don't yet have a SAML SP implementation
and are looking into chosing SimpleSAMLphp then the above is not
sufficient (to me).
You can still blame me for trying to help you, in my spare time. For
free.
> the IDP is SSP and im trying to integrate SSO in my app which
> written in php so i thought the right to ask is the mailing of SSP
you're really asking "How do I integrate my application with
SimpleSAMLphp", which you'll find answered at
http://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6
(requires prior installation and configuration of SSP at the SP).
You also asked about retrieving the SAMLResponse and access the HTTP
POST content (which is stating the method you wish to use, not asking
about the appropriate method). The answer to that is "You don't, you
use a SAML implementation that does this (and many many other things)
for you."
-peter
Alexander
Dec 2, 2013, 9:55:28 AM12/2/13
to simple...@googlegroups.com
well thats what call an answer
im not blaming you for trying to help me actually that is something i
deeply appreciate i understand how valuable time
however since you decided to help me you have agreed to do it in your
spare time for free and from my end i was expecting a meaningful
answer 'You dont' is an acceptable but saying 'well i dont know figure
it out yourself' is not even an answer
and to be honest i have the feeling that the documentation is lacking
the next steps you know after the quickstart part
for example
a real world example
how do you integrate with other libraries
and so on
although i have to say the quickstart tutorials are very thorough and
easy to understand
no hard feelings just my point of view
im not blaming you for trying to help me actually that is something i
deeply appreciate i understand how valuable time
however since you decided to help me you have agreed to do it in your
spare time for free and from my end i was expecting a meaningful
answer 'You dont' is an acceptable but saying 'well i dont know figure
it out yourself' is not even an answer
and to be honest i have the feeling that the documentation is lacking
the next steps you know after the quickstart part
for example
a real world example
how do you integrate with other libraries
and so on
although i have to say the quickstart tutorials are very thorough and
easy to understand
no hard feelings just my point of view
Peter Schober
Dec 2, 2013, 10:03:05 AM12/2/13
to simple...@googlegroups.com
* Alexander <websur...@gmail.com> [2013-12-02 15:55]:
to ask specific questions, e.g. what in the documenation is unclear.
By following all the steps in the documentation correctly you'll end
up with a working system (working in the "real world"). For many
things beyond that there are seperate documents. For everything not
covered in the docs (which is a lot) you can ask here.
-peter
> well thats what call an answer
If you still need technical answers to software problems you'll need
to ask specific questions, e.g. what in the documenation is unclear.
By following all the steps in the documentation correctly you'll end
up with a working system (working in the "real world"). For many
things beyond that there are seperate documents. For everything not
covered in the docs (which is a lot) you can ask here.
-peter
Alexander
Dec 4, 2013, 7:58:26 AM12/4/13
to simple...@googlegroups.com
update
i have installed and configured an SSP SP and im trying to get the authentication status of a user by using the API
as described in the docs
however im always getting SimpleSAML_Auth_Simple->isAuthenticated = false even after a successful login on the IDP side
my entry point is
http://idp.local.net/simplesaml/saml2/idp/SSOService.php?spentityid=http://sp.local.net
it takes me to the idp login form where i enter i authenticate againist our db and then i see a POST request from the idp back to the sp
using the SAML tracer extension i see
in the http tab
POST http://idp.local.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.1
Host:idp.local.net
...
Referer: http://idp.local.net/simplesaml/module.php/core/loginuserpass.php?
Cookie: PHPSESSID=[..];
SimpleSAMLAuthToken=_[...]
Content-Type: application/x-www-form-urlencoded
Content-Length: 14573
HTTP/?.? 303 See Other
Date: Wed, 04 Dec 2013 12:25:36 GMT
...
Set-Cookie: SimpleSAMLAuthToken=_same as SimpleSAMLAuthToken; path=/
Location:http://sp.local.net
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 403
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html
in the Parameters tab
POST
SAMLResponse: along with a long string of chars
in the SAML tab
the response in xml format containinng
<saml:AttributeStatement> nodes that hold the attributes im expecting to see
in the logs/simplesamlphp.log
Dec 04 13:14:53 simplesamlphp INFO [e35f806b8e] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Dec 04 13:14:53 simplesamlphp INFO [e35f806b8e] SAML2.0 - IdP.SSOService: IdP initiated authentication: 'http://sp.local.net'
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: Valid session found with 'my-auth-source'.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: Valid session found with 'my-auth-source'.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: Valid session found with 'my-auth-source'.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Filter config for http://idp.local.net/simplesaml/saml2/idp/metadata.php->http://sp.local.net: array ( 0 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 30, )), 1 => sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array( 'attribute' => 'realm', 'typeTag' => 'saml20-idp-SSO', 'priority' => 45, )), 2 => sspmod_core_Auth_Process_AttributeLimit::__set_state(array( 'allowedAttributes' => array ( ), 'isDefault' => false, 'priority' => 50, )), 3 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 99, )), 4 => sspmod_core_Auth_Process_AttributeMap::__set_state(array( 'map' => array ( 'aRecord' => 'urn:oid:0.9.2342.19200300.100.1.26', 'aliasedEntryName' => 'urn:oid:2.5.4.1', 'aliasedObjectName' => 'urn:oid:2.5.4.1', 'associatedDomain' => 'urn:oid:0.9.2342.19200300.100.1.37', 'associatedName' => 'urn:oid:0.9.2342.19200300.100.1.38', 'audio' => 'urn:oid:0.9.2342.19200300.100.1.55', 'authorityRevocationList' => 'urn:oid:2.5.4.38', 'buildingName' => 'urn:oid:0.9.2342.19200300.100.1.48', 'businessCategory' => 'urn:oid:2.5.4.15', 'c' => 'urn:oid:2.5.4.6', 'cACertificate' => 'urn:oid:2.5.4.37', 'cNAMERecord' => 'urn:oid:0.9.2342.19200300.100.1.31', 'carLicense' => 'urn:oid:2.16.840.1.113730.3.1.1', 'certificateRevocationList' => 'urn:oid:2.5.4.39', 'cn' => 'urn:oid:2.5.4.3', 'co' => 'urn:oid:0.9.2342.19200300.100.1.43', 'commonName' => 'urn:oid:2.5.4.3', 'countryName' => 'urn:oid:2.5.4.6', 'crossCertificatePair' => 'urn:oid:2.5.4.40', 'dITRedirect' => 'urn:oid:0.9.2342.19200300.100.1.54', 'dSAQuality' => 'urn:oid:0.9.2342.19200300.100.1.49', 'dc' => 'urn:oid:0.9.2342.19200300.100.1.25', 'deltaRevocationList' => 'urn:oid:2.5.4.53', 'departmentNumber' => 'urn:oid:2.16.840.1.113730.3.1.2', 'description' => 'urn:oid:2.5.4.13', 'destinationIndicator' => 'urn:oid:2.5.4.27', 'displayName' => 'urn:oid:2.16.840.1.113730.3.1.241', 'distinguishedName' => 'urn:oid:2.5.4.49', 'dmdName' => 'urn:oid:2.5.4.54', 'dnQualifier' => 'urn:oid:2.5.4.46', 'documentAuthor' => 'urn:oid:0.9.2342.19200300.100.1.14', 'documentIdentifier' => 'urn:oid:0.9.2342.19200300.100.1.11', 'documentLocation' => 'urn:oid:0.9.2342.19200300.100.1.15', 'documentPublisher' => 'urn:oid:0.9.2342.19200300.100.1.56', 'documentTitle' => 'urn:oid:0.9.2342.19200300.100.1.12', 'documentVersion' => 'urn:oid:0.9.2342.19200300.100.1.13', 'domainComponent' => 'urn:oid:0.9.2342.19200300.100.1.25', 'drink' => 'urn:oid:0.9.2342.19200300.100.1.5', 'eduOrgHomePageURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.2', 'eduOrgIdentityAuthNPolicyURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.3', 'eduOrgLegalName' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.4', 'eduOrgSuperiorURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.5', 'eduOrgWhitePagesURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.6', 'eduPersonAffiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1', 'eduPersonEntitlement' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7', 'eduPersonNickname' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.2', 'eduPersonOrgDN' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.3', 'eduPersonOrgUnitDN' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4', 'eduPersonPrimaryAffiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.5', 'eduPersonPrimaryOrgUnitDN' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.8', 'eduPersonPrincipalName' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'eduPersonScopedAffiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'eduPersonTargetedID' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'email' => 'urn:oid:1.2.840.113549.1.9.1', 'emailAddress' => 'urn:oid:1.2.840.113549.1.9.1', 'employeeNumber' => 'urn:oid:2.16.840.1.113730.3.1.3', 'employeeType' => 'urn:oid:2.16.840.1.113730.3.1.4', 'enhancedSearchGuide' => 'urn:oid:2.5.4.47', 'facsimileTelephoneNumber' => 'urn:oid:2.5.4.23', 'favouriteDrink' => 'urn:oid:0.9.2342.19200300.100.1.5', 'fax' => 'urn:oid:2.5.4.23', 'federationFeideSchemaVersion' => 'urn:oid:1.3.6.1.4.1.2428.90.1.9', 'friendlyCountryName' => 'urn:oid:0.9.2342.19200300.100.1.43', 'generationQualifier' => 'urn:oid:2.5.4.44', 'givenName' => 'urn:oid:2.5.4.42', 'gn' => 'urn:oid:2.5.4.42', 'homePhone' => 'urn:oid:0.9.2342.19200300.100.1.20', 'homePostalAddress' => 'urn:oid:0.9.2342.19200300.100.1.39', 'homeTelephoneNumber' => 'urn:oid:0.9.2342.19200300.100.1.20', 'host' => 'urn:oid:0.9.2342.19200300.100.1.9', 'houseIdentifier' => 'urn:oid:2.5.4.51', 'info' => 'urn:oid:0.9.2342.19200300.100.1.4', 'initials' => 'urn:oid:2.5.4.43', 'internationaliSDNNumber' => 'urn:oid:2.5.4.25', 'isMemberOf' => 'urn:oid:1.3.6.1.4.1.5923.1.5.1.1', 'janetMailbox' => 'urn:oid:0.9.2342.19200300.100.1.46', 'jpegPhoto' => 'urn:oid:0.9.2342.19200300.100.1.60', 'knowledgeInformation' => 'urn:oid:2.5.4.2', 'l' => 'urn:oid:2.5.4.7', 'labeledURI' => 'urn:oid:1.3.6.1.4.1.250.1.57', 'localityName' => 'urn:oid:2.5.4.7', 'mDRecord' => 'urn:oid:0.9.2342.19200300.100.1.27', 'mXRecord' => 'urn:oid:0.9.2342.19200300.100.1.28', 'mail' => 'urn:oid:0.9.2342.19200300.100.1.3', 'mailPreferenceOption' => 'urn:oid:0.9.2342.19200300.100.1.47', 'manager' => 'urn:oid:0.9.2342.19200300.100.1.10', 'member' => 'urn:oid:2.5.4.31', 'mobile' => 'urn:oid:0.9.2342.19200300.100.1.41', 'mobileTelephoneNumber' => 'urn:oid:0.9.2342.19200300.100.1.41', 'nSRecord' => 'urn:oid:0.9.2342.19200300.100.1.29', 'name' => 'urn:oid:2.5.4.41', 'norEduOrgAcronym' => 'urn:oid:1.3.6.1.4.1.2428.90.1.6', 'norEduOrgNIN' => 'urn:oid:1.3.6.1.4.1.2428.90.1.12', 'norEduOrgSchemaVersion' => 'urn:oid:1.3.6.1.4.1.2428.90.1.11', 'norEduOrgUniqueIdentifier' => 'urn:oid:1.3.6.1.4.1.2428.90.1.7', 'norEduOrgUniqueNumber' => 'urn:oid:1.3.6.1.4.1.2428.90.1.1', 'norEduOrgUnitUniqueIdentifier' => 'urn:oid:1.3.6.1.4.1.2428.90.1.8', 'norEduOrgUnitUniqueNumber' => 'urn:oid:1.3.6.1.4.1.2428.90.1.2', 'norEduPersonBirthDate' => 'urn:oid:1.3.6.1.4.1.2428.90.1.3', 'norEduPersonLIN' => 'urn:oid:1.3.6.1.4.1.2428.90.1.4', 'norEduPersonNIN' => 'urn:oid:1.3.6.1.4.1.2428.90.1.5', 'o' => 'urn:oid:2.5.4.10', 'objectClass' => 'urn:oid:2.5.4.0', 'organizationName' => 'urn:oid:2.5.4.10', 'organizationalStatus' => 'urn:oid:0.9.2342.19200300.100.1.45', 'organizationalUnitName' => 'urn:oid:2.5.4.11', 'otherMailbox' => 'urn:oid:0.9.2342.19200300.100.1.22', 'ou' => 'urn:oid:2.5.4.11', 'owner' => 'urn:oid:2.5.4.32', 'pager' => 'urn:oid:0.9.2342.19200300.100.1.42', 'pagerTelephoneNumber' => 'urn:oid:0.9.2342.19200300.100.1.42', 'personalSignature' => 'urn:oid:0.9.2342.19200300.100.1.53', 'personalTitle' => 'urn:oid:0.9.2342.19200300.100.1.40', 'photo' => 'urn:oid:0.9.2342.19200300.100.1.7', 'physicalDeliveryOfficeName' => 'urn:oid:2.5.4.19', 'pkcs9email' => 'urn:oid:1.2.840.113549.1.9.1', 'postOfficeBox' => 'urn:oid:2.5.4.18', 'postalAddress' => 'urn:oid:2.5.4.16', 'postalCode' => 'urn:oid:2.5.4.17', 'preferredDeliveryMethod' => 'urn:oid:2.5.4.28', 'preferredLanguage' => 'urn:oid:2.16.840.1.113730.3.1.39', 'presentationAddress' => 'urn:oid:2.5.4.29', 'protocolInformation' => 'urn:oid:2.5.4.48', 'pseudonym' => 'urn:oid:2.5.4.65', 'registeredAddress' => 'urn:oid:2.5.4.26', 'rfc822Mailbox' => 'urn:oid:0.9.2342.19200300.100.1.3', 'roleOccupant' => 'urn:oid:2.5.4.33', 'roomNumber' => 'urn:oid:0.9.2342.19200300.100.1.6', 'sOARecord' => 'urn:oid:0.9.2342.19200300.100.1.30', 'searchGuide' => 'urn:oid:2.5.4.14', 'secretary' => 'urn:oid:0.9.2342.19200300.100.1.21', 'seeAlso' => 'urn:oid:2.5.4.34', 'serialNumber' => 'urn:oid:2.5.4.5', 'singleLevelQuality' => 'urn:oid:0.9.2342.19200300.100.1.50', 'sn' => 'urn:oid:2.5.4.4', 'st' => 'urn:oid:2.5.4.8', 'stateOrProvinceName' => 'urn:oid:2.5.4.8', 'street' => 'urn:oid:2.5.4.9', 'streetAddress' => 'urn:oid:2.5.4.9', 'subtreeMaximumQuality' => 'urn:oid:0.9.2342.19200300.100.1.52', 'subtreeMinimumQuality' => 'urn:oid:0.9.2342.19200300.100.1.51', 'supportedAlgorithms' => 'urn:oid:2.5.4.52', 'supportedApplicationContext' => 'urn:oid:2.5.4.30', 'surname' => 'urn:oid:2.5.4.4', 'telephoneNumber' => 'urn:oid:2.5.4.20', 'teletexTerminalIdentifier' => 'urn:oid:2.5.4.22', 'telexNumber' => 'urn:oid:2.5.4.21', 'textEncodedORAddress' => 'urn:oid:0.9.2342.19200300.100.1.2', 'title' => 'urn:oid:2.5.4.12', 'uid' => 'urn:oid:0.9.2342.19200300.100.1.1', 'uniqueIdentifier' => 'urn:oid:0.9.2342.19200300.100.1.44', 'uniqueMember' => 'urn:oid:2.5.4.50', 'userCertificate' => 'urn:oid:2.5.4.36', 'userClass' => 'urn:oid:0.9.2342.19200300.100.1.8', 'userPKCS12' => 'urn:oid:2.16.840.1.113730.3.1.216', 'userPassword' => 'urn:oid:2.5.4.35', 'userSMIMECertificate' => 'urn:oid:2.16.840.1.113730.3.1.40', 'userid' => 'urn:oid:0.9.2342.19200300.100.1.1', 'x121Address' => 'urn:oid:2.5.4.24', 'x500UniqueIdentifier' => 'urn:oid:2.5.4.45', 'schacHomeOrganization' => 'urn:oid:1.3.6.1.4.1.25178.1.2.9', 'schacPersonalUniqueCode' => 'urn:oid:1.3.6.1.4.1.25178.1.2.14', ), 'duplicate' => false, 'priority' => 100, )),)
Dec 04 13:14:53 simplesamlphp NOTICE STAT [e35f806b8e] saml20-idp-SSO http://sp.local.net http://idp.local.net/simplesaml/saml2/idp/metadata.php NA
Dec 04 13:14:53 simplesamlphp INFO [e35f806b8e] Sending SAML 2.0 Response to 'http://sp.local.net'
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Sending message:
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] <samlp:Response>
...xml response is here
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] </samlp:Response>
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Received message:
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_833c654014a1b965e1fe98dc95bec5b6ac4a8fec22" Version="2.0" IssueInstant="2013-12-04T12:14:53Z" Destination="http://idp.local.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp">
...xml response is here
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] </samlp:Response>
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Received SAML2 Response from 'http://idp.local.net/simplesaml/saml2/idp/metadata.php'.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Has 1 candidate keys for validation.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Validation with key #0 succeeded.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Has 1 candidate keys for validation.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Validation with key #0 succeeded.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Filter config for http://idp.local.net/simplesaml/saml2/idp/metadata.php->http://sp.local.net: array ( 0 => sspmod_core_Auth_Process_GenerateGroups::__set_state(array( 'generateGroupsFrom' => array ( 0 => 'eduPersonAffiliation', ), 'priority' => 60, )), 1 => sspmod_core_Auth_Process_AttributeAdd::__set_state(array( 'replace' => false, 'attributes' => array ( 'groups' => array ( 0 => 'users', 1 => 'members', ), ), 'priority' => 61, )), 2 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 90, )),)
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] GenerateGroups - attribute 'eduPersonAffiliation' not found.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: doLogin("default-sp")
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: doLogout('default-sp')
this definitely looks weird why is Session:doLogout called right after doLogini have installed and configured an SSP SP and im trying to get the authentication status of a user by using the API
as described in the docs
however im always getting SimpleSAML_Auth_Simple->isAuthenticated = false even after a successful login on the IDP side
my entry point is
http://idp.local.net/simplesaml/saml2/idp/SSOService.php?spentityid=http://sp.local.net
it takes me to the idp login form where i enter i authenticate againist our db and then i see a POST request from the idp back to the sp
using the SAML tracer extension i see
in the http tab
POST http://idp.local.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.1
Host:idp.local.net
...
Referer: http://idp.local.net/simplesaml/module.php/core/loginuserpass.php?
Cookie: PHPSESSID=[..];
SimpleSAMLAuthToken=_[...]
Content-Type: application/x-www-form-urlencoded
Content-Length: 14573
HTTP/?.? 303 See Other
Date: Wed, 04 Dec 2013 12:25:36 GMT
...
Set-Cookie: SimpleSAMLAuthToken=_same as SimpleSAMLAuthToken; path=/
Location:http://sp.local.net
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 403
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html
in the Parameters tab
POST
SAMLResponse: along with a long string of chars
in the SAML tab
the response in xml format containinng
<saml:AttributeStatement> nodes that hold the attributes im expecting to see
in the logs/simplesamlphp.log
Dec 04 13:14:53 simplesamlphp INFO [e35f806b8e] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
Dec 04 13:14:53 simplesamlphp INFO [e35f806b8e] SAML2.0 - IdP.SSOService: IdP initiated authentication: 'http://sp.local.net'
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: Valid session found with 'my-auth-source'.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: Valid session found with 'my-auth-source'.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: Valid session found with 'my-auth-source'.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Filter config for http://idp.local.net/simplesaml/saml2/idp/metadata.php->http://sp.local.net: array ( 0 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 30, )), 1 => sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array( 'attribute' => 'realm', 'typeTag' => 'saml20-idp-SSO', 'priority' => 45, )), 2 => sspmod_core_Auth_Process_AttributeLimit::__set_state(array( 'allowedAttributes' => array ( ), 'isDefault' => false, 'priority' => 50, )), 3 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 99, )), 4 => sspmod_core_Auth_Process_AttributeMap::__set_state(array( 'map' => array ( 'aRecord' => 'urn:oid:0.9.2342.19200300.100.1.26', 'aliasedEntryName' => 'urn:oid:2.5.4.1', 'aliasedObjectName' => 'urn:oid:2.5.4.1', 'associatedDomain' => 'urn:oid:0.9.2342.19200300.100.1.37', 'associatedName' => 'urn:oid:0.9.2342.19200300.100.1.38', 'audio' => 'urn:oid:0.9.2342.19200300.100.1.55', 'authorityRevocationList' => 'urn:oid:2.5.4.38', 'buildingName' => 'urn:oid:0.9.2342.19200300.100.1.48', 'businessCategory' => 'urn:oid:2.5.4.15', 'c' => 'urn:oid:2.5.4.6', 'cACertificate' => 'urn:oid:2.5.4.37', 'cNAMERecord' => 'urn:oid:0.9.2342.19200300.100.1.31', 'carLicense' => 'urn:oid:2.16.840.1.113730.3.1.1', 'certificateRevocationList' => 'urn:oid:2.5.4.39', 'cn' => 'urn:oid:2.5.4.3', 'co' => 'urn:oid:0.9.2342.19200300.100.1.43', 'commonName' => 'urn:oid:2.5.4.3', 'countryName' => 'urn:oid:2.5.4.6', 'crossCertificatePair' => 'urn:oid:2.5.4.40', 'dITRedirect' => 'urn:oid:0.9.2342.19200300.100.1.54', 'dSAQuality' => 'urn:oid:0.9.2342.19200300.100.1.49', 'dc' => 'urn:oid:0.9.2342.19200300.100.1.25', 'deltaRevocationList' => 'urn:oid:2.5.4.53', 'departmentNumber' => 'urn:oid:2.16.840.1.113730.3.1.2', 'description' => 'urn:oid:2.5.4.13', 'destinationIndicator' => 'urn:oid:2.5.4.27', 'displayName' => 'urn:oid:2.16.840.1.113730.3.1.241', 'distinguishedName' => 'urn:oid:2.5.4.49', 'dmdName' => 'urn:oid:2.5.4.54', 'dnQualifier' => 'urn:oid:2.5.4.46', 'documentAuthor' => 'urn:oid:0.9.2342.19200300.100.1.14', 'documentIdentifier' => 'urn:oid:0.9.2342.19200300.100.1.11', 'documentLocation' => 'urn:oid:0.9.2342.19200300.100.1.15', 'documentPublisher' => 'urn:oid:0.9.2342.19200300.100.1.56', 'documentTitle' => 'urn:oid:0.9.2342.19200300.100.1.12', 'documentVersion' => 'urn:oid:0.9.2342.19200300.100.1.13', 'domainComponent' => 'urn:oid:0.9.2342.19200300.100.1.25', 'drink' => 'urn:oid:0.9.2342.19200300.100.1.5', 'eduOrgHomePageURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.2', 'eduOrgIdentityAuthNPolicyURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.3', 'eduOrgLegalName' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.4', 'eduOrgSuperiorURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.5', 'eduOrgWhitePagesURI' => 'urn:oid:1.3.6.1.4.1.5923.1.2.1.6', 'eduPersonAffiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1', 'eduPersonEntitlement' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7', 'eduPersonNickname' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.2', 'eduPersonOrgDN' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.3', 'eduPersonOrgUnitDN' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4', 'eduPersonPrimaryAffiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.5', 'eduPersonPrimaryOrgUnitDN' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.8', 'eduPersonPrincipalName' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'eduPersonScopedAffiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'eduPersonTargetedID' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'email' => 'urn:oid:1.2.840.113549.1.9.1', 'emailAddress' => 'urn:oid:1.2.840.113549.1.9.1', 'employeeNumber' => 'urn:oid:2.16.840.1.113730.3.1.3', 'employeeType' => 'urn:oid:2.16.840.1.113730.3.1.4', 'enhancedSearchGuide' => 'urn:oid:2.5.4.47', 'facsimileTelephoneNumber' => 'urn:oid:2.5.4.23', 'favouriteDrink' => 'urn:oid:0.9.2342.19200300.100.1.5', 'fax' => 'urn:oid:2.5.4.23', 'federationFeideSchemaVersion' => 'urn:oid:1.3.6.1.4.1.2428.90.1.9', 'friendlyCountryName' => 'urn:oid:0.9.2342.19200300.100.1.43', 'generationQualifier' => 'urn:oid:2.5.4.44', 'givenName' => 'urn:oid:2.5.4.42', 'gn' => 'urn:oid:2.5.4.42', 'homePhone' => 'urn:oid:0.9.2342.19200300.100.1.20', 'homePostalAddress' => 'urn:oid:0.9.2342.19200300.100.1.39', 'homeTelephoneNumber' => 'urn:oid:0.9.2342.19200300.100.1.20', 'host' => 'urn:oid:0.9.2342.19200300.100.1.9', 'houseIdentifier' => 'urn:oid:2.5.4.51', 'info' => 'urn:oid:0.9.2342.19200300.100.1.4', 'initials' => 'urn:oid:2.5.4.43', 'internationaliSDNNumber' => 'urn:oid:2.5.4.25', 'isMemberOf' => 'urn:oid:1.3.6.1.4.1.5923.1.5.1.1', 'janetMailbox' => 'urn:oid:0.9.2342.19200300.100.1.46', 'jpegPhoto' => 'urn:oid:0.9.2342.19200300.100.1.60', 'knowledgeInformation' => 'urn:oid:2.5.4.2', 'l' => 'urn:oid:2.5.4.7', 'labeledURI' => 'urn:oid:1.3.6.1.4.1.250.1.57', 'localityName' => 'urn:oid:2.5.4.7', 'mDRecord' => 'urn:oid:0.9.2342.19200300.100.1.27', 'mXRecord' => 'urn:oid:0.9.2342.19200300.100.1.28', 'mail' => 'urn:oid:0.9.2342.19200300.100.1.3', 'mailPreferenceOption' => 'urn:oid:0.9.2342.19200300.100.1.47', 'manager' => 'urn:oid:0.9.2342.19200300.100.1.10', 'member' => 'urn:oid:2.5.4.31', 'mobile' => 'urn:oid:0.9.2342.19200300.100.1.41', 'mobileTelephoneNumber' => 'urn:oid:0.9.2342.19200300.100.1.41', 'nSRecord' => 'urn:oid:0.9.2342.19200300.100.1.29', 'name' => 'urn:oid:2.5.4.41', 'norEduOrgAcronym' => 'urn:oid:1.3.6.1.4.1.2428.90.1.6', 'norEduOrgNIN' => 'urn:oid:1.3.6.1.4.1.2428.90.1.12', 'norEduOrgSchemaVersion' => 'urn:oid:1.3.6.1.4.1.2428.90.1.11', 'norEduOrgUniqueIdentifier' => 'urn:oid:1.3.6.1.4.1.2428.90.1.7', 'norEduOrgUniqueNumber' => 'urn:oid:1.3.6.1.4.1.2428.90.1.1', 'norEduOrgUnitUniqueIdentifier' => 'urn:oid:1.3.6.1.4.1.2428.90.1.8', 'norEduOrgUnitUniqueNumber' => 'urn:oid:1.3.6.1.4.1.2428.90.1.2', 'norEduPersonBirthDate' => 'urn:oid:1.3.6.1.4.1.2428.90.1.3', 'norEduPersonLIN' => 'urn:oid:1.3.6.1.4.1.2428.90.1.4', 'norEduPersonNIN' => 'urn:oid:1.3.6.1.4.1.2428.90.1.5', 'o' => 'urn:oid:2.5.4.10', 'objectClass' => 'urn:oid:2.5.4.0', 'organizationName' => 'urn:oid:2.5.4.10', 'organizationalStatus' => 'urn:oid:0.9.2342.19200300.100.1.45', 'organizationalUnitName' => 'urn:oid:2.5.4.11', 'otherMailbox' => 'urn:oid:0.9.2342.19200300.100.1.22', 'ou' => 'urn:oid:2.5.4.11', 'owner' => 'urn:oid:2.5.4.32', 'pager' => 'urn:oid:0.9.2342.19200300.100.1.42', 'pagerTelephoneNumber' => 'urn:oid:0.9.2342.19200300.100.1.42', 'personalSignature' => 'urn:oid:0.9.2342.19200300.100.1.53', 'personalTitle' => 'urn:oid:0.9.2342.19200300.100.1.40', 'photo' => 'urn:oid:0.9.2342.19200300.100.1.7', 'physicalDeliveryOfficeName' => 'urn:oid:2.5.4.19', 'pkcs9email' => 'urn:oid:1.2.840.113549.1.9.1', 'postOfficeBox' => 'urn:oid:2.5.4.18', 'postalAddress' => 'urn:oid:2.5.4.16', 'postalCode' => 'urn:oid:2.5.4.17', 'preferredDeliveryMethod' => 'urn:oid:2.5.4.28', 'preferredLanguage' => 'urn:oid:2.16.840.1.113730.3.1.39', 'presentationAddress' => 'urn:oid:2.5.4.29', 'protocolInformation' => 'urn:oid:2.5.4.48', 'pseudonym' => 'urn:oid:2.5.4.65', 'registeredAddress' => 'urn:oid:2.5.4.26', 'rfc822Mailbox' => 'urn:oid:0.9.2342.19200300.100.1.3', 'roleOccupant' => 'urn:oid:2.5.4.33', 'roomNumber' => 'urn:oid:0.9.2342.19200300.100.1.6', 'sOARecord' => 'urn:oid:0.9.2342.19200300.100.1.30', 'searchGuide' => 'urn:oid:2.5.4.14', 'secretary' => 'urn:oid:0.9.2342.19200300.100.1.21', 'seeAlso' => 'urn:oid:2.5.4.34', 'serialNumber' => 'urn:oid:2.5.4.5', 'singleLevelQuality' => 'urn:oid:0.9.2342.19200300.100.1.50', 'sn' => 'urn:oid:2.5.4.4', 'st' => 'urn:oid:2.5.4.8', 'stateOrProvinceName' => 'urn:oid:2.5.4.8', 'street' => 'urn:oid:2.5.4.9', 'streetAddress' => 'urn:oid:2.5.4.9', 'subtreeMaximumQuality' => 'urn:oid:0.9.2342.19200300.100.1.52', 'subtreeMinimumQuality' => 'urn:oid:0.9.2342.19200300.100.1.51', 'supportedAlgorithms' => 'urn:oid:2.5.4.52', 'supportedApplicationContext' => 'urn:oid:2.5.4.30', 'surname' => 'urn:oid:2.5.4.4', 'telephoneNumber' => 'urn:oid:2.5.4.20', 'teletexTerminalIdentifier' => 'urn:oid:2.5.4.22', 'telexNumber' => 'urn:oid:2.5.4.21', 'textEncodedORAddress' => 'urn:oid:0.9.2342.19200300.100.1.2', 'title' => 'urn:oid:2.5.4.12', 'uid' => 'urn:oid:0.9.2342.19200300.100.1.1', 'uniqueIdentifier' => 'urn:oid:0.9.2342.19200300.100.1.44', 'uniqueMember' => 'urn:oid:2.5.4.50', 'userCertificate' => 'urn:oid:2.5.4.36', 'userClass' => 'urn:oid:0.9.2342.19200300.100.1.8', 'userPKCS12' => 'urn:oid:2.16.840.1.113730.3.1.216', 'userPassword' => 'urn:oid:2.5.4.35', 'userSMIMECertificate' => 'urn:oid:2.16.840.1.113730.3.1.40', 'userid' => 'urn:oid:0.9.2342.19200300.100.1.1', 'x121Address' => 'urn:oid:2.5.4.24', 'x500UniqueIdentifier' => 'urn:oid:2.5.4.45', 'schacHomeOrganization' => 'urn:oid:1.3.6.1.4.1.25178.1.2.9', 'schacPersonalUniqueCode' => 'urn:oid:1.3.6.1.4.1.25178.1.2.14', ), 'duplicate' => false, 'priority' => 100, )),)
Dec 04 13:14:53 simplesamlphp NOTICE STAT [e35f806b8e] saml20-idp-SSO http://sp.local.net http://idp.local.net/simplesaml/saml2/idp/metadata.php NA
Dec 04 13:14:53 simplesamlphp INFO [e35f806b8e] Sending SAML 2.0 Response to 'http://sp.local.net'
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Sending message:
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] <samlp:Response>
...xml response is here
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] </samlp:Response>
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Received message:
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_833c654014a1b965e1fe98dc95bec5b6ac4a8fec22" Version="2.0" IssueInstant="2013-12-04T12:14:53Z" Destination="http://idp.local.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp">
...xml response is here
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] </samlp:Response>
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Received SAML2 Response from 'http://idp.local.net/simplesaml/saml2/idp/metadata.php'.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Has 1 candidate keys for validation.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Validation with key #0 succeeded.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Has 1 candidate keys for validation.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Validation with key #0 succeeded.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Filter config for http://idp.local.net/simplesaml/saml2/idp/metadata.php->http://sp.local.net: array ( 0 => sspmod_core_Auth_Process_GenerateGroups::__set_state(array( 'generateGroupsFrom' => array ( 0 => 'eduPersonAffiliation', ), 'priority' => 60, )), 1 => sspmod_core_Auth_Process_AttributeAdd::__set_state(array( 'replace' => false, 'attributes' => array ( 'groups' => array ( 0 => 'users', 1 => 'members', ), ), 'priority' => 61, )), 2 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 90, )),)
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] GenerateGroups - attribute 'eduPersonAffiliation' not found.
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: doLogin("default-sp")
Dec 04 13:14:53 simplesamlphp DEBUG [e35f806b8e] Session: doLogout('default-sp')
any thoughts ??
let me know if you need more info unfortunately direct access is not possible to the resources
alex
alex
On 2 December 2013 16:03, Peter Schober <peter....@univie.ac.at> wrote:
-peter
Reply all
Reply to author
Forward
0 new messages