Configuring IdP for Lenovo Universal Workspace


Konstantin Boyandin

Aug 31, 2020, 9:01:59 AM
to SimpleSAMLphp

Hello,

Still trying to configure Lenovo Universal Workspace (LUW) as IdP.

From their knowledge base entry, the parameters they expect:

Then on the Authentication Tab for the web application object we have:
Type : SAML
Identity : Identity Provider
Assertion Consumer (This is provided by your vendor) : https://url-from.3rdpartyexample-cloud.com/login.saml
Target Resource (This is provided by your vendor) : https://somename.3rdpartyexample-cloud.com/sso.do
Issuer (Vendor may tell you to put a specific string here) : somename
Audience ( Vendor will provide this url) : https://url-from.3rdpartyexample-cloud.com/
PFX Certificate : Use the wizard to generate the certificate
Private Key : Filled in when you do the wizard for the PFX Certificate
Certificate : Click the wizard and fill in the information to generate the certificate.

What should be offered for the mentioned URLs?
- assertion consumer
- target resource
- audience

Whatever we do, LUW still tries to redirect to our metadata URL, generating a SimpleSAMLphp error about wrong audience.

I would appreciate any hints.

Thanks!

pra...@gmail.com

Aug 31, 2020, 2:21:08 PM
to SimpleSAMLphp
assertion consumer = The URL from the AssertionConsumerService element in your SP metadata. For SSP it's usually of the form https://HOSTNAME/module.php/saml/sp/saml2-acs.php/AUTHSOURCE_NAME
audience = Your SP entity ID
target resource = This is probably what they will send for relay state for IdP-initiated login. This would be where you want the user to end up after they have authenticated.

- Patrick
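
Added example (not code from this thread or from the SimpleSAMLphp project): a small Python script that reads an SP's SAML metadata and prints the two vendor-form fields that metadata actually contains, following Patrick's mapping: Audience is the entityID, Assertion Consumer is the HTTP-POST AssertionConsumerService Location. The metadata document is constructed here in the shape SimpleSAMLphp publishes; the hostname sp.example.org, the entityID and the authsource name default-sp are assumptions. Target Resource is not derived because it is RelayState, which metadata does not carry.

```python
"""Fill the LUW-style IdP form from the SP's own SAML metadata.

Added example; not code from the thread or from SimpleSAMLphp.
SAMPLE_SP_METADATA is a constructed, trimmed SP metadata document of the
shape SimpleSAMLphp publishes (hostname, entityID and the authsource name
'default-sp' are assumptions). 'Target Resource' is RelayState and is not
present in metadata, so it is not derived here.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: what an SP with an explicit entityID would publish.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_form_values(metadata_xml: str) -> dict:
    """Map SP metadata to the vendor's form fields:
    Audience <- entityID, Assertion Consumer <- default HTTP-POST ACS Location."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor without entityID")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        # IdP metadata is also an EntityDescriptor; refuse it explicitly.
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    post_acs = [
        e for e in spsso.findall("md:AssertionConsumerService", NS)
        if e.get("Binding") == HTTP_POST and e.get("Location")
    ]
    if not post_acs:
        raise ValueError("SP publishes no HTTP-POST AssertionConsumerService")
    # Prefer isDefault="true", then the lowest index, as an IdP would.
    post_acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    return {
        "Audience": entity_id,
        "Assertion Consumer": post_acs[0].get("Location"),
    }


if __name__ == "__main__":
    for field, value in idp_form_values(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```

Point the script at the metadata your own SP serves (or at the file you hand the vendor) and copy the two printed values into the form; if it raises because the document has no SPSSODescriptor, you have been given IdP metadata rather than your SP's.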

Konstantin Boyandin

Aug 31, 2020, 7:46:29 PM
to SimpleSAMLphp
Thanks. So the assertion consumer is correct, as well as target resource.
But what is the audience? In the metadata/saml20-idp-remote.php I have a corresponding entry starting like

$metadata['https://signon.example.org/swPublicSSO/SAML/OurSP'] = array (
  'entityid' => 'https://signon.example.org/swPublicSSO/SAML/OurSP',

Is

https://signon.example.org/swPublicSSO/SAML/OurSP

the proper value for the audience?

Thanks.

Sincerely,
Konstantin

Peter Schober

Sep 1, 2020, 6:35:56 AM
to SimpleSAMLphp
* 'Konstantin Boyandin' via SimpleSAMLphp <simple...@googlegroups.com> [2020-09-01 01:46]:
> But what is the audience?

Patrick already told you.

> In the metadata/saml20-idp-remote.php I have a corresponding entry
> starting like
>
> $metadata['https://signon.example.org/swPublicSSO/SAML/OurSP'] = array (
> 'entityid' => 'https://signon.example.org/swPublicSSO/SAML/OurSP',

The key of the $metadata array already is the entityID, AFAIK, so the
second line is redundant, I think.

> Is
>
> https://signon.example.org/swPublicSSO/SAML/OurSP
>
> the proper value for the audience?

SAML Core[1] defines the term. It should be the entityID of the SAML
relying party receiving a SAML protocol message.

So no, in this case, where you're asked for the "audience" value by
the (remote, in SSP's terms) IDP it should be your SimpleSAMLphp SAML
SP's entityID, the one you're trying to hook up to that IDP.

-peter

[1] https://wiki.oasis-open.org/security/

Konstantin Boyandin

Sep 1, 2020, 6:52:26 AM
to SimpleSAMLphp
Thanks, Peter. So the audience, in this case, is the SP's entityID from IdP's perspective (as defined in remote IdP configuration), not from "my" part (SimpleSAMLphp installation).

Sincerely,
Konstantin

Peter Schober

Sep 1, 2020, 7:12:36 AM
to SimpleSAMLphp
* 'Konstantin Boyandin' via SimpleSAMLphp <simple...@googlegroups.com> [2020-09-01 12:57]:
> Thanks, Peter. So the audience, in this case, is the SP's entityID from
> IdP's perspective (as defined in remote IdP configuration), not from "my"
> part (SimpleSAMLphp installation).

The Audience value the IDP puts into the SAML Assertion will be the SP
(i.e., its entityID) it issues the SAML assertion to, yes.
(My phrasing was needlessly vague before, I think there's no other use
of 'Audience' and 'AudienceRestriction' in SAML.)

Your SP's entityID is what it is (what you set it to or what the
software autogenerates if you did not set it) and does not depend on
anyone's perspective. (You are what you are no matter who's asking.)

And your SP's entityID is not "defined in remote IdP configuration",
it's defined in your SP's saml:SP authsource.

HTH,
-peter

Konstantin Boyandin

Sep 1, 2020, 7:23:43 AM
to SimpleSAMLphp
In authsources.php the 'entityID' is set to null, by default. According to the docs,

"If this option is unset, a default entity ID will be generated. The generated entity ID will be a URL where the metadata of this SP can be downloaded."

So the audience parameter is, in such a case, the URL that can be used to download metadata, i.e.

https://DOMAIN/simplesaml/module.php/saml/sp/metadata.php/AUTHSOURCEKEY

Sincerely,
Konstantin

Peter Schober

Sep 1, 2020, 8:15:15 AM
to SimpleSAMLphp
* 'Konstantin Boyandin' via SimpleSAMLphp <simple...@googlegroups.com> [2020-09-01 13:48]:
> "If this option is unset, a default entity ID will be generated. The
> generated entity ID will be a URL where the metadata of this SP can be
> downloaded."
> So the audience parameter is, in such a case, the URL that can be used to
> download metadata, i.e.
>
> https://DOMAIN/simplesaml/module.php/saml/sp/metadata.php/AUTHSOURCEKEY

People shouldn't need to rely on autogenerated values and then guess
just what the autogenerated value is, IMO, esp those (such as
yourself) who can read comments and even the documentation.

The SSP developers made the choice to have the software autogenerate
its own instance name(s) so that deployers don't have to be bothered
with setting unique names.
To the extent that this prevents people from even realising that every
SAML entity (IDP or SP) needs -- and necessarily has -- a globally
unique name this was a mistake, IMO.

An entityID is a (globally unique) name for a SAML entity. So just set
the entityID parameter of your saml:SP authsource to a URL of your
own choosing, e.g. https://your.example.org/saml/sp
(It does not have to resolve to anything, but it should be in a domain
you control, for sanity, e.g. the hostname where people access your
service + '/saml' at the end, done.)
For things to consider when setting that name/value see
https://wiki.shibboleth.net/confluence/display/concept/EntityNaming
though for a bilateral arrangement that may be overkill.

Once you have the name of your own system you also know what this
stupid[1] IDP implementation seemingly expects you to enter for
"Audience".

-peter

[1] None of what the IDP asks of you should be necessary -- that's
what SAML 2.0 Metadata was created for: A machine- (and human-, XML is
just text, after all) readable *standardised* representation of the
specifics of SAML entities (their names, keys, endpoints, etc.).
Simply feeding your partner the SAML Metadata of your system should
enable it to automatically configure itself for your SP, without
bothering you to manually fill out forms asking for arcane (and
unknown to you) protocol details such as Assertion Consumer Service
URL, target, Issuer, Audience, etc.
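
Added example (not code from this thread or from the SimpleSAMLphp project): Python that reproduces the check behind the SP's "wrong audience" error, to make concrete what Peter says about Audience and entityID. It performs only the AudienceRestriction and Destination checks an SP applies after it has verified the response signature; signature and validity-window checks are deliberately left out, so this is an illustration, not a validator. The response is a constructed, unsigned skeleton. The SP hostname sp.example.org, the explicit entityID https://sp.example.org/saml/sp and the authsource name default-sp are assumptions; the autogenerated entityID follows the metadata.php URL pattern quoted in the thread, and the IdP entityID is the one from the thread's saml20-idp-remote.php.

```python
"""Why an SP rejects an assertion with 'wrong audience'.

Added example; not code from this thread or from SimpleSAMLphp. Only the
AudienceRestriction and Destination checks are shown; signature and time
window checks are omitted on purpose, so never use this on its own.
The SP hostname, explicit entityID and authsource name 'default-sp' are
assumptions; the IdP entityID is the one from the thread's config.
"""
import xml.etree.ElementTree as ET
from typing import Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
IDP_ENTITY_ID = "https://signon.example.org/swPublicSSO/SAML/OurSP"

# The SP as two deployments: an explicit entityID (what Peter recommends)
# and the autogenerated one, which SimpleSAMLphp sets to the metadata URL.
SP_HOST = "https://sp.example.org"
ACS_URL = f"{SP_HOST}/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
EXPLICIT_ENTITY_ID = f"{SP_HOST}/saml/sp"
AUTOGEN_ENTITY_ID = f"{SP_HOST}/simplesaml/module.php/saml/sp/metadata.php/default-sp"


def build_response(audience: str, destination: str) -> str:
    """Constructed IdP response: only the elements the check below reads."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2020-09-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-09-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Conditions NotBefore="2020-09-01T00:00:00Z" NotOnOrAfter="2020-09-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_audience(response_xml: str, sp_entity_id: str, acs_url: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for the Destination and audience checks."""
    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    # Destination, when present, must be the ACS endpoint that received it.
    if destination is not None and destination != acs_url:
        return False, f"Destination {destination} is not our ACS {acs_url}"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "Response carries no Assertion"
    for assertion in assertions:
        # SAML Core 2.5.1.4: every AudienceRestriction present must name us.
        for restriction in assertion.findall("saml:Conditions/saml:AudienceRestriction", NS):
            audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
            if sp_entity_id not in audiences:
                return False, f"wrong audience: assertion is for {audiences}, we are {sp_entity_id}"
    return True, "audience OK"


if __name__ == "__main__":
    # A mismatch like the thread's: IdP form 'Audience' = metadata URL,
    # while the SP's saml:SP authsource carries an explicit entityID.
    print(check_audience(build_response(AUTOGEN_ENTITY_ID, ACS_URL), EXPLICIT_ENTITY_ID, ACS_URL))
    # Fixed: both sides use the same name for the SP.
    print(check_audience(build_response(EXPLICIT_ENTITY_ID, ACS_URL), EXPLICIT_ENTITY_ID, ACS_URL))
```

The third case worth running is AUTOGEN_ENTITY_ID on both sides: with 'entityID' left unset in authsources.php the SP's name is the metadata URL, so entering that URL as Audience is correct for that deployment, and the check passes. Setting an explicit entityID changes the name, and the IdP's Audience field has to follow.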