SimpleSAMLphp and assertion decryption


jacob

unread,
Sep 26, 2013, 8:33:39 PM9/26/13
to simple...@googlegroups.com
Hi, I've been having some trouble configuring SAML and simpleSAMLphp to work as a very bare-bones single-sign-on service (for a Moodle site).  I wish I could pinpoint the trouble I'm having down to a single question, but honestly it's really been one problem after another, with each solution just generating more problems.

With that in mind, has anybody come across any simple, easy-to-follow instructions on any of the following?
  • Installing and configuring simpleSAMLphp on a server
  • Encrypting/Decrypting SAML assertions
  • SAML / Moodle integration (yes, I know there are plugins, but none seem to work properly for me -- errors upon errors)

Honestly, if I could find an easily implementable way of decrypting a SAML assertion, I would be essentially good to go here, but I've been trying to figure out SimpleSAML and some Moodle plugins to accomplish this, and nothing goes smoothly (or even close to it).

Again, I know I'm being vague, and apologize, but I'm out of ideas, and out of time.  If anybody has any expert knowledge or handy resources to share regarding this, I would be extremely grateful.

Thanks much,
-- Jacob

Peter Schober

unread,
Sep 27, 2013, 6:56:55 AM9/27/13
to simple...@googlegroups.com
* jacob <ja...@vtrainingroom.com> [2013-09-27 09:17]:
> Hi, I've been having some trouble configuring SAML and simpleSAMLphp to
> work as a very bare-bones single-sign-on service (for a Moodle site). I
> wish I could pinpoint the trouble I'm having down to a single question, but
> honestly it's really been one problem after another, with each solution
> just generating more problems.
>
> With that in mind, has anybody come across any simple, easy-to follow
> instructions on any of the following?
>
> - Installing and configuring simpleSAMLphp on a server

http://simplesamlphp.org/docs/stable/simplesamlphp-install

> - Encrypting/Decrypting SAML assertions

Requires no extra work on your side, the software handles all that
automagically (otherwise there would be no point in using it, would
there?).

> - SAML / Moodle integration (yes, I know there are plugins, but
> none seem to work properly for me -- errors upon errors)

You'd need to ask the author of each plugin about problems, via whatever
forum they prefer (some Moodle list, possibly).

> Honestly, if I could find an easily implementable way of decrypting
> a SAML assertion, I would be essentially good to go here, but I've
> been trying to figure out SimpleSAML and some Moodle plugins to
> accomplish this, and nothing goes smoothly (or even close to it).

There is nothing to do about decryption or SAML or anything. That's
what SSP does for you.

> Again, I know I'm being vague, and apologize, but I'm out of ideas,
> and out of time.

No problem, we'll just spend ours then so you don't have to. For free.
-peter

Peter Schober

unread,
Sep 27, 2013, 7:03:37 AM9/27/13
to simple...@googlegroups.com
* Peter Schober <peter....@univie.ac.at> [2013-09-27 12:57]:
> > - Installing and configuring simpleSAMLphp on a server
>
> http://simplesamlphp.org/docs/stable/simplesamlphp-install

If you're setting up and running an IdP of your own you'll have two SSP
installs, one configured as an IdP (see the docs), one (protecting
Moodle) set up as an SP.
http://simplesamlphp.org/docs/stable/simplesamlphp-idp
http://simplesamlphp.org/docs/stable/simplesamlphp-sp

If you're using an existing IdP (run elsewhere) you only need the
latter.
I would try to get that running and integrated so that logins to the
SP work, using the IdP. Only after that look at Moodle and how to
integrate the SP with that.

Maybe someone can recommend a Moodle plugin for SSP (why should there
ever be more than one?), I've only ever used Moodle with the
Shibboleth SP and Moodle comes with the plugin for that upstream/out
of the box.
-peter

comel

unread,
Sep 27, 2013, 7:37:18 AM9/27/13
to simple...@googlegroups.com, peter....@univie.ac.at

On Friday, September 27, 2013 1:03:37 PM UTC+2, Peter Schober wrote:

Maybe someone can recommend a Moodle plugin for SSP (why should there
ever be more than one?), I've only ever used Moodle with the
Shibboleth SP and Moodle comes with the plugin for that upstream/out
of the box.


There is a moodle SAML auth plugin which uses SSP...

https://github.com/pitbulk/moodle_saml

Sixto Martin

unread,
Sep 27, 2013, 7:44:11 AM9/27/13
to simple...@googlegroups.com
I'm the maintainer of the plugin:
https://github.com/pitbulk/moodle_saml


If you explain your problems we can debug and fix them. That plugin is working properly in many institutions.

If problems are related to simpleSAMLphp we can talk here, if are related to the plugin configuration you can mail me.



2013/9/27 comel <andjelko.h...@gmail.com>




--
Sixto Pablo Martín García
Ingeniero Informático
Yaco Sistemas SL
Teléfono +34 954 50 00 57
C/Rioja 5-1ª Planta
41001 Sevilla

Raj Sekhar

unread,
Jan 17, 2014, 7:46:53 AM1/17/14
to simple...@googlegroups.com
Hi There,

We are having the same struggle in getting the actual value entered in the application to log in. -- Please find the image attached.
This is taken from the SAML tracer of Firefox. We are entering an Email id of the user and we are getting a persistent value of b9717f5f6851d39b68c711040240501cb12874a0.
Not sure why I am getting the encrypted value for this value and we are not able to login to the application.

I just need to find is this the configuration mistake made on Service provider or Identity provider.
I found something from google to have the value from IDP to be encrypted in the below URL:
http://simplesamlphp.org/docs/1.5/simplesamlphp-reference-sp-remote#section_2_1

Please help me how to handle this from my end which is IDP to decrypt the value coming from SP.

Thanks in advance.
Raja
simplesamlasserstion.jpg

Peter Schober

unread,
Jan 17, 2014, 9:01:56 AM1/17/14
to simple...@googlegroups.com
* Raj Sekhar <raj....@gmail.com> [2014-01-17 13:47]:
> We are having the same struggle in getting the actual value entered in the
> application to logging in. -- Please find the image attached.
> This is taken from the saml tracer of firefox. We are entering a Email id
> of the user and we are getting a persistent value of
> *b9717f5f6851d39b68c711040240501cb12874a0.*Not sure why am I getting the
> encrypted value for this value and we are not able to login to the
> application.

This is not about decryption (nor Moodle), so you're not having the
same problem.
The value is /not/ encrypted. If that string is not what you expect (it
certainly isn't a valid email address) you'll need to fix what the IdP
sends as a NameID.
-peter

Raj Sekhar

unread,
Jan 17, 2014, 9:40:10 AM1/17/14
to simple...@googlegroups.com, peter....@univie.ac.at
Really appreciate your quick response.
The response from client states that it is a problem with service provider not the IDP -- because they are holding the IDP and we are holding the SP.

So to get a clear explanation of what is wrong from their end, I need few inputs from your side.
Where exactly there would be the value in the IDP to set if the property to email id?

We have provided them few parameters to configure the NameIDFormat from the IDP as below:
1. urn:oasis:names:tc:SAML:2.0:nameid-format:transient
2. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
3. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
We requested them to provide the emailAddress parameter. Even after that we were really struggling to get to a solution for this.
P.S: They are using MySQL as a db to hold the username and other credentials.

It would be very great working with you offline at raj....@gmai.com if you don't have any issues.

Peter Schober

unread,
Jan 17, 2014, 10:57:41 AM1/17/14
to simple...@googlegroups.com
* Raj Sekhar <raj....@gmail.com> [2014-01-17 15:40]:
> The response from client states that it is a problem with service
> provider not the IDP -- because they are holding the IDP and we are
> holding the SP.

The assertion had a NameID of name format
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress with the string
value "b9717f5f6851d39b68c711040240501cb12874a0", which clearly is not
an email address. It's as simple as that. There's nothing anyone can
add to that (or make this the SP's fault, somehow).

> So to get a clear explanation of what is wrong from their end, I
> need few inputs from your side.

You have eyes and a brain yourself: Does the NameID value sent look
like an email address to you? It does not, hence your (mistaken)
assumption that it /might/ still be an email address, but possibly an
encrypted one. Well, that is not the case.
(If they expect you to do post-processing on string values -- that are
not literally email addresses -- according to some private business
arrangement outside SAML you'll have to ask the IDP about that.)

> Where exactly there would be the value in the IDP to set if the
> property to email id?

Not sure I understand that sentence.
If you're asking what the IdP would need to do to send an email
address as a NameID value that depends on the SAML implementation the
IDP is using.

> Please help me how to handle this from my end which is IDP to
> decrypt the value coming from SP.

This is not how open source community support works.

If you intend to buy commercial support the SSP website lists a couple
providers (though with the exception of Yaco none of these ever showed
up or contributed anything here, AFAICT; nyrup sent a bug report 6
years ago, from the others I can't find any emails or issue reports --
unless they're using gmail or some other generic provider, of course.).
-peter

Raj Sekhar

unread,
Jan 17, 2014, 1:02:21 PM1/17/14
to simple...@googlegroups.com, peter....@univie.ac.at
That's really a great explanation, and I got this fixed from the configuration change from the IDP side as below:

'NameIDFormat'=>'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'simplesaml.nameidattribute'=>'username',
'simplesaml.attributes'=>TRUE,
*'encryption'=>false,*

The value which has been bold in the above has been added just below the NameIDFormat container.
Hope this helps for other people.

Peter Schober

unread,
Jan 17, 2014, 1:22:04 PM1/17/14
to simple...@googlegroups.com
* Raj Sekhar <raj....@gmail.com> [2014-01-17 19:02]:
> That's really a great explanation. and i got this fixed from the
> configurations change from the IDP side as below:
>
> 'NameIDFormat'=>'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
> 'simplesaml.nameidattribute'=>'username',
> 'simplesaml.attributes'=>TRUE,
> *'encryption'=>false,*
>
> The value which has been bold in the above has been added just below the
> NameIDFormat container.
> Hope this helps for other people.

I doubt it. First you said you're only controlling the SP:

* Raj Sekhar <raj....@gmail.com> [2014-01-17 15:40]:
> The response from client states that it is a problem with service
> provider not the IDP -- because they are holding the IDP and we are
> holding the SP.

and never even mentioned what SAML implementation the IDP was using.

More importantly, you posted an unencrypted NameID which you got from
the web browser (i.e., in transit from the IdP to the SP):

* Raj Sekhar <raj....@gmail.com> [2014-01-17 13:47]:
> Please find the image attached. This is taken from the saml tracer
> of firefox.

And none of the information in that screenshot has been encrypted by
the IdP, otherwise SAML tracer couldn't have shown the content. (Also
it would have been an <saml:EncryptedID> then.)
SAML tracer has no access (or method) to decrypt anything in transit
as it does not have access to the SP's private key (if the SP even has
a key pair for SAML protocol messages).
The content (CDATA) of the NameID is a string, but not an email
address for reasons private to the IDP.

So adding that one line above (whatever that does; I can't find this
parameter in the documentation) cannot sensibly make the NameID value
(it's CDATA) from what you showed before to what you said it is now
(an email address).

Anyway, glad you got it to work, however that happened.
-peter
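As an added example (not code from the thread or from SimpleSAMLphp), the check Peter describes can be automated: parse the assertion's Subject, report whether it carries a cleartext <saml:NameID> or an <saml:EncryptedID>, and, for a cleartext value, test whether it is consistent with its declared Format. The two assertions are constructed samples; the hex string is the one quoted in this thread and the CipherValue is placeholder base64.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def inspect_subject(assertion_xml):
    """Return {'encrypted', 'format', 'value', 'consistent'} for the assertion's Subject.

    'consistent' is True/False when the cleartext value can be checked against its
    declared Format, and None for an EncryptedID or a Format with no checkable rule.
    """
    root = ET.fromstring(assertion_xml)
    subject = root.find(f"{{{SAML}}}Subject")
    if subject is None:
        raise ValueError("assertion has no <saml:Subject>")
    if subject.find(f"{{{SAML}}}EncryptedID") is not None:
        # Only the holder of the SP's private key can recover this NameID, so a
        # browser-side tracer could never have displayed the value in cleartext.
        return {"encrypted": True, "format": None, "value": None, "consistent": None}
    nameid = subject.find(f"{{{SAML}}}NameID")
    if nameid is None:
        raise ValueError("Subject has neither <saml:NameID> nor <saml:EncryptedID>")
    fmt = nameid.get("Format", FMT_UNSPECIFIED)
    value = (nameid.text or "").strip()
    if fmt == FMT_EMAIL:
        consistent = EMAIL_RE.match(value) is not None  # must really look like an address
    elif fmt in (FMT_PERSISTENT, FMT_TRANSIENT):
        consistent = 0 < len(value) <= 256               # SAML core caps these at 256 chars
    else:
        consistent = None
    return {"encrypted": False, "format": fmt, "value": value, "consistent": consistent}


# Constructed sample: cleartext NameID declared as emailAddress but carrying an opaque hash.
CLEAR_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"><saml:Subject>
<saml:NameID Format="{FMT_EMAIL}">b9717f5f6851d39b68c711040240501cb12874a0</saml:NameID>
</saml:Subject></saml:Assertion>"""

# Constructed sample: the Subject carried as <saml:EncryptedID>; CipherValue is placeholder base64.
ENC_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a2" Version="2.0"><saml:Subject>
<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherData><xenc:CipherValue>ZmFrZS1jaXBoZXJ0ZXh0</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></saml:EncryptedID></saml:Subject></saml:Assertion>"""
```

Running inspect_subject on the first sample reports a cleartext, emailAddress-formatted NameID whose value is not consistent with that Format, which is exactly the mismatch to raise with whoever operates the IdP.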

