How to Set Up IDP-initiated SSO POST?


David P

Jun 3, 2013, 11:59:51 AM
to simple...@googlegroups.com
Our most recent SP uses this type of authentication method instead of our usual way of A) redirect to SP, B) redirect back to our IdP with SAMLResponse token.

They provided me these two example pages on how it works:


My question is how would I configure simplesaml to function this way? I only know how to get the login page to appear after we have the AuthState querystring in the address bar.

Daniel Tsosie

Jun 3, 2013, 1:29:49 PM
to simple...@googlegroups.com
That is what a normal sp-idp relationship looks like.

http://simplesamlphp.org/docs/stable/simplesamlphp-sp

2,3,4 are the relevant steps to adding an IdP to your SP.

Tom Scavo

Jun 3, 2013, 4:10:18 PM
to simpleSAMLphp
On Mon, Jun 3, 2013 at 11:59 AM, David P <david.p...@gmail.com> wrote:
> Our most recent SP uses this type of authentication method instead of our
> usual way of A) redirect to SP, B) redirect back to our IdP with
> samlresponse token
>
> They provided me these two example pages on how it works:
>
> http://documentation.pingidentity.com/display/PF66/IdP-Initiated+SSO--POST
> http://saml.xml.org/wiki/idp-initiated-single-sign-on-post-binding
>
> My question is how would I configure simplesaml to function this way?

Is this what you're looking for?

http://simplesamlphp.org/docs/stable/simplesamlphp-idp-more#section_4

Hope this helps,

Tom

David P

Jun 3, 2013, 4:25:26 PM
to simple...@googlegroups.com
A much easier approach, if it works! It seems fundamentally different from the above recommendation, but I am not sure which one will be successful yet.

Where do I acquire the actual value of 'urn:mace:feide.no:someservice' in the example querystring? I have two string formats that are similar to this in our sp-remote file; Binding and NameIDFormat indexes. Should I look somewhere else?

David P

Jun 3, 2013, 4:26:12 PM
to simple...@googlegroups.com
Thank you for the page reference! I'm starting to go through it and have questions based on our current setup of SP-initiated SSO Redirect POST.

  1. Is it easier for me to reinstall from scratch instead of modifying what I already have configured (saml20-sp-remote / saml20-idp-hosted)?
  2. If the answer is 'no' for #1, in #2, where do I acquire the certFingerprint value?
  3. In #4, is the Feide OpenIdP login necessary to get the necessary metadata, or is this only for testing purposes with OpenIdP?

Tom Scavo

Jun 3, 2013, 4:30:58 PM
to simpleSAMLphp
On Mon, Jun 3, 2013 at 4:25 PM, David P <david.p...@gmail.com> wrote:
> A much easier approach, if it works! I seems fundamentally different from
> the above recommendation, but I am not sure which one will be successful
> yet.

It's up to the IdP how to initiate an unsolicited response, and since
it's not defined in the standard, every IdP implementation has its own
approach. This matters not to the SP, however---all the SP cares about
is the resulting SAML assertion.

> Where do I acquire the actual value of 'urn:mace:feide.no:someservice' in
> the example querystring?

That is the SP's entityID.

Tom

David P

Jun 4, 2013, 8:46:39 AM
to simple...@googlegroups.com
Am I still considered the IdP when the SP is performing both functions in this instance?

Tom Scavo

Jun 4, 2013, 9:27:53 AM
to simpleSAMLphp
On Tue, Jun 4, 2013 at 8:46 AM, David P <david.p...@gmail.com> wrote:
> Am I still considered the IdP when the SP is performing both functions in
> this instance?

Sorry, you lost me. The IdP is issuing an unsolicited SAML response to
the SP. By "unsolicited" I mean the SP doesn't issue an AuthnRequest
as usual. The IdP says "hey, you didn't ask for one, but here's a SAML
assertion for my user."

Tom

David P

Jun 4, 2013, 12:45:51 PM
to simple...@googlegroups.com
I tried the query string append; it seems to work correctly.


But after I log in with credentials, the page fails to reload and I get this in my saml error log:

Jun 04 12:37:23 simplesamlphp NOTICE STAT [722abf7b8c] saml20-idp-SSO-first http://www.webtma.net http://xxx.jefferson.edu/simplesaml/saml2/idp/metadata.php NA
Jun 04 12:37:23 simplesamlphp NOTICE STAT [722abf7b8c] saml20-idp-SSO http://www.webtma.net http://xxx.jefferson.edu/simplesaml/saml2/idp/metadata.php NA

Tom Scavo

Jun 4, 2013, 3:03:00 PM
to simpleSAMLphp
On Tue, Jun 4, 2013 at 12:45 PM, David P <david.p...@gmail.com> wrote:
> I tried the query string append seems to work correctly.
>
> http:/xxx.jefferson.edu/simplesaml/saml2/idp/SSOService.php?spentityid=http://www.webtma.net
>
> But after I log in with credentials, the page fails to reload and I get this
> in my saml error log:
>
> Jun 04 12:37:23 simplesamlphp NOTICE STAT [722abf7b8c] saml20-idp-SSO-first
> http://www.webtma.net
> http://xxx.jefferson.edu/simplesaml/saml2/idp/metadata.php NA
> Jun 04 12:37:23 simplesamlphp NOTICE STAT [722abf7b8c] saml20-idp-SSO
> http://www.webtma.net
> http://xxx.jefferson.edu/simplesaml/saml2/idp/metadata.php NA

Someone else with more knowledge about SSP will have to take a look at that.

Tom

David P

Jun 4, 2013, 4:44:30 PM
to simple...@googlegroups.com
This is an example URL I get back from the SP after initiating. My credentials are being validated correctly (I entered wrong data intentionally):

David P

Jun 5, 2013, 4:12:47 PM
to simple...@googlegroups.com
I retrieved more relevant log data as well as installing SAML Tracer.

SAML Tracer:

GET http://cvm145.jefferson.edu/simplesaml/saml2/idp/SSOService.php?spentityid=http://www.webtma.net HTTP/1.1
GET http://cvm145.jefferson.edu/simplesaml/module.php/core/loginuserpass.php?AuthState=_3b8f85bd1797417bd9460921276ea07c75400b6de3%3Ahttp%3A%2F%2Fcvm145.jefferson.edu%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3Dhttp%253A%252F%252Fwww.webtma.net%26cookieTime%3D1370462820 HTTP/1.1

After I submit my login form, no more tracing entries occur.
======================================================================

simplesamlphp.log

Jun 05 16:07:27 simplesamlphp DEBUG [722abf7b8c] Loading state: '_3b8f85bd1797417bd9460921276ea07c75400b6de3:http://cvm145.jefferson.edu/simplesaml/saml2/idp/SSOService.php?spentityid=http%3A%2F%2Fwww.webtma.net&cookieTime=1370462820'
Jun 05 16:07:27 simplesamlphp DEBUG [722abf7b8c] Loading state: '_3b8f85bd1797417bd9460921276ea07c75400b6de3:http://cvm145.jefferson.edu/simplesaml/saml2/idp/SSOService.php?spentityid=http%3A%2F%2Fwww.webtma.net&cookieTime=1370462820'
Jun 05 16:07:27 simplesamlphp DEBUG [722abf7b8c] Library - LDAP __construct(): Setup LDAP with host='jds.jefferson.edu', tls=false, debug=false, timeout=0
Jun 05 16:07:27 simplesamlphp DEBUG [722abf7b8c] Library - LDAP bind(): Bind successful with DN 'uid=abc123,ou=people,dc=jefferson,dc=edu'
Jun 05 16:07:27 simplesamlphp DEBUG [722abf7b8c] Library - LDAP getAttributes(): Getting all attributes from DN 'uid=abc123,ou=people,dc=jefferson,dc=edu'
Jun 05 16:07:28 simplesamlphp DEBUG [722abf7b8c] Library - LDAP getAttributes(): Found attributes '(userPassword,postalCode,tjuAccess,mailHost,rfc822MailAlias,cn,displayName,eduPersonAffiliation,givenName,ou,sn,tjuAcctStatus,tjuCampusKey,tjuDOB,tjuGender,tjuMiddleName,tjuNamePrefix,uid,mail,lmPassword,ntPassword,tjuPassword,tjuModTimestamp,tjuAcctExpDate,tjuIdentID,tjuPeopleSoftID,objectClass)'
Jun 05 16:07:28 simplesamlphp DEBUG [722abf7b8c] Deleting state: '_3b8f85bd1797417bd9460921276ea07c75400b6de3'
Jun 05 16:07:28 simplesamlphp DEBUG [722abf7b8c] Session: doLogin("jefferson-ldap")
Jun 05 16:07:28 simplesamlphp DEBUG [722abf7b8c] Session: Valid session found with 'jefferson-ldap'.
Jun 05 16:07:28 simplesamlphp DEBUG [722abf7b8c] Session: Valid session found with 'jefferson-ldap'.
Jun 05 16:07:28 simplesamlphp DEBUG [722abf7b8c] Filter config for http://cvm145.jefferson.edu/simplesaml/saml2/idp/metadata.php->http://www.webtma.net: array (  0 =>   sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 30,  )),  1 =>   sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array(     'attribute' => 'realm',     'typeTag' => 'saml20-idp-SSO',     'priority' => 45,  )),  2 =>   sspmod_core_Auth_Process_AttributeLimit::__set_state(array(     'allowedAttributes' =>     array (    ),     'isDefault' => false,     'priority' => 50,  )),  3 =>   sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 99,  )),)
Jun 05 16:07:28 simplesamlphp NOTICE STAT [722abf7b8c] saml20-idp-SSO-first http://www.webtma.net http://cvm145.jefferson.edu/simplesaml/saml2/idp/metadata.php NA
Jun 05 16:07:28 simplesamlphp NOTICE STAT [722abf7b8c] saml20-idp-SSO http://www.webtma.net http://cvm145.jefferson.edu/simplesaml/saml2/idp/metadata.php NA
Jun 05 16:07:28 simplesamlphp INFO [722abf7b8c] Sending SAML 2.0 Response to 'http://www.webtma.net'

Same with above, after I submit my login page, I get a connection reset error and the logging ends above.

=================================================

Daniel Tsosie

Jun 5, 2013, 5:18:40 PM
to simple...@googlegroups.com

I suspect your PHP Error log will have the real cause of the problem. Maybe a binary field from ldap?


-Dan Tsosie


David P

Jun 6, 2013, 9:24:52 AM
to simple...@googlegroups.com, dts...@godaddy.com
I did not have PHP logging enabled until now, so I'll have to run a few more tests.

Diego Arbelaez

Sep 24, 2013, 3:54:45 PM
to simple...@googlegroups.com
Where is that unsolicited request sent (POST) to?

I have a somewhat novice question - I've been able to successfully implement SimpleSAMLphp SSO when the SP (me) initiates the SSO request - I am now in the process of implementing it when the IdP (remote client) initiates the SSO request via POST - the client supplies the encrypted "SAMLResponse" via a POST - 2 questions: where should they be posting it to exactly (i.e. a sample URL)? I've been trying to track it down in the SAML docs but cannot seem to find my scenario. I do not have access to my client's IdP as it sits behind their firewall - so I implemented the SimpleSAMLphp IdP, which I got working.


On Tuesday, June 4, 2013 9:27:53 AM UTC-4, Tom Scavo wrote:

Peter Schober

Sep 24, 2013, 6:25:55 PM
to simple...@googlegroups.com
* Diego Arbelaez <diegoa...@gmail.com> [2013-09-24 23:10]:
> Where is that unsolicited request sent (POST) to?

To the AssertionConsumerService Location of that Binding.

> I have a somewhat novice question - I've been able to successfully
> implement SimpleSAMLphp SSO when the SP (me) initiates the SSO request - I
> am now in the process of implementing it when the IdP (remote client)
> initiates the SSO request via post - client supplies the encrypted
> "SAMLResponse" via a post - 2 questions, where should they be posting it to
> exactly(i.e. sample url)

The Location or Binding for the transmission of the SAML response
(from the IdP) does not change only because no prior authentication
request (from the SP) was received.
-peter
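Tom's description of the unsolicited response (no AuthnRequest, so no InResponseTo) and Peter's answer that it is delivered to the ACS Location of the POST binding, shown as an added example that is not code from this thread or from simpleSAMLphp. It assumes the IdP and SP names seen in David's logs, an invented ACS path, and that XML signature and validity-window checks happen elsewhere.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def idp_initiated_url(sso_service, sp_entity_id, relay_state=None):
    """Link that starts IdP-initiated SSO in simpleSAMLphp: the IdP's SSOService.php
    with the SP's entityID as the URL-encoded 'spentityid' parameter."""
    params = {"spentityid": sp_entity_id}
    if relay_state is not None:
        params["RelayState"] = relay_state  # where the SP sends the user afterwards
    return sso_service + "?" + urlencode(params)

def check_unsolicited_response(xml_text, sp_entity_id, acs_url, idp_entity_id):
    """SP-side checks for a Response that arrived without a prior AuthnRequest.
    Signature and validity-window verification are assumed to happen elsewhere.
    Returns a list of problems; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["top-level element is not samlp:Response"]
    problems = []
    # An unsolicited response carries no InResponseTo; if one is present the SP
    # must treat the message as solicited and match it to a stored AuthnRequest ID.
    if root.get("InResponseTo") is not None:
        problems.append("InResponseTo present: not an unsolicited response")
    # Destination must be the ACS Location of the HTTP-POST binding that received it.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    if root.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        problems.append("Issuer is not the expected IdP entityID")
    audiences = [a.text for a in root.iter(f"{{{SAML}}}Audience")]
    if sp_entity_id not in audiences:
        problems.append(f"SP entityID not in AudienceRestriction {audiences}")
    return problems

# Constructed sample: IdP and SP names from the thread; ACS path and IDs are invented.
IDP = "http://cvm145.jefferson.edu/simplesaml/saml2/idp/metadata.php"
SP = "http://www.webtma.net"
ACS = "http://www.webtma.net/sso/acs"  # placeholder ACS Location for the POST binding
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_r1" Version="2.0" IssueInstant="2013-06-05T16:07:28Z" Destination="{ACS}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-06-05T16:07:28Z">
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

The generated link matches the `spentityid=http%3A%2F%2Fwww.webtma.net` form that appears in David's simplesamlphp.log above.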

shruti gupta

Nov 22, 2013, 4:36:42 AM
to simple...@googlegroups.com
Hi,

I am also facing the problem when setting up the IdP (Identity Provider) to initiate SSO (Single Sign On).

We have set up our own IdP using the following URL:

I am configuring to connect to the SP (service provider) as springcm. On the Springcm, I am using the following details:

IdP name : http://www.springcm.com

URL Identifier : https://www.springcm.com/atlas/sso/Prod

Single Sign-On URL : https://na11.springcm.com/atlas/Dashboard/Dashboard.aspx?aid=xxxx

Single Logout URL : https://na11.springcm.com/atlas/SSO/Logout.ashx

Certificate Fingerprint : 00:00:00:00:00:00:00:some value:00

Here I do not get any errors, but the IdP does not call the SP at all using the simplesamlphp code.

How should I test and call the SP when a user logs in? Please can somebody help; we are stuck...


Peter Schober

Nov 22, 2013, 5:25:13 AM
to simple...@googlegroups.com
* shruti gupta <shrutis...@gmail.com> [2013-11-22 10:43]:
> I am configuring to connect to SP(service provider) as springcm. On
> the Springcm, I am using the following details:
>
> IdP name : http://www.springcm.com

In the screenshot you sent in the other email/thread you have
"https://www.springcm.com/atlas/sso/Prod" as the entityID (globally
unique name) of the SP.
I don't know what it should be (the vendor will be able to tell you).

> URL Identifier : https://www.springcm.com/atlas/sso/Prod

URL identifier doesn't say what this is for either. Ask the vendor.
Looks like a URL to trigger SP-initiated logins.
That one actually has a name that means something.

> Here I do not get any errors but the idp does not call the sp at all
> using the simplesamlphp code.

First, you'll need correct SAML metadata for the SP, including an ACS
URL. Only the SP will be able to tell you what is correct.
Then you'll need to describe the technical steps you have done so far,
and what the actual errors or behaviour were you've got.
Also include what SSP documentation you've consulted so far.
-peter