Exception: Empty SOAP response, check peer certificate.


rofans...@gmail.com

Feb 24, 2016, 1:38:36 PM
to SimpleSAMLphp
Hi all,

I am trying to integrate OpenAM 13 (as IDP) to SimpleSAMLphp as SP.
I have ensured metadata exchanged properly between the two, and I was testing IDP initiated SSO login.

I used HTTP-Artifact binding.

Upon entering my credentials at OpenAM login page I was redirected to my SimpleSAMLphp landing page instead, but it presented me with the following error.
I am not very sure what has happened. Please help me to solve this issue.

FYI on my configuration:

My IDP is running on TLS using a self-signed certificate; I am quite confident that from my IDP side there is nothing wrong.
I have attached authsources.php, config.php & saml20-idp-remote.php for my simpleSAMLphp SP configuration.

Any advice will be highly appreciated.

Best Regards,
Rofans Manao

Unhandled exception

An unhandled exception was thrown.

If you report this error, please also report this tracking number which makes it possible to locate your session in the logs available to the system administrator:

25b685443f

Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/simplesamlphp/www/module.php:170 (N/A)
Caused by: Exception: Empty SOAP response, check peer certificate.
Backtrace:
3 /var/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/SOAPClient.php:118 (SAML2_SOAPClient::send)
2 /var/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/HTTPArtifact.php:120 (SAML2_HTTPArtifact::receive)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:31 (require)
0 /var/simplesamlphp/www/module.php:127 (N/A)

authsources.php
config.php
saml20-idp-remote.php

Peter Schober

Feb 24, 2016, 5:25:03 PM
to SimpleSAMLphp
* rofans...@gmail.com <rofans...@gmail.com> [2016-02-24 19:38]:
> I used HTTP-Artifact binding.

May I ask why?

-peter

Shoaib Ali

Feb 24, 2016, 5:53:53 PM
to simple...@googlegroups.com
Hi Rofans,

I am also interested in knowing why you would rather use Artifact binding.

Artifact binding requires a three-way SSL handshake. You might want to check the following:

- Are the assertions being signed?
- Why the IdP is responding with an empty response (check IdP logs)
- Appropriate certificates are in place and trust can be established between SP and IdP.


- Shoaib




Rofans Manao

Feb 24, 2016, 6:32:56 PM
to simple...@googlegroups.com
Hi Shoaib/Peter,

Not yet verified or affirmed by ForgeRock, but seems like there is a bug in using HTTP-POST binding at OpenAM 13.
This is not confirmed, so please don't use my email as a reference or cite my statement in any other form of communication outside of this posting. Thanks.

Shoaib, regarding your questions, my response follows each question below.

- Are the assertions being signed?
No.
- Why the IdP is responding with an empty response (check IdP logs). 
No SOAP message retrieved by IDP. I am suspecting transmission failed before SP can send SOAP message. Also, may I ask whether SimpleSAMLphp logs incoming/outgoing message?
- Appropriate certificates are in place and trust can be established between SP and IdP.
I have included IDP certificate finger print in saml20-idp-remote.php. Is this not enough? Please advise if so.

If I may ask, what does the PHP file that throws the error (SOAPClient.php) actually do when firing the SOAP request to the SP? I am not PHP savvy, but it seems like there is some processing to verify/check the peer certificate. Please help to give some ideas on this.

Regards,
Rofans Manao

Shoaib Ali

Feb 24, 2016, 7:14:20 PM
to simple...@googlegroups.com
There are other bindings too, although HTTP-Post is what I would recommend.

Sorry, I don't know the answer to logging of incoming/outgoing messages in the context of Artifact Binding. The only logging I can see in SOAPClient is in the send() function.

Unfortunately, being the original author of SOAPClient, I should know it inside out. Refreshing my memory by looking at the code, it looks like you will need these configuration parameters in config.php:

            saml.SOAPClient.certificate
            saml.SOAPClient.privatekey_pass

I have been able to find some references in the documentation regarding them here: https://simplesamlphp.org/docs/stable/saml:sp

            $ctxOpts['ssl']['verify_peer'] = TRUE;
            $ctxOpts['ssl']['verify_depth'] = 1;
            $ctxOpts['ssl']['cafile'] = $peerCertFile;

In essence, the purpose of the SOAPClient PHP file was to communicate with the IdP over a secure channel. Hence this requires validation of SSL keys and certificates etc. It also parses SOAP responses/messages and identifies any Faults.

Just to eliminate OpenAM from the question, you can also try to set up SimpleSAMLphp as an IdP and try to authenticate against the SimpleSAMLphp IdP using Artifact binding.

I hope I could be of more help.

Regards,

Shoaib


Rofans Manao

Feb 25, 2016, 7:05:57 PM
to simple...@googlegroups.com
Hi Shoaib,

Thanks for the kind response.
Your explanation totally makes sense.

I have tried your suggestion, but sadly I still get the same check peer certificate error.
Some clarifications that I would like to ask if I may.

  1. Were you referring to authsources.php instead of config.php? I configured my SP at authsources.php.
  2. Also what is the format accepted for this property? I tried using P12/PFX format. I used Java Keytool to generate the file. The command I used: ./keytool -importkeystore -srckeystore /root/.keystore -alias openam-sa.entiis.com -destkeystore /root/openam-idp.p12 -deststoretype PKCS12.
  3. I have attached my authsources.php and my PFX key file (password => 'password').

Please help to advise whether I have used wrong property/format or whether I have executed some steps wrongly in troubleshooting this error.

Best Regards,
Rofans Manao

Rofans Manao

Feb 25, 2016, 7:09:48 PM
to simple...@googlegroups.com
Sorry for spamming, I missed my attachments earlier.

Regards,
Rofans Manao
openam-idp.pfx
authsources.php

Shoaib Ali

Feb 25, 2016, 8:36:26 PM
to simple...@googlegroups.com
Hi Rofans,

I am sorry, yes, they are supposed to go into authsources. I noticed you are missing this as well:

   'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',



That explains how you should generate the certs too.

Another gotcha with 'saml.SOAPClient.certificate' is that it needs to be a combination of private key and public key. So what you have is correct; PFX is a container for both. I myself just stick them in manually as text.

Regards,

Shoaib



Rofans Manao

Feb 25, 2016, 9:47:00 PM
to simple...@googlegroups.com
Hi Shoaib,

Thanks for the kind response.
I still get the same error sadly.

Could you share with me a sample text file of the private and public key that you mentioned?
P12 is a binary file, so I suspect I have used the wrong format.

Regards,
Rofans Manao

Rofans Manao

Feb 27, 2016, 9:18:46 PM
to simple...@googlegroups.com
Hi Shoaib,

I would like to follow up on the matter below.
By any chance, could you share with me an example of a SOAP client certificate?

Regards,
Rofans Manao

Shoaib Ali

Feb 28, 2016, 1:52:05 AM
to simple...@googlegroups.com
Sorry Rofans, weekend caught up to me.

Here is my example authsources.php: https://gist.github.com/shoaibali/7df2a45fcd0a06bfde9a . Please note the certs and private keys are not valid; they are just for illustrative purposes.

I hope this helps.

Regards,

Shoaib
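The points raised across this thread (Shoaib's description of what SOAPClient does with the SSL stream context, the authsources.php keys 'ProtocolBinding', 'saml.SOAPClient.certificate' and 'saml.SOAPClient.privatekey_pass', and the PEM-not-PKCS#12 format question) can be tied together in one added example. This is not code from the thread, from the linked gist, or from SimpleSAMLphp itself: part 1 is an authsources.php fragment for the Artifact case, part 2 checks that the PEM file it names really holds a matching private key and certificate, and part 3 opens a TLS connection to the IdP using the same verify_peer/verify_depth/cafile options quoted above so the peer-certificate problem can be seen directly instead of as "Empty SOAP response". All hostnames, paths, URLs and the passphrase are assumptions, and the function names checkSoapClientPem and probeIdpTls are mine.

```php
<?php
// Added example, not code from this thread, the linked gist, or SimpleSAMLphp.
// Every hostname, path, URL and passphrase below is an assumption; the
// function names are hypothetical.

// ---- 1. authsources.php fragment (hypothetical values) ------------------
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID' => 'https://sp.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp',
        'idp'      => 'https://idp.example.com/openam',   // entityID as used in saml20-idp-remote.php
        'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
        // Text PEM file holding the SP's private key AND its certificate, not a
        // binary .p12/.pfx. SOAPClient hands it to PHP's SSL stream context as
        // the client certificate for the artifact-resolution SOAP call.
        // Convert a PKCS#12 with:  openssl pkcs12 -in openam-idp.p12 -out sp-soap.pem -nodes
        'saml.SOAPClient.certificate'     => '/var/simplesamlphp/cert/sp-soap.pem',
        'saml.SOAPClient.privatekey_pass' => 'password', // only needed if the key in the PEM is encrypted
    ],
];

// ---- 2. Does the PEM file hold a matching private key + certificate? ----
// Returns a list of problems; an empty list means the file has the shape
// SOAPClient expects (key and certificate together, as text).
function checkSoapClientPem(string $pemFile, ?string $passphrase = null): array
{
    $pem = @file_get_contents($pemFile);
    if ($pem === false) {
        return ["cannot read $pemFile"];
    }
    $problems = [];
    if (strpos($pem, '-----BEGIN CERTIFICATE-----') === false) {
        $problems[] = 'no PEM certificate block (a binary .p12/.pfx will not work here)';
    }
    if (!preg_match('/-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----/', $pem)) {
        $problems[] = 'no PEM private key block';
    }
    if ($problems !== []) {
        return $problems;
    }
    $key  = openssl_pkey_get_private($pem, $passphrase ?? '');
    $cert = openssl_x509_read($pem);
    if ($key === false) {
        $problems[] = 'private key will not load (wrong privatekey_pass?): ' . openssl_error_string();
    }
    if ($cert === false) {
        $problems[] = 'certificate will not parse';
    } elseif ($key !== false && !openssl_x509_check_private_key($cert, $key)) {
        $problems[] = 'private key does not belong to the certificate in the same file';
    }
    if ($cert !== false) {
        $info = openssl_x509_parse($cert);
        if ($info['validTo_time_t'] < time()) {
            $problems[] = 'certificate expired on ' . date('c', $info['validTo_time_t']);
        }
    }
    return $problems;
}

// ---- 3. Reproduce SOAPClient's peer check against the IdP endpoint ------
// $peerCertFile is the IdP certificate from its metadata in PEM form. With
// the options quoted in the thread it is the only trusted CA, so the TLS
// certificate the endpoint presents must be (or chain to) that certificate.
function probeIdpTls(string $artifactResolutionUrl, string $peerCertFile): array
{
    $u   = parse_url($artifactResolutionUrl);
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_depth'      => 1,
        'cafile'            => $peerCertFile,
        'capture_peer_cert' => true,
    ]]);
    $sock = @stream_socket_client(
        'ssl://' . $u['host'] . ':' . ($u['port'] ?? 443),
        $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx
    );
    if ($sock === false) {
        // The kind of transport failure that SOAPClient reports only as
        // "Empty SOAP response, check peer certificate."
        return ['ok' => false, 'error' => trim("$errno $errstr " . openssl_error_string())];
    }
    $peer = stream_context_get_params($ctx)['options']['ssl']['peer_certificate'];
    fclose($sock);
    return [
        'ok'      => true,
        'subject' => openssl_x509_parse($peer)['name'],
        'sha1'    => openssl_x509_fingerprint($peer, 'sha1'),
    ];
}

// ---- usage (run from the CLI; endpoint URL and IdP cert path are placeholders)
$sp       = $config['default-sp'];
$problems = checkSoapClientPem($sp['saml.SOAPClient.certificate'], $sp['saml.SOAPClient.privatekey_pass']);
echo $problems === [] ? "PEM looks usable\n" : "PEM problems:\n - " . implode("\n - ", $problems) . "\n";
print_r(probeIdpTls('https://idp.example.com/ArtifactResolver', '/var/simplesamlphp/cert/openam-idp.pem'));
```

Run part 2 first: if it reports a missing certificate or key block, the file is still the binary container from keytool rather than the text PEM Shoaib describes. Part 3 only passes when the certificate the IdP's artifact-resolution endpoint presents over TLS matches what the SP has for that IdP in metadata; a fingerprint entry alone gives the SP nothing to put in cafile, so the IdP's actual PEM certificate needs to be available to the SP for this check (and, per the thread, for SOAPClient) to succeed.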
