SimpleSamlphp-adfs


mk
Sep 22, 2016, 3:24:30 AM
to SimpleSAMLphp
I am trying to integrate my PHP application with ADFS. I was following this link
lewisroberts.com/2015/09/06/integrating-simplesamlphp-with-adfs-2012r2/ and the SimpleSAMLphp documentation.
I am not getting any result now. After I log in I am directed to a page with the following error. (URL: https://192.168.7.54/simplesaml/module.php/saml/sp/saml2-acs.php/neuro-sp)
HTTP 500 error
That’s odd... the website can’t display this page
The site may be under maintenance or could have a programming error.
Try this
Go back to the last page
I am not able to find any logs in /var/logs/messages for this error.
In my ADFS I have LDAP attributes and outgoing claims as below:
Given Name - Given Name
Surname - Surname
E-Mail-Addresses - E-Mail Address
and transformation rule:
incoming - E-Mail Address
outgoing - NameId
Outgoing - Transient

In the ADFS event viewer I don't have any error.
From the ADFS federation metadata I have created saml20-idp-remote.php (by parsing the XML and converting it to PHP).

I have also edited authsources.php.

In my config.php I have edited
'enable.adfs-idp' => true,
I haven't made any changes to saml20-sp-remote.php.
This is the metadata that SimpleSAMLphp has generated.

I am not sure whether all my configuration is wrong; if yes, I request you to correct me. I am not sure in which file I should include the ReturnTo URL. I am not sure inside which folder I should include the index.php so that after login the user will be directed to that page. I know for you all these are very big doubts and very simple doubts; please spend a few minutes to help me.

All the documentation has mentioned the code to be included. I am new to programming and SimpleSAMLphp. Please help me.


authsources.php
config.php
saml20-idp-remote.php
saml20-sp-remote.php

Jaime Perez Crespo
Sep 22, 2016, 3:28:03 AM
to simple...@googlegroups.com
Hi,

On 22 Sep 2016, at 10:24 AM, mk <mereena...@gmail.com> wrote:
> I am trying to integrate my php application to ADFS. I was following this link
> lewisroberts.com/2015/09/06/integrating-simplesamlphp-with-adfs-2012r2/ and simplesamlphp documentation.
> I am not getting any result now. After I login i am directed to a page with the following error. (URL:https://192.168.7.54/simplesaml/module.php/saml/sp/saml2-acs.php/neuro-sp)
> HTTP 500 error

That’s a web server error, so take a look at the error log of your web server. You will find what’s wrong there.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

mk
Sep 22, 2016, 4:07:53 AM
to SimpleSAMLphp
Thanks very much for the fast reply Jaime... :)
Please help me with this error. Previously I resolved this error by changing the claims.
I am testing the ADFS login using the Windows Server credentials; my credentials are like TESTAD\Administrator and password.
In my ADFS I have LDAP attributes and outgoing claims as below:
Given Name - Given Name
Surname - Surname
E-Mail-Addresses - E-Mail Address
and transformation rule:
incoming - E-Mail Address
outgoing - NameId
Outgoing - Transient


SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: sspmod_saml_Error: Responder
Backtrace:
3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
2 /var/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
0 /var/simplesamlphp/www/module.php:137 (N/A)

Jaime Perez Crespo
Sep 22, 2016, 4:13:27 AM
to simple...@googlegroups.com
Hi,

On 22 Sep 2016, at 11:07 AM, mk <mereena...@gmail.com> wrote:
> Thanks very much for the fast reply Jaime... :)
> Please help me with this error.. Previously i resolved this error by changing the claims.
> I am testing the adfs login , using the windows server credentials. my credentials are like TESTAD\Administrator and password.
> In my adfs i have LDAP attributes and Outgoing claims as below:
> Given Name -Given Name
> Surname - Surname
> E-Mail-Addressses - E-Mail Address
> and Transformation rule :
> incoming - E-Mail Address
> outgoing -NameId
> Outgoing -Transient
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
> Backtrace:
> 0 /var/simplesamlphp/www/module.php:180 (N/A)
> Caused by: sspmod_saml_Error: Responder
> Backtrace:
> 3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
> 2 /var/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
> 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
> 0 /var/simplesamlphp/www/module.php:137 (N/A)

That’s not a SimpleSAMLphp error either. That’s the IdP sending you an error response back, with basically no information at all. You will need to take a look at the IdP’s log to see what triggered the error.

mk
Sep 22, 2016, 4:28:00 AM
to SimpleSAMLphp

Thanks very much for the fast reply Jaime... :)
This is the error I found in the IdP... Would you mind helping me with this? It's a great help for me.
With a quick Google search I found that it's a problem with ADFS. Please advise me.
Error 1:

Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer: 'https://192.168.7.54/simplesaml/module.php/saml/sp/metadata.php/neuralt-sp'.
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Error 2:
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer: 'https://192.168.7.54/simplesaml/module.php/saml/sp/metadata.php/neuralt-sp'.
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)

mk
Sep 22, 2016, 4:42:22 AM
to SimpleSAMLphp


Please ignore the typo in the SP name neuro-sp (everywhere it's consistent). Thanks :)

Jaime Perez Crespo
Sep 22, 2016, 4:48:47 AM
to simple...@googlegroups.com
Hi,

On 22 Sep 2016, at 11:42 AM, mk <mereena...@gmail.com> wrote:
> Thanks very much for the fast reply Jaime... :)
> This is the error I found in IDP... Could you mind helping me with this. its a great help for me.
> With a quick google search i found that its problem with ADFS. Please advice me
> Error1:-
>
> Encountered error during federation passive request.
> Additional Data
> Protocol Name:
> Saml
> Relying Party:
> https://192.168.7.54/simplesaml/module.php/saml/sp/metadata.php/neuralt-sp
> Exception details:
> Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer: 'https://192.168.7.54/simplesaml/module.php/saml/sp/metadata.php/neuralt-sp'.

Well, that’s an error on ADFS, and this is the SimpleSAMLphp mailing list, so you should really be asking someone at Microsoft or at some other ADFS forum rather than here.

I have no experience whatsoever with ADFS, so I can only guess, but I think the error message is pretty clear. It looks like either ADFS got the wrong certificate from you or that it is expecting some signature configuration that doesn’t match what you configured in SimpleSAMLphp.

mk
Sep 22, 2016, 5:02:32 AM
to SimpleSAMLphp
Thanks a lot Jaime,
Could you please advise me in which folder I should place my index.php file and inside which file I should include the redirection link.
Currently in the metadata generated by SimpleSAMLphp I have these; is this the redirection part?
Is this part referring to the redirection? May I check with you whether there is any error with my claims?

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml2-logout.php/neuro-sp"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml2-acs.php/neuro-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml1-acs.php/neuro-sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml2-acs.php/neuro-sp" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml1-acs.php/neuro-sp/artifact" index="3"/>

Peter Schober
Sep 22, 2016, 9:00:50 PM
to SimpleSAMLphp
* mk <mereena...@gmail.com> [2016-09-22 11:06]:
> Could you please advice me in which folder i should place my index.pho file
> and inside which file i should include the redirection link.
> currently in the meta data generated by simplesamlphp i have these, is this
> the redirection part?

No, metadata has nothing to do with the specific protected resource
someone is trying to access. The URLs Metadata contains describe the
endpoints where SAML implementations want SAML protocol messages to be
sent (and how).
The SAML Service Provider implementation (SimpleSAMLphp, in this case)
takes care of redirecting the subject's browser back to the initially
requested resource after all sessions have been created successfully.
(In case of starting at the IDP you yourself have to provide the
resource URL where one should end up after the SAML protocol exchanges
to the IDP, via whatever method the IDP provides for that.)

-peter
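Peter's point about what SP metadata does and does not describe, and Jaime's reading of the MSIS0038 error as a signing-certificate or signature-configuration mismatch, can both be checked against the SP's own metadata. The example below is added here and is not code from this thread or from SimpleSAMLphp: it parses a constructed EntityDescriptor built around the endpoints mk quoted above (with a placeholder byte string standing in for the signing certificate, since the thread contains none) and lists what an IdP such as ADFS can learn from it: the ACS endpoint it will POST the Response to, the NameID formats, and the SHA-1 fingerprint of the signing certificate to compare with the one on the relying party trust. Nothing here is a ReturnTo URL; that is the SP's job after the exchange, exactly as Peter says.

```python
"""Summarise what a SAML 2.0 SP's metadata advertises to an IdP.

Added example, not code from this thread or from SimpleSAMLphp. The metadata
document is constructed around the endpoints quoted in the thread; the
certificate in it is a placeholder byte string, not a real X.509 certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the DER bytes of the SP signing certificate.
PLACEHOLDER_CERT_DER = b"placeholder-not-a-real-certificate"

# Constructed SP metadata built around the endpoint fragment quoted in the thread.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://192.168.7.54/simplesaml/module.php/saml/sp/metadata.php/neuro-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml2-logout.php/neuro-sp"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml2-acs.php/neuro-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml1-acs.php/neuro-sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml2-acs.php/neuro-sp" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://192.168.7.54/simplesaml/module.php/saml/sp/saml1-acs.php/neuro-sp/artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of raw bytes: the fingerprint form ADFS and openssl display."""
    return hashlib.sha1(data).hexdigest()


def summarize_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, endpoints, NameID formats and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    def endpoints(tag):
        return [
            {"binding": e.get("Binding"), "location": e.get("Location"),
             "index": int(e.get("index")) if e.get("index") is not None else None}
            for e in sp.findall(tag, NS)
        ]

    fingerprints = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(sha1_hex(der))

    return {
        "entity_id": root.get("entityID"),
        "acs": endpoints("md:AssertionConsumerService"),
        "slo": endpoints("md:SingleLogoutService"),
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha1": fingerprints,
    }


def idp_response_target(summary: dict):
    """Where a SAML 2.0 IdP such as ADFS posts its Response: the HTTP-POST ACS endpoint."""
    for ep in summary["acs"]:
        if ep["binding"] == SAML2_HTTP_POST:
            return ep["location"]
    return None


def diagnose(summary: dict) -> list:
    """Findings to check on the IdP side when it rejects the SP's signed request (MSIS0038)."""
    findings = []
    if summary["signing_cert_sha1"]:
        findings.append("compare SHA-1 %s with the signature certificate on the ADFS relying party trust"
                        % ", ".join(summary["signing_cert_sha1"]))
    else:
        findings.append("no signing certificate in metadata: the IdP cannot verify signed requests")
    if idp_response_target(summary) is None:
        findings.append("no HTTP-POST AssertionConsumerService: the IdP has nowhere to post the Response")
    return findings


if __name__ == "__main__":
    s = summarize_sp_metadata(SP_METADATA)
    print("entityID:", s["entity_id"])
    for ep in s["acs"]:
        print("ACS[%s] %s -> %s" % (ep["index"], ep["binding"], ep["location"]))
    print("IdP will POST the Response to:", idp_response_target(s))
    for finding in diagnose(s):
        print("check:", finding)
```

Run it against the metadata your SP actually serves (the metadata.php URL in the error above) and compare the printed fingerprint with the signature certificate ADFS holds for the relying party; a mismatch there, or an SP configured to sign requests while the trust has no signature certificate at all, is the kind of mismatch Jaime describes.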