Error when testing Service Provider
761 views
Skip to first unread message
ammu.n...@gmail.com
May 22, 2017, 8:51:28 AM5/22/17
to SimpleSAMLphp
I have setup a Service Provider for a php application using Simple SAML. I have followed the steps in the documentation (https://simplesamlphp.org/docs/stable/simplesamlphp-sp), but I am getting an error when testing the authentication sources, after entering the credentials. I am not very familiar with SAML and SSO; could someone please guide me to figure out what is happening.
Is there any other way to test and ensure that the SP is configured correctly. Any help would be highly appreciated.
Thanks,
Ammu
Jaime Perez Crespo
May 23, 2017, 5:43:26 AM5/23/17
to SimpleSAMLphp
Hi,
On 22 May 2017, at 14:51 PM, ammu.n...@gmail.com wrote:
> I have setup a Service Provider for a php application using Simple SAML. I have followed the steps in the documentation (https://simplesamlphp.org/docs/stable/simplesamlphp-sp), but I am getting an error when testing the authentication sources, after entering the credentials. I am not very familiar with SAML and SSO; could someone please guide me to figure out what is happening.
That is NOT an error. That is the SAML request you are sending to the IdP. Nothing wrong about it.
> Is there any other way to test and ensure that the SP is configured correctly. Any help would be highly appreciated.
If there is really an error, it would help knowing what error is that. In any case, you’ll need to contact the IdP to know what’s going on if you don’t get to authenticate at the IdP.
--
Jaime Pérez
UNINETT / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
On 22 May 2017, at 14:51 PM, ammu.n...@gmail.com wrote:
> I have setup a Service Provider for a php application using Simple SAML. I have followed the steps in the documentation (https://simplesamlphp.org/docs/stable/simplesamlphp-sp), but I am getting an error when testing the authentication sources, after entering the credentials. I am not very familiar with SAML and SSO; could someone please guide me to figure out what is happening.
> Is there any other way to test and ensure that the SP is configured correctly. Any help would be highly appreciated.
--
Jaime Pérez
UNINETT / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
ammu.n...@gmail.com
May 24, 2017, 8:03:52 AM5/24/17
to SimpleSAMLphp
Hi Jaime,
Thanks for your reply. When I attempt to login, I get a message that an error has occurred. I could'nt find any further details of the error; just noticed the below from the SAML chrome extension installed. The GET request has a status of 200, which is OK; but the POST request has a status of 302. Would you be able to give some inputs as to what could be going wrong - at my end or at the IDP end. I have attached a screen grab of the response. Or can you please advise how to find whats wrong ?
Thanks a lot,
Ammu
Peter Schober
May 24, 2017, 8:39:46 AM5/24/17
to SimpleSAMLphp
* ammu.n...@gmail.com <ammu.n...@gmail.com> [2017-05-24 14:03]:
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#3xx_Redirection
> Would you be able to give some inputs as to what could be going
> wrong - at my end or at the IDP end. I have attached a screen grab
> of the response. Or can you please advise how to find whats wrong ?
If a MS-ADFS system gives you an error message it is the MS-ADFS
system's logs you'll need to look into. I.e., the system that produces
the error, which is not SimpleSAMLphp.
-peter
> Thanks for your reply. When I attempt to login, I get a message that an
> error has occurred. I could'nt find any further details of the error; just
> noticed the below from the SAML chrome extension installed. The GET request
> has a status of 200, which is OK; but the POST request has a status of 302.
HTTP 302 isn't an error, either:
> error has occurred. I could'nt find any further details of the error; just
> noticed the below from the SAML chrome extension installed. The GET request
> has a status of 200, which is OK; but the POST request has a status of 302.
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#3xx_Redirection
> Would you be able to give some inputs as to what could be going
> wrong - at my end or at the IDP end. I have attached a screen grab
> of the response. Or can you please advise how to find whats wrong ?
system's logs you'll need to look into. I.e., the system that produces
the error, which is not SimpleSAMLphp.
-peter
ammu.n...@gmail.com
May 24, 2017, 9:31:58 AM5/24/17
to SimpleSAMLphp, peter....@univie.ac.at
Hi Peter,
I just noticed that there is an error loading the SAML 2.0 IDP metadata..
It says:
Error loading metadata
There is some misconfiguration of your SimpleSAMLphp installation.Debug information
The debug information below may be of interest to the administrator / help desk:
SimpleSAML_Error_Error: METADATA
Backtrace: 0 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/www/saml2/idp/metadata.php:222 (N/A) Caused by: Exception: saml20-idp-hosted/'https://rest.peoplerecognition.com.au/simplesaml/saml2/idp/metadata.php': Unable to load certificate/public key from file "/usr/lib/vendor/symfony/lib/vendor/simplesamlphp/cert/server.crt". Backtrace: 2 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/lib/SimpleSAML/Configuration.php:1246 (SimpleSAML_Configuration::getPublicKeys) 1 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/lib/SimpleSAML/Utils/Crypto.php:210 (SimpleSAML\Utils\Crypto::loadPublicKey) 0 /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/www/saml2/idp/metadata.php:41 (N/A)
The error as i understand that the public certificate 'server.crt' is missing, and of course it is missing. I don't quite understand where we can generate this certificate however. Sorry about my ignorance in this, but could you please advise how to generate / obtain this certificate ? Also, just checking if and where I need to include the token signing certificate provided from our IDP end ?
Thanks heaps, Ammu
Peter Schober
May 24, 2017, 10:46:49 AM5/24/17
to SimpleSAMLphp
* ammu.n...@gmail.com <ammu.n...@gmail.com> [2017-05-24 15:32]:
(specifically MS-ADFS, from your screenshot)?
Then why do you have an saml20-idp-hosted.php config file?
> Unable to load certificate/public key from file
> "/usr/lib/vendor/symfony/lib/vendor/simplesamlphp/cert/server.crt". [...]
(IDP), the Quick Start documentation covers that in sections 4 and 5:
https://simplesamlphp.org/docs/stable/simplesamlphp-idp
But, again, I thought you wanted to deploy a Service Provider and test
it with an external IDP?
> Also, just checking if and where I need to include the token signing
> certificate provided from our IDP end ?
If you intend to use the SAML 2.0 protocol between your SimpleSAMLphp
SAML Service Provider and the MS-ADFS SAML Identity Provider then you
need to give SAML 2.0 Metadata describing the IDP to the SP (and
likely vice versa). That's all.
The documentation covers how to add IDPs to your SP.
So either that "token signing" thing is already covered with that, or
it doesn't have anything to do with using SAML 2.0 with SimpleSAMLphp.
-peter
> Caused by: Exception:
> saml20-idp-hosted/'https://rest.peoplerecognition.com.au/simplesaml/saml2/idp/metadata.php':
I thought you're the SP and the IDP is some remote system
> saml20-idp-hosted/'https://rest.peoplerecognition.com.au/simplesaml/saml2/idp/metadata.php':
(specifically MS-ADFS, from your screenshot)?
Then why do you have an saml20-idp-hosted.php config file?
> Unable to load certificate/public key from file
>
> The error as i understand that the public certificate 'server.crt'
> is missing, and of course it is missing.
Well, if you wanted to configure SimpleSAMLphp as an Identity Provider
> The error as i understand that the public certificate 'server.crt'
> is missing, and of course it is missing.
(IDP), the Quick Start documentation covers that in sections 4 and 5:
https://simplesamlphp.org/docs/stable/simplesamlphp-idp
But, again, I thought you wanted to deploy a Service Provider and test
it with an external IDP?
> Also, just checking if and where I need to include the token signing
> certificate provided from our IDP end ?
SAML Service Provider and the MS-ADFS SAML Identity Provider then you
need to give SAML 2.0 Metadata describing the IDP to the SP (and
likely vice versa). That's all.
The documentation covers how to add IDPs to your SP.
So either that "token signing" thing is already covered with that, or
it doesn't have anything to do with using SAML 2.0 with SimpleSAMLphp.
-peter
ammu.n...@gmail.com
May 24, 2017, 5:59:53 PM5/24/17
to SimpleSAMLphp, peter....@univie.ac.at
Hi,
I am the SP and the IDP is my client that uses ADFS.
The exception is being thrown from this file - /usr/lib/vendor/symfony/lib/vendor/simplesamlphp/lib/SimpleSAML/Configuration.php
Re: the saml-20-ip-hosted.php file.. SimpleSAML was installed by an ex-colleague of mine and I am not very sure how this file happened to be there. I have added the metadata from my IDP only to metadata/saml20-idp-remote.php. Do i need to add it to metadata/shib13-idp-remote.php as well. Attached is a screen grab of my metadata folder. can you please advise if I need to remove saml-20-ip-hosted.php or any other files ?
I was just trying to figure our more about the error I was receiving when I attempted to login and test my SP, when I noticed this. The Show Metadata link under the SAML 2.0 IdP Metadata was returning the error and I got confused with it. Just to clear my understanding, (me being the SP) the SAML IDP Metadata link is anyway not meant to be accessible from my end, right ? Also, is there a way I can confirm that the metadata is configured correctly at both ends ? Will getting my IDP to check the SP metadata at their end help ?
Pardon my ignorance again. I feel lost, can't seem to figure out what is preventing me from logging in, as it just returns 'An error occurred' message !
Can you please help ?
ammu.n...@gmail.com
May 24, 2017, 6:52:58 PM5/24/17
to SimpleSAMLphp, peter....@univie.ac.at
My IDP says that they receive the error below:
'This SP is not a valid audience for the assertion. Candidates were [https://rest.peoplerecognition.com.au/simplesaml/module.php/saml/sp/saml2-acs.php/restsso-sp]'
I am not even sure if this is being caused by something from my end or their end. Can you please help ?
Below is the code from my authsources.php
<?php
$config = array(
// This is a authentication source which handles admin authentication.
'admin' => array(
// The default is to use core:AdminPassword, but it can be replaced with
// any authentication source.
'core:AdminPassword',
),
// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'irtsso-sp' => array(
'saml:SP',
// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
//'entityID' => null,
'entityID' => 'http://adfs.irt.org.au/adfs/services/trust',
// The entity ID of the IdP this should SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
'idp' => "http://adfs.irt.org.au/adfs/services/trust",
// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
'discoURL' => null,
// ADFS 2012R2 requires signing of the logout - the others are optional (may be overhead you don't want.)
'sign.logout' => TRUE,
'redirect.sign' => TRUE,
'assertion.encryption' => TRUE,
// We now need a certificate and key. The following command (executed on Linux usually)
// creates a self-signed cert and key, using SHA256, valid for 2 years.
// openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout my.key -out my.pem
'privatekey' => 'irt.key',
'certificate' => 'irt.pem',
// Enforce the use of SHA-256 by default.
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
),
'restsso-sp' => array(
'saml:SP',
// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
//'entityID' => null,
'entityID' => 'https://sso.rest.com.au/services/trust/',
// The entity ID of the IdP this should SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
'idp' => "https://sso.rest.com.au/services/trust/",
// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
'discoURL' => null,
// ADFS 2012R2 requires signing of the logout - the others are optional (may be overhead you don't want.)
'sign.logout' => TRUE,
'redirect.sign' => TRUE,
'assertion.encryption' => TRUE,
// We now need a certificate and key. The following command (executed on Linux usually)
// creates a self-signed cert and key, using SHA256, valid for 2 years.
// openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout my.key -out my.pem
'privatekey' => 'rest.key',
'certificate' => 'rest.pem',
// Enforce the use of SHA-256 by default.
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
),
);
Can you please advise ?
Thanks heaps,
Ammu
ammu.n...@gmail.com
May 25, 2017, 3:11:16 AM5/25/17
to SimpleSAMLphp, peter....@univie.ac.at, jaime...@uninett.no, jaime...@protonmail.com
Hi Peter / Jaime,
Can you please confirm if the authsources.php looks ok ? I feel totally lost.
Can someone please guide me on this. All I get when I attempt to login is the message 'An error has occurred'. I have no clue how to get any more info on the error too. Can't even confirm if it is something from our end or the IDP end!!
Peter Schober
May 26, 2017, 3:00:15 AM5/26/17
to SimpleSAMLphp
* ammu.n...@gmail.com <ammu.n...@gmail.com> [2017-05-25 00:00]:
> Re: the saml-20-ip-hosted.php file.. SimpleSAML was installed by an
> ex-colleague of mine and I am not very sure how this file happened
> to be there.
It's there by default. But unless you explicitly activate the IDP
functionality it's being ignored. So make sure 'enable.saml20-idp' is
set to false in SSP's config/config.php. (I have no other explanation
for SSP looking at saml-20-ip-hosted.php other than you activating the
IDP functionality on your SP.)
> I have added the metadata from my IDP only to
> metadata/saml20-idp-remote.php. Do i need to add it to
> metadata/shib13-idp-remote.php as well.
No, ignore that.
> Attached is a screen grab of my metadata folder. can you please
> advise if I need to remove saml-20-ip-hosted.php or any other files?
No, ignore those.
> Attached is
> a screen grab of my metadata folder. can you please advise if I need to
> remove saml-20-ip-hosted.php or any other files ?
No, ignore those. (My bad for leading to believe you have to delete
files SimpleSAMLphp generates by default).
> I was just trying to figure our more about the error I was receiving
> when I attempted to login and test my SP, when I noticed this. The
> Show Metadata link under the SAML 2.0 IdP Metadata was returning the
> error and I got confused with it.
What "the error"? The one about your IDP not finding its own key pair?
You fix that my disabling the IDP functionality again.
> Just to clear my understanding, (me being the SP) the SAML IDP
> Metadata link is anyway not meant to be accessible from my end,
> right ?
I don't understand the question. Disable the IDP again in your
SimpleSAMLphp instance, and ask the MS-ADFS IDP why they generate that
error message. That's all.
> Also, is there a way I can confirm that the metadata is configured
> correctly at both ends ? Will getting my IDP to check the SP
> metadata at their end help ?
The MS-ADFS system generated an error. It is pointless to speculate
about reasons when the software will have the reason logged somewhere.
> Pardon my ignorance again. I feel lost, can't seem to figure out what is
> preventing me from logging in, as it just returns 'An error occurred'
> message !
For the n-th time: It is futile to ask anyonen else other than the
operator of the system that generated that useless generic error
message. You don't need to understand anything about SAML to
understand that part, IMO.
-peter
> I am the SP and the IDP is my client that uses ADFS.
Yes.
> Re: the saml-20-ip-hosted.php file.. SimpleSAML was installed by an
> ex-colleague of mine and I am not very sure how this file happened
> to be there.
functionality it's being ignored. So make sure 'enable.saml20-idp' is
set to false in SSP's config/config.php. (I have no other explanation
for SSP looking at saml-20-ip-hosted.php other than you activating the
IDP functionality on your SP.)
> I have added the metadata from my IDP only to
> metadata/saml20-idp-remote.php. Do i need to add it to
> metadata/shib13-idp-remote.php as well.
> Attached is a screen grab of my metadata folder. can you please
> advise if I need to remove saml-20-ip-hosted.php or any other files?
> Attached is
> a screen grab of my metadata folder. can you please advise if I need to
> remove saml-20-ip-hosted.php or any other files ?
files SimpleSAMLphp generates by default).
> I was just trying to figure our more about the error I was receiving
> when I attempted to login and test my SP, when I noticed this. The
> Show Metadata link under the SAML 2.0 IdP Metadata was returning the
> error and I got confused with it.
You fix that my disabling the IDP functionality again.
> Just to clear my understanding, (me being the SP) the SAML IDP
> Metadata link is anyway not meant to be accessible from my end,
> right ?
SimpleSAMLphp instance, and ask the MS-ADFS IDP why they generate that
error message. That's all.
> Also, is there a way I can confirm that the metadata is configured
> correctly at both ends ? Will getting my IDP to check the SP
> metadata at their end help ?
about reasons when the software will have the reason logged somewhere.
> Pardon my ignorance again. I feel lost, can't seem to figure out what is
> preventing me from logging in, as it just returns 'An error occurred'
> message !
operator of the system that generated that useless generic error
message. You don't need to understand anything about SAML to
understand that part, IMO.
-peter
Peter Schober
May 26, 2017, 3:01:04 AM5/26/17
to SimpleSAMLphp
* ammu.n...@gmail.com <ammu.n...@gmail.com> [2017-05-25 00:53]:
I'll try to look at the rest of that message later.
-peter
> My IDP says that they receive the error below:
> 'This SP is not a valid audience for the assertion. Candidates were
> [https://rest.peoplerecognition.com.au/simplesaml/module.php/saml/sp/saml2-acs.php/restsso-sp]'
Finally, an error message from the IDP!
> 'This SP is not a valid audience for the assertion. Candidates were
> [https://rest.peoplerecognition.com.au/simplesaml/module.php/saml/sp/saml2-acs.php/restsso-sp]'
I'll try to look at the rest of that message later.
-peter
Ammu Nair
May 26, 2017, 3:15:08 AM5/26/17
to simple...@googlegroups.com
Hi Peter,
Terribly sorry for annoying you to this extend..it was unintentional.
And many thanks for clarifying my questions. I will check with the IDP.
Thanks again,
Ammu
-peter
--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
https://simplesamlphp.org/support
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
Make sure to read the documentation:
https://simplesamlphp.org/docs/stable/
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/pjKdp3a5ics/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlphp+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Warm Regards,
Ammu Nair0490 394 186
Peter Schober
May 26, 2017, 3:29:43 AM5/26/17
to SimpleSAMLphp
> My IDP says that they receive the error below:
> 'This SP is not a valid audience for the assertion. Candidates were
> [https://rest.peoplerecognition.com.au/simplesaml/module.php/saml/sp/saml2-acs.php/restsso-sp]'
>
> I am not even sure if this is being caused by something from my end or
> their end.
Do you have anything to do with "rest.peoplerecognition.com.au"?
> 'This SP is not a valid audience for the assertion. Candidates were
> [https://rest.peoplerecognition.com.au/simplesaml/module.php/saml/sp/saml2-acs.php/restsso-sp]'
>
> I am not even sure if this is being caused by something from my end or
> their end.
Is that the FQDN where your SSP instance runs?
> Below is the code from my authsources.php
I've personally never done it. Either way, I think both are misconfigured:
> // The entity ID of this SP.
> // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
> //'entityID' => null,
> 'entityID' => 'http://adfs.irt.org.au/adfs/services/trust',
So this is the formal, globally unique name for your SAML SP you want
the (any) IDP to use when referring to *your* SP?
>
> // The entity ID of the IdP this should SP should contact.
> // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
> 'idp' => "http://adfs.irt.org.au/adfs/services/trust",
This is "The entity ID of the IdP this should SP should contact."
> // The entity ID of the IdP this should SP should contact.
> // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
> 'idp' => "http://adfs.irt.org.au/adfs/services/trust",
It's basically guaranteed to be wrong to set your own SP to the same
entityID value as the IDP you want to interact with. Doing that
doesn't makes no sense whatsoever.
One is your own SP's name. The other is the IDP's name.
(And that's what it says right in your config!)
Same with the other SP you defined here:
> // The entity ID of this SP.
> // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
> //'entityID' => null,
> 'entityID' => 'https://sso.rest.com.au/services/trust/',
>
> // The entity ID of the IdP this should SP should contact.
> // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
> 'idp' => "https://sso.rest.com.au/services/trust/",
> Can you please advise ?
If no I'd suggest to wipe all this and start over from scratch,
following the fine documentation provided by this project.
(The SimpleSAMLphp documentation does not advise you to make such
nonsensical changes to your configuration.)
-peter
ammu.n...@gmail.com
May 29, 2017, 4:18:37 AM5/29/17
to SimpleSAMLphp, peter....@univie.ac.at
Hi Peter,
I have made tried to clean up the code as below:
1. I updated my authsources,php file to below:
I have made tried to clean up the code as below:
1. I updated my authsources,php file to below:
<?php
$config = array(
// This is a authentication source which handles admin authentication.
'admin' => array(
// The default is to use core:AdminPassword, but it can be replaced with
// any authentication source.
'core:AdminPassword',
),
// // An authentication source which can authenticate against both SAML 2.0
// // and Shibboleth 1.3 IdPs.
'restsso-sp' => array(
'saml:SP',
// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
//'entityID' => null,
// The entity ID of the IdP this should SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
// 'idp' => null,
// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
'discoURL' => null,
// ADFS 2012R2 requires signing of the logout - the others are optional (may be overhead you don't want.)
'sign.logout' => TRUE,
'redirect.sign' => TRUE,
'assertion.encryption' => TRUE,
// We now need a certificate and key. The following command (executed on Linux usually)
// creates a self-signed cert and key, using SHA256, valid for 2 years.
// openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout my.key -out my.pem
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
// Enforce the use of SHA-256 by default.
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
),
2. I have included the IDP metadata on my saml20-idp-remote.php file..
3. The SP metadata has been exchanged with the IDP.
Now when I test the SP, the link test 'Authentication Sources', takes me to the IDP, but it shows an error occurred, and does not show the area to enter the login credentials.
The IDP receives the error -
'> 'This SP is not a valid audience for the assertion. Candidates were
> [https://rest.peoplerecognition.com.au/simplesaml/module.php/saml/sp/saml2-acs.php/restsso-sp]' '
Do you have any inputs to figure out if I have missed something ?
Thanks,
Ammu
ammu.n...@gmail.com
May 31, 2017, 1:33:09 AM5/31/17
to SimpleSAMLphp, peter....@univie.ac.at
Hi Peter / Jaime,
Many thanks for your guidance and sincere apologies for annoying you. I was able to test the SP successfully from our end, the IDP is no longer getting error messages are being redirected to the application login, which is good.
However, the SSO implementation is still not working as expected. We expect that if a user is logged in to their organisational account, they should be logged in to our PHP web application, when they access it. But this is not happening.
I have attached the claim rules configured at their end. Can you please advise if there is something else we need to do, to get this to work ?
Thanks heaps,
Ammu
Many thanks for your guidance and sincere apologies for annoying you. I was able to test the SP successfully from our end, the IDP is no longer getting error messages are being redirected to the application login, which is good.
However, the SSO implementation is still not working as expected. We expect that if a user is logged in to their organisational account, they should be logged in to our PHP web application, when they access it. But this is not happening.
I have attached the claim rules configured at their end. Can you please advise if there is something else we need to do, to get this to work ?
Thanks heaps,
Ammu
Message has been deleted
Jaime Perez Crespo
May 31, 2017, 10:03:15 AM5/31/17
to simple...@googlegroups.com
Hi Ammu,
On 31 May 2017, at 07:33 AM, ammu.n...@gmail.com wrote:
> Hi Peter / Jaime,
>
> Many thanks for your guidance and sincere apologies for annoying you.
You don’t annoy us. It’s simply that we can’t help you if you don’t ask anything that we can reply to.
> I was able to test the SP successfully from our end, the IDP is no longer getting error messages are being redirected to the application login, which is good.
>
> However, the SSO implementation is still not working as expected. We expect that if a user is logged in to their organisational account, they should be logged in to our PHP web application, when they access it. But this is not happening.
Why? What do you see instead? What do the SimpleSAMLphp logs say?
> I have attached the claim rules configured at their end. Can you please advise if there is something else we need to do, to get this to work?
I can’t, unfortunately. That’s Microsoft’s own terminology and software, which I’m absolutely unfamiliar with. Maybe others have knowledge of Microsoft’s products here.
On 31 May 2017, at 07:33 AM, ammu.n...@gmail.com wrote:
> Hi Peter / Jaime,
>
> Many thanks for your guidance and sincere apologies for annoying you.
> I was able to test the SP successfully from our end, the IDP is no longer getting error messages are being redirected to the application login, which is good.
>
> However, the SSO implementation is still not working as expected. We expect that if a user is logged in to their organisational account, they should be logged in to our PHP web application, when they access it. But this is not happening.
> I have attached the claim rules configured at their end. Can you please advise if there is something else we need to do, to get this to work?
Reply all
Reply to author
Forward
0 new messages