On Fri, Sep 14, 2012 at 13:12:17 -0700, JDS wrote:
> Howdy, folks. I'm seeing the following error I've not seen before:
>
> Sep 14 13:15:33 simplesamlphp ERROR
> [86393c5dc8] /path/to/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp -
> UserError: ErrCode:UNHANDLEDEXCEPTION: Requester: Unknown
> AssertionConsumerServiceURL
> http://SITE/path/to/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/default-sp
>
> This only happens for one user (as reported so far, at least). I could not
> reproduce it.
>
> Can anyone shed any light for me?
My guess is that the metadata you added to the IdP uses https for the
AssertionConsumerService (as it should). However, when sending an
authentication request, simpleSAMLphp has to guess its own
AssertionConsumerService URL. If the user is currently accessing the
site on http instead of https, it will typically assume that the
AssertionConsumerService is on http.
The result is that the AssertionConsumerService URL in the
authentication request does not match the one configured in the
metadata on the IdP. IdPs mostly just ignore the
AssertionConsumerService in the request in that case, but it looks like
your IdP is returning an error instead.
To fix this, either set 'baseurlpath' to an absolute URL containing
https (e.g. "https://sp.example.org/simplesaml/"), or change your
entire site to use https.
(I mostly prefer the latter solution -- as soon as you have a site
where users are logged in, you need to use https to be certain that no
one can hijack the users' session cookies. In that case, you can
configure the web server to redirect all http requests to https, and
configure PHP and simpleSAMLphp to use secure session cookies.)
Best regards,
Olav Morken
UNINETT / Feide
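As an added illustration (not code from this thread or from simpleSAMLphp itself), a simplified PHP model of the scheme guessing Olav describes, with the weak config.php settings beside the corrected ones. 'baseurlpath' and 'session.cookie.secure' are real simpleSAMLphp config.php keys; sp.example.org and the saml2-acs.php path are taken from the messages above; guessAcsUrl() is a hypothetical stand-in for the SP's real derivation, not simpleSAMLphp's code.

```php
<?php
// Added example, not from this thread or from simpleSAMLphp. guessAcsUrl()
// is a hypothetical, simplified model of how the SP derives its own
// AssertionConsumerService URL; the config keys are real config.php keys.

const ACS_PATH = 'module.php/saml/sp/saml2-acs.php/default-sp';

// An absolute baseurlpath is used as-is; a relative one is prefixed with the
// scheme and host of the request currently being served, so a user who
// arrived over plain http yields an http:// ACS URL.
function guessAcsUrl(string $baseUrlPath, string $requestScheme, string $host): string
{
    if (preg_match('#^https?://#', $baseUrlPath)) {
        return rtrim($baseUrlPath, '/') . '/' . ACS_PATH;
    }
    return $requestScheme . '://' . $host . '/' . trim($baseUrlPath, '/') . '/' . ACS_PATH;
}

// ACS URL registered for this SP in the IdP's metadata (https, as it should be).
$registeredAcs = 'https://sp.example.org/simplesaml/' . ACS_PATH;

// Weak: relative baseurlpath, session cookie also sent over plain http.
$weak = [
    'baseurlpath'           => 'simplesaml/',
    'session.cookie.secure' => false,
];

// Corrected: absolute https baseurlpath, session cookie only sent over https.
$fixed = [
    'baseurlpath'           => 'https://sp.example.org/simplesaml/',
    'session.cookie.secure' => true,
];

// Simulate the user from the report, who reached the site over http: only the
// weak configuration produces an ACS URL the IdP does not know about.
foreach (['weak' => $weak, 'fixed' => $fixed] as $name => $cfg) {
    $acs     = guessAcsUrl($cfg['baseurlpath'], 'http', 'sp.example.org');
    $verdict = ($acs === $registeredAcs) ? 'matches IdP metadata' : 'does NOT match IdP metadata';
    printf("%-5s: %s (%s)\n", $name, $acs, $verdict);
}
```

Setting 'session.cookie.secure' only helps once every http request is redirected to https, as the reply notes; otherwise users on http simply lose their session.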