Single sign on going to the wrong auth source


Tahir J. Malik

May 11, 2015, 9:21:52 AM
to simple...@googlegroups.com
I am trying to connect with Active Directory using LDAP configuration in my SimpleSAMLphp IdP. Testing it directly from the IdP through its 'Test authentication sources' page works absolutely fine, but when I initiate the session from an SP, I go to the wrong source.

In authsources.php, I have an LDAP config array by the name of 'mycon-ldap'. I also have 'example-userpass' uncommented and active. The Single Sign On URL I am using is "http://XXX.mydomain.com/saml2/idp/metadata.php". When I initiate the session from the SP I land on the 'example-userpass' username/password screen and my credentials don't work there. How do I make it go to 'mycon-ldap' instead? Do I need to add this name in the query string?

I even tried to comment out "example-userpass" but in that case I get the following error. Please help.

Caused by: SimpleSAML_Error_Exception: You must provide an authority when using example-userpass
Backtrace:
3 /srv/www/simplesamlphp/lib/SimpleSAML/Auth/BWC.php:50 (SimpleSAML_Auth_BWC::__construct)
2 /srv/www/simplesamlphp/lib/SimpleSAML/IdP.php:106 (SimpleSAML_IdP::__construct)
1 /srv/www/simplesamlphp/lib/SimpleSAML/IdP.php:134 (SimpleSAML_IdP::getById)
0 /srv/www/simplesamlphp/www/saml2/idp/SSOService.php:18 (N/A)


Peter Schober

May 11, 2015, 9:53:42 AM
to simple...@googlegroups.com
* Tahir J. Malik <malik...@gmail.com> [2015-05-11 15:22]:
> The Single Sign on URL I am using is
> "http://XXX.mydomain.com/saml2/idp/metadata.php".

Obviously (?) this is not an SSO URL of the IDP, it's the endpoint
where a SimpleSAMLphp IDP will produce SAML metadata describing
itself.
Also note that if you've set "admin.protectmetadata = true" in your
config/config.php accessing URI-TO-SSP/saml2/idp/metadata.php will
require authenticating with the "admin" authsource.
-peter

Tahir J. Malik

May 11, 2015, 11:00:18 AM
to simple...@googlegroups.com
My bad. I meant to say that I am using this URL

http://XXX.mydomain.com/saml2/idp/SSOService.php

The other one is obviously the metadata URL. Do I need to pass an additional parameter with the above URL?

--
You received this message because you are subscribed to a topic in the Google Groups "simpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/stSCniHYv8M/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/d/optout.



--
Regards,
Tahir J. Malik

Tahir J. Malik

May 11, 2015, 11:03:08 AM
to simple...@googlegroups.com
Also, both these settings are set to false in my config file:

'admin.protectindexpage' => false,
'admin.protectmetadata' => false,

Peter Schober

May 11, 2015, 11:42:15 AM
to simple...@googlegroups.com
* Tahir J. Malik <malik...@gmail.com> [2015-05-11 15:22]:
> When I initiate the session from SP I land on to 'example-userpass'
> username/password screen and my credentials don't work there. How do
> I make it go to 'mycon-ldap' instead? Do I need to add this name in
> query string?

Be sure to comment out any auth sources you don't intend on using, for
security reasons alone.

> I even tried to comment out "example-userpass" but in that case I get the
> following error. Please help.
>
> Caused by: SimpleSAML_Error_Exception: You must provide an authority when
> using example-userpass

SimpleSAMLphp generates protocol endpoints that encode the name of
the authsource into the Location URL. So you'd have to generate and
communicate different SAML metadata to the other end to make requests use
your other authsource.
(And yes, that bit me before, too, when I thought I could simply
change an internal configuration name in authsources.php.)
-peter

Tahir J. Malik

May 11, 2015, 12:30:46 PM
to simple...@googlegroups.com
Thanks Peter and sorry to be a pest.

I don't completely understand this piece:

> SimpleSAMLphp generates protocol endpoints that encode the name of
> the authsource into the Location URL. So you'd have to generate and
> communicate different SAML metadata to other end to make requests use
> your other authsource.
> (And yes, that bit me before, too, when I thought I could simply
> change an internal configuration name in authsources.php.)

Is there any documentation on how to generate different metadata for a different auth source? I am simply extracting metadata from Federation tab > SAML 2.0 IdP Metadata. In that metadata file, there's no mention of the authsource that I want to use.


Tahir J. Malik

May 20, 2015, 7:58:09 AM
to simple...@googlegroups.com
Hi Peter,

I am using simplesamlphp on the service provider side as well. Can you tell me which parameter in the IdP's metadata inside the simplesamlphp SP defines the authsource?

Peter Schober

May 21, 2015, 4:22:42 AM
to simple...@googlegroups.com
* Tahir J. Malik <malik...@gmail.com> [2015-05-20 13:58]:
> I am using simplesamlphp on service provider side as well. Can you guide
> which parameter in the IDP's metadata inside simplesamlphp SP defines the
> authsource?

The name of the authsource will be encoded into protocol endpoints, so
just looking for the string name of the authsource should be all
that's needed.
But why not simply generate metadata for the IDP and the SP according
to the documentation and then it will be correct?
-peter
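A small check of Peter's point that SimpleSAMLphp encodes the authsource name into the protocol endpoint Locations, so that renaming an authsource in authsources.php without regenerating and re-exchanging metadata leaves the other side pointing at the old name. This is an added example, not code from the thread or from SimpleSAMLphp; the SP metadata below is constructed to follow the SimpleSAMLphp module.php/saml/sp/... endpoint pattern for an authsource named "default-sp".

```python
"""List the endpoint Locations in a SAML 2.0 metadata document and report which
of them do not reference the authsource name the configuration now uses."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (not from the thread), as SimpleSAMLphp would
# publish it for an SP authsource named "default-sp".
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_locations(metadata_xml):
    """Return the Location attribute of every md:* endpoint element, in document order."""
    root = ET.fromstring(metadata_xml)
    # Any element in the metadata namespace carrying a Location is a protocol
    # endpoint (AssertionConsumerService, SingleLogoutService, SingleSignOnService, ...).
    return [el.attrib["Location"] for el in root.iter()
            if el.tag.startswith("{" + MD_NS + "}") and "Location" in el.attrib]


def authsource_in_endpoints(metadata_xml, authsource):
    """Map each endpoint Location to True if its path ends with '/<authsource>'."""
    result = {}
    for loc in endpoint_locations(metadata_xml):
        path = urlparse(loc).path.rstrip("/")
        result[loc] = path.endswith("/" + authsource)
    return result


def mismatched_endpoints(metadata_xml, expected_authsource):
    """Endpoints that still name a different authsource: the metadata must be regenerated."""
    checks = authsource_in_endpoints(metadata_xml, expected_authsource)
    return [loc for loc, ok in checks.items() if not ok]


if __name__ == "__main__":
    # Constructed scenario: the authsource was renamed to "mycon-sp" in authsources.php.
    for loc in mismatched_endpoints(SAMPLE_SP_METADATA, "mycon-sp"):
        print("stale endpoint, regenerate metadata:", loc)
```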