Ugly workaround for "SimpleSAML_Error_Exception: Cannot retrieve metadata for IdP '...' because it isn't a valid IdP for this SP"


Peter Wolfenden

Apr 4, 2012, 5:56:35 PM
to simpleSAMLphp
I installed SimpleSAMLPHP (version 1.8.2) for the first time in my DEV
environment this AM, and ran into an issue. I worked around this issue
with a patch, but I have to believe there is a better approach - so I'm
posting the details of my scenario here in the hope that someone with
deeper knowledge & experience can make a helpful suggestion:

I configured one of my DEV hosts as an Identity Provider with
example-userpass (as in
http://simplesamlphp.org/docs/1.8/simplesamlphp-idp#section_3) and
another DEV host as a Service Provider.

For various reasons (having to do with maintaining an orderly DEV
environment) I configured "simplesaml" to connect on high ports, like
this:

https://idp.my.domain:34443/simplesaml/
https://sp.my.domain:2443/simplesaml/

Then I made the following tweaks to the default 1.8.2 tarball on the
IdP installation:

- MODIFIED FILE: simplesamlphp/config/config.php, changed:

< 'secretsalt' => 'defaultsecretsalt',
---
> 'secretsalt' => '0oih0nduvekcpzbdcwwcup48r0eu4bs5',

< 'enable.saml20-idp' => false,
---
> 'enable.saml20-idp' => true,

- MODIFIED FILE: metadata/saml20-idp-remote.php, added:

$metadata['https://idp.my.domain:34443'] = array(
    'name' => array(
        'en' => 'QWEB DEV Test Server'
    ),
    'description' => 'Login with test credentials.',
    'SingleSignOnService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
);

- NEW FILE: php/metadata/saml20-sp-hosted.php, contains:

$metadata['https://sp.my.domain'] = array (
    'AssertionConsumerService' => 'https://sp.my.domain:2443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService' => 'https://sp.my.domain:2443/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);

- NEW (EMPTY) FILE: modules/exampleauth/enable

And I made the following tweaks to the default 1.8.2 tarball on the SP
installation:

- MODIFIED FILE: simplesamlphp/config/config.php, changed:

< 'secretsalt' => 'defaultsecretsalt',
---
> 'secretsalt' => '0oih0nduvekcpzbdcwwcup48r0eu4bs5',

< 'enable.saml20-idp' => false,
---
> 'enable.saml20-idp' => true,

- MODIFIED FILE: metadata/saml20-idp-remote.php, added:

$metadata['https://idp.my.domain:34443'] = array(
    'name' => array(
        'en' => 'My Test Server'
    ),
    'description' => 'Login with test credentials.',
    'SingleSignOnService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
);

Now, browsing the "Test Authentication Sources" tab on the IdP I saw
that the example-userpass credentials worked as advertised when I click
on "default-sp":

https://idp.my.domain:34443/simplesaml/module.php/core/authenticate.php

And browsing the "Test Authentication Sources" tab on the SP I saw the
"default-sp" link here:

https://sp.my.domain:2443/simplesaml/module.php/core/authenticate.php

When I clicked on it I was redirected (as expected) to
idp.my.domain:34443, but when I provided the student:studentpass
credentials and clicked the Login button I got the following
(unexpected) Exception:

SimpleSAML_Error_Exception: Cannot retrieve metadata for IdP 'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php' because it isn't a valid IdP for this SP. in /var/simplesamlphp-1.8.2/modules/saml/lib/Auth/Source/SP.php on line 108

Call Stack:
0.0005 198896 1. {main}() /var/simplesamlphp-1.8.2/www/module.php:0
0.0073 1576352 2. require('/var/simplesamlphp-1.8.2/modules/saml/www/sp/saml2-acs.php') /var/simplesamlphp-1.8.2/www/module.php:135
0.0268 4748288 3. sspmod_saml_Auth_Source_SP->getIdPMetadata() /var/simplesamlphp-1.8.2/modules/saml/www/sp/saml2-acs.php:47

Warning: Cannot modify header information - headers already sent by (output started at /var/simplesamlphp-1.8.2/modules/saml/lib/Auth/Source/SP.php:108) in /var/simplesamlphp-1.8.2/lib/SimpleSAML/Error/Error.php on line 148

Call Stack:
0.0005 198896 1. {main}() /var/simplesamlphp-1.8.2/www/module.php:0
0.0275 4797208 2. SimpleSAML_Error_Error->show() /var/simplesamlphp-1.8.2/www/module.php:181
0.0275 4797208 3. SimpleSAML_Error_Error->setHTTPCode() /var/simplesamlphp-1.8.2/lib/SimpleSAML/Error/Error.php:204
0.0275 4797440 4. header() /var/simplesamlphp-1.8.2/lib/SimpleSAML/Error/Error.php:148

The contents of the "metadata" for the IdP look fine to me:

https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php

The reason for the rejection appears to be that this "metadata" URL
fails to match the identifier for the IdP.

My workaround is the following patch to
modules/saml/lib/Auth/Source/SP.php on sp.my.domain:

107,109c107,118
< if ($this->idp !== NULL && $this->idp !== $entityId) {
< throw new SimpleSAML_Error_Exception('Cannot
retrieve metadata for IdP ' . var_export($entityId, TRUE) .
< ' because it isn\'t a valid IdP for
this SP.');
---
> // I had to use preg_match() to replace test for string equality,
> // here, because the "metadata" URL for a remote IdP was being
> // rejected as not exactly matching the IdP identifier (a shorter
> // URL). I could not figure out a way around this by configuring
> // another IdP for the metadata URL, so I decided to exploit the
> // fact that the IdP string is the "root" of the "metadata" URL.
> // This hack will need to be refined if and when we encounter cases
> // where this is not true.

> // Peter Wolfenen <p...@qualys.com> 2012-04-04
> if (($this->idp) !== NULL && !preg_match('#^' . $this->idp . '#', $entityId)) {
> $extra = ' (this->idp=[' . var_export($this->idp, true) . '])';
> throw new SimpleSAML_Error_Exception('Cannot retrieve metadata for IdP ' . var_export($entityId, TRUE) . ' because it isn\'t a valid IdP for this SP.' . $extra);
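Review bot: the replacement condition `!preg_match('#^' . $this->idp . '#', $entityId)` turns the exact entityID comparison into an unescaped, prefix-anchored regex: `$this->idp` is interpolated without preg_quote(), so the '.' characters in 'https://idp.my.domain:34443' match any character, and any entityID that merely begins with the configured string is accepted where `$this->idp !== $entityId` would have rejected it. The exception text quoted above already shows the real cause: the SP is configured with 'https://idp.my.domain:34443' while the IdP announces 'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php' as its entityID, so the fix is to make the configured 'idp' value and the saml20-idp-remote.php key equal to the announced entityID and leave the equality check in SP.php untouched.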

With this patch in place, the auth (with redirection from SP to IdP
and back to SP again) works as expected.

But there must be a better way, surely!

Can anyone suggest a better approach?
Thanks in advance for your help!

Cheers,

Peter Wolfenden

comel

Apr 6, 2012, 3:29:18 AM
to simple...@googlegroups.com
On IdP you should set metadata/saml20-idp-hosted.php not saml20-idp-remote.php.

> - NEW FILE: php/metadata/saml20-sp-hosted.php, contains:

On IdP you should set metadata/saml20-sp-remote.php.

> And I made the following tweaks to the default 1.8.2 tarball on the SP
> installation:
>
> - MODIFIED FILE: simplesamlphp/config/config.php, changed:
>
> <       'secretsalt' => 'defaultsecretsalt',
> ---
> >       'secretsalt' => '0oih0nduvekcpzbdcwwcup48r0eu4bs5',

It's proposed to use different secretsalt on every SSP installation...

> <       'enable.saml20-idp'             => false,
> ---
> >       'enable.saml20-idp'             => true,

On SP side IdP should not be enabled ('enable.saml20-idp' => false).

> - MODIFIED FILE: metadata/saml20-idp-remote.php, added:
>
> $metadata['https://idp.my.domain:34443'] = array(

Also, use config/authsources.php for SP definition, because metadata/saml20-sp-hosted.php is deprecated.

comel

Apr 6, 2012, 3:40:06 AM
to simple...@googlegroups.com

Peter Wolfenden

Apr 6, 2012, 4:08:42 PM
to simpleSAMLphp
Comel,

Thank you very much for taking the time to read my question and
prepare a reply with suggestions.
Unfortunately the recommended changes do not seem to resolve my issue.

As per your message, I made the following changes in idp.my.domain
SimpleSAMLphp configuration:

- Discard metadata/saml20-idp-remote.php

- Modify metadata/saml20-idp-hosted.php, add:

$metadata['https://idp.my.domain:34443'] = array(
    'name' => array(
        'en' => 'My Test Server'
    ),
    'description' => 'Login with test credentials.',
    'SingleSignOnService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
);

Unfortunately, when I go to the "admin UI" on idp.my.domain and select
"default-sp" from "Test Authentication Sources", I get a form with an
empty picklist.

It is as though "default-sp" were no longer configured locally on
idp.my.domain, and/or this record in metadata/saml20-sp-remote.php were
no longer recognized:

$metadata['https://v-web1.dev.qualys.com'] = array (
    'AssertionConsumerService' => 'https://v-web1.dev.qualys.com:2443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService' => 'https://v-web1.dev.qualys.com:2443/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);

Still, this is not a showstopper - I just want auth to work from the
SP side.

So I made the following changes to my SimpleSAMLphp configuration on
sp.my.domain:

- Modified config/config.php to disable saml20-idp:

'enable.saml20-idp' => false

- Configured this record in metadata/saml20-idp-remote.php:

$metadata['https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php'] = array(
    'name' => array(
        'en' => 'QWEB DEV Test Server'
    ),
    'description' => 'Login with test credentials.',
    'SingleSignOnService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
);

I'm not sure what is meant by:

> Also, use config/authsources.php for SP definition, because
> metadata/saml20-sp-hosted.php is deprecated.

Neither metadata/saml20-sp-hosted.php nor config/authsources.php exist
anywhere in my SP configuration, and I see nothing like "authsources"
in the templates/ directory.

Unfortunately, when I navigate to "Test Authentication Sources" in the
admin UI on sp.my.domain and select "default-sp" I get the following
Exception:

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('ENTITYID' => '\'https://idp.my.domain:34443\'') in /var/simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php on line 293

This *is* a showstopper, and the only way I can work around it is by:

1) patching the file modules/saml/lib/Auth/Source/SP.php as per my
original message, and
2) adding a new record to metadata/saml20-idp-remote.php with key
'https://idp.my.domain:34443' (and attributes just like the one already
configured for
'https://v-web5.dev.qualys.com:34443/simplesaml/saml2/idp/metadata.php').

Again, this doesn't seem right - the configs seem redundant and the
patch seems potentially dangerous.

Cheers, and thanks in advance for any further help or advice you can
provide!

Peter

comel

Apr 9, 2012, 4:25:52 AM
to simple...@googlegroups.com

On Friday, April 6, 2012 10:08:42 PM UTC+2, Peter Wolfenden wrote:
> Comel,
>
> Thank you very much for taking the time to read my question and
> prepare a reply with suggestions.
> Unfortunately the recommended changes do not seem to resolve my issue.
>
> As per your message, I made the following changes in idp.my.domain
> SimpleSAMLphp configuration:
>
> - Discard metadata/saml20-idp-remote.php
>
> - Modify metadata/saml20-idp-hosted.php, add:
>
> $metadata['https://idp.my.domain:34443'] = array(
>     'name' => array(
>         'en' => 'My Test Server'
>     ),
>     'description'          => 'Login with test credentials.',
>     'SingleSignOnService'  => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
>     'SingleLogoutService'  => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService.php',
>     'certFingerprint'      => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
> );

Are you using SSP version 1.8.2 http://simplesamlphp.googlecode.com/files/simplesamlphp-1.8.2.tar.gz? Then you have config-templates/authsources.php and config/authsources.php, see http://simplesamlphp.org/docs/1.8/simplesamlphp-sp.

> Unfortunately, when I navigate to "Test Authentication Sources" in the
> admin UI on sp.my.domain and select "default-sp" I get the following
> Exception:
>
> SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('ENTITYID' =>
> '\'https://idp.my.domain:34443\'') in /var/simplesamlphp-1.8.2/lib/
> SimpleSAML/Metadata/MetaDataStorageHandler.php on line 293

In config/authsources.php under default-sp, add 'idp' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php', see http://simplesamlphp.org/docs/1.8/simplesamlphp-sp#section_3. Generally, just follow documentation on http://simplesamlphp.org/docs/1.8/ and you should not have problems.

Peter Wolfenden

Apr 13, 2012, 3:50:36 PM
to simpleSAMLphp
Thanks again, Comel - I appreciate your help.

I do indeed have the distribution tarball for 1.8.2, and I have
indeed been trying to follow the documentation for 1.8.

I'll try to narrow down the source of my trouble by focusing first on
my IdP, and the minimal set of changes required to make it work as
expected:

Starting over with a clean tarball in /var/, here's how I configured
my IdP (on idp.my.domain:34443):

1) Modify config/config.php to set my preferred admin credentials, set
the secret salt, and set 'enable.saml20-idp' => true.
2) touch modules/exampleauth/enable
3) cp modules/sanitycheck/config-templates/config-sanitycheck.php config/
4) Modify config/authsources.php to uncomment 'example-userpass' and
tweak the 'default-sp' entry as per your last comment on April 9th
(which must have been munged somehow by a text formatter to insert
lots of angle brackets?)
    'idp' => 'https://v-web5.dev.qualys.com:34443/simplesaml/saml2/idp/metadata.php',

(note that this time, I did not touch metadata/saml20-idp-hosted.php
at all)

Now, when I navigate to https://idp.my.domain:34443/simplesaml/module.php/core/authenticate.php
and follow the "default-sp" link I get errors like this:

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('ENTITYID' => '\'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php\'') in /var/simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php on line 293

And the call stack looks like this:

Call Stack
# Time Memory Function Location
1 0.0004 191368 {main}( ) ../module.php:0
2 0.0059 1541808 require( '/var/simplesamlphp-1.8.2/modules/core/www/authenticate.php' ) ../module.php:135
3 0.0100 2388464 SimpleSAML_Auth_Simple->login( ) ../authenticate.php:45
4 0.0106 2479632 SimpleSAML_Auth_Default::initLogin( ) ../Simple.php:127
5 0.0159 3225504 SimpleSAML_Auth_State::throwException( ) ../Default.php:60
6 0.0171 3249072 SimpleSAML_Utilities::redirect( ) ../State.php:248
7 0.0172 3252080 header ( ) ../Utilities.php:534

Please advise, thanks!

Peter

Peter Wolfenden

Apr 13, 2012, 4:01:31 PM
to simpleSAMLphp
It's probably worth remarking that I also see an Exception when I
navigate to the "Federation" page here:

https://idp.my.domain:34443/simplesaml/module.php/core/frontpage_federation.php

But the "Show metadata" link for "SAML 2.0 IdP Metadata" looks fine:

https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php?output=xhtml

and shows XML which was presumably retrieved properly from this
metadata URL (the one configured in config/authsources.php):

https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php

The Exception from frontpage_federation.php looks like this:

Exception: Could not find any default metadata entities in set [saml20-sp-hosted] for host [idp.my.domain : idp.my.domain/simplesaml] in /var/simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php on line 230

Thanks again for your help,

Peter

On Apr 13, 12:50 pm, Peter Wolfenden <pwolfen...@qualys.com> wrote:
> Thanks again, Comel - I appreciate your help.
>
> I do indeed have the distribution tarball for 1.8.2, and  I have
> indeed been trying to follow the documentation for 1.8.
>
> I'll try to narrow down the source of my trouble by focusing first on
> my IdP, and the minimal set of changes required to make it work as
> expected:
>
> Starting over with a clean tarball in /var/, here's how I configured
> my IdP (on idp.my.domain:34443):
>
> 1) Modify config/config.php to set my preferred admin credentials, set
> the secret salt, and set 'enable.saml20-idp' => true.
> 2) touch modules/exampleauth/enable
> 3) cp modules/sanitycheck/config-templates/config-sanitycheck.php
> config/
> 4) Modify config/authsources.php to uncomment 'example-userpass' and
> tweak the 'default-sp' entry as per your last comment on April 9th
> (which must have been munged somehow by a text formatter to insert
> lots of angle brackets?)
>     'idp'  => 'https://v-web5.dev.qualys.com:34443/simplesaml/saml2/
> idp/metadata.php',
>
> (note that this time, I did not touch metadata/saml20-idp-hosted.php
> at all)
>
> Now, when I navigate tohttps://idp.my.domain:34443/simplesaml/module.php/core/authenticate.php

Peter Wolfenden

Apr 13, 2012, 4:37:02 PM
to simpleSAMLphp
One last additional remark for today:

If I roll back the 'default-sp' changes to config/authsources.php on
my IdP (step 4) and again uncomment 'example-userpass', I get the
(expected when default-sp is not set, as per documentation) pick-list
of identity providers when following the link for 'default-sp' from
the "Test authentication sources" page
(https://idp.my.domain:34443/simplesaml/module.php/core/authenticate.php),
with no PHP errors or exceptions.

But I still get the same Exception when I navigate to the "Federation"
page
(https://idp.my.domain:34443/simplesaml/module.php/core/frontpage_federation.php):

Exception: Could not find any default metadata entities in set [saml20-sp-hosted] for host [idp.my.domain : idp.my.domain/simplesaml] in /var/simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php on line 230

I would not expect such generic configs for an IdP to cause Exceptions
when browsing the admin UI.

Also, I'm not sure why (on the Federation page) I even see an item
called "SAML 2.0 SP Metadata" with:

Entity ID: https://idp.my.domain:34443/simplesaml/module.php/saml/sp/metadata.php/default-sp
default-sp
[ Show metadata ] (link looks OK, shows XML from the above URL)

Cheers,

Peter


On Apr 13, 1:01 pm, Peter Wolfenden <pwolfen...@qualys.com> wrote:
> It's probably worth remarking that I also see an Exception when I
> navigate to the "Federation" page here:
>
>    https://idp.my.domain:34443/simplesaml/module.php/core/frontpage_fede...
>
> But the "Show metadata" link for "SAML 2.0 IdP Metadata" looks fine:
>
>    https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php?output=...

Olav Morken

Apr 16, 2012, 2:43:57 AM
to simple...@googlegroups.com
On Fri, Apr 13, 2012 at 13:37:02 -0700, Peter Wolfenden wrote:
> One last additional remark for today:
>
> If I roll back the 'default-sp' changes to config/authsources.php on
> my IdP (step 4) and again uncomment 'example-userpass', I get the
> (expected when default-sp is not set, as per documentation) pick-list
> of identity providers when following the link for 'default-sp' from
> the "Test authentication sources" page (https://idp.my.domain:34443/
> simplesaml/module.php/core/authenticate.php), with no PHP errors or
> exceptions.

Are you sharing the config between the IdP and SP hostnames? Generally,
I would expect you to test the SP from the SP hostname.

> But I still get the same Exception when I navigate to the "Federation"
> page (https://idp.my.domain:34443/simplesaml/module.php/core/
> frontpage_federation.php)
>
> Exception: Could not find any default metadata entities in set [saml20-
> sp-hosted] for host [idp.my.domain : idp.my.domain/simplesaml] in /var/
> simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
> on line 230

Do you have a stack trace for this exception?

> I would not expect such generic configs for an IdP to cause Exceptions
> when browsing the admin UI.
>
> Also, I'm also not sure why (on the Federation page) I even see an
> item called "SAML 2.0 SP Metadata" with:
>
> Entity ID: https://idp.my.domain:34443/simplesaml/module.php/saml/sp/metadata.php/default-sp
> default-sp
> [ Show metadata ] (link looks OK, shows XML from the above URL)

This happens when you have the default-sp authentication source enabled
on the IdP.


At this point I am uncertain about exactly how your setup is
configured. I tried to read through this email thread, but I just
became more confused :)

Could you give a summary of what you have configured in:

- config/authsources.php (for both the IdP and SP)
- metadata/saml20-sp-remote.php (at the IdP)
- metadata/saml20-idp-hosted.php (at the IdP)
- metadata/saml20-idp-remote.php (at the SP)

Best regards,
Olav Morken
UNINETT / Feide

Peter Wolfenden

Apr 16, 2012, 10:06:13 PM
to simpleSAMLphp
Hello Olav,

Thanks for your response.

First - the stack trace for the Exception which I see when I browse to
the "Federation" tab looks like this:

Exception: Could not find any default metadata entities in set [saml20-
sp-hosted] for host [sp.my.domain:2443 : sp.my.domain/simplesaml] in /
var/simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/
MetaDataStorageHandler.php on line 230 Call Stack: 0.0003 171408 1.
{main}() /var/simplesamlphp-1.8.2/www/module.php:0 0.0058 1541696 2.
require('/var/simplesamlphp-1.8.2/modules/core/www/
frontpage_federation.php') /var/simplesamlphp-1.8.2/www/module.php:135
0.0179 2787496 3. SimpleSAML_Metadata_MetaDataStorageHandler-
>getMetaDataCurrent() /var/simplesamlphp-1.8.2/modules/core/www/
frontpage_federation.php:80 0.0179 2787696 4.
SimpleSAML_Metadata_MetaDataStorageHandler->getMetaData() /var/
simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:
177 0.0179 2788448 5. SimpleSAML_Metadata_MetaDataStorageHandler-
>getMetaDataCurrentEntityID() /var/simplesamlphp-1.8.2/lib/SimpleSAML/
Metadata/MetaDataStorageHandler.php:268

Second, here is a summary of *all* the changes which I made to the
1.8.2 distribution tarball on my SP and IDP webservers, respectively
(I found that I could avoid patching the code on the SP side by adding
an extra record to saml20-idp-remote.php - see below):

ON THE SP SIDE: (sp.my.domain:2443)
===================================
diff --recursive tmp/simplesamlphp-1.8.2/config/authsources.php
simplesamlphp/config/authsources.php
24,25c24,26
< // Can be NULL/unset, in which case the user will be
shown a list of available IdPs.
< 'idp' => NULL,
---
> // Can be NULL/unset, in which case the user will be shown a list of available IdPs
> // (one for each item defined in metadata/*-idp-remote.php):.
> 'idp' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php',
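Review bot: the new 'idp' value must equal, byte for byte, both a key in metadata/saml20-idp-remote.php and the entityID the IdP announces in its own metadata; if the key is missing the SP fails with METADATANOTFOUND before redirecting, and if the announced entityID differs it fails with "isn't a valid IdP for this SP" on the way back. The rewritten comment also carries a stray ':' before its final period ('metadata/*-idp-remote.php):.').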
Only in simplesamlphp/config: config-sanitycheck.php
diff --recursive tmp/simplesamlphp-1.8.2/metadata/saml20-idp-
remote.php simplesamlphp/metadata/saml20-idp-remote.php
91a92,112
>
> $metadata['https://idp.my.domain:34443'] = array(
> 'name' => array(
> 'en' => 'My Test Server'
> ),
> 'description' => 'Login with test credentials.',
> 'SingleSignOnService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
> 'SingleLogoutService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService.php',
> 'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
> );
> $metadata['https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php'] = array(
> 'name' => array(
> 'en' => 'My Test Server'
> ),
> 'description' => 'Login with test credentials.',
> 'SingleSignOnService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
> 'SingleLogoutService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService.php',
> 'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
> );
>
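Review bot: the two added $metadata entries are identical apart from their keys. With authsources.php pointing 'idp' at 'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php', only that key is ever looked up, so the entry keyed 'https://idp.my.domain:34443' is dead configuration and should be removed; keeping two copies of the same certFingerprint means a later certificate rotation can be applied to one entry and missed on the other.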

ON THE IDP SIDE: (idp.my.domain:34443)
======================================
diff --recursive tmp/simplesamlphp-1.8.2/config/authsources.php
simplesamlphp/config/authsources.php
25c25
< 'idp' => NULL,
---
> 'idp' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php',
52d51
< /*
64d62
< */
Only in simplesamlphp/config: config-sanitycheck.php
diff --recursive tmp/simplesamlphp-1.8.2/metadata/saml20-sp-remote.php
simplesamlphp/metadata/saml20-sp-remote.php
27a28,35
>
> /*
> * Peter's Test Example simpleSAMLphp SAML 2.0 SP
> */
> $metadata['https://sp.my.domain:2443/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
> 'AssertionConsumerService' => 'https://sp.my.domain:2443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
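Review bot: the hunk header 27a28,35 announces eight added lines but the paste stops after the 'AssertionConsumerService' line, so the 'SingleLogoutService' entry and the closing ');' (both present in the copy of this hunk quoted later in the thread) are missing here; anyone reproducing the IdP side from this post should use the complete entry. The key itself, the SP's entityID 'https://sp.my.domain:2443/simplesaml/module.php/saml/sp/metadata.php/default-sp', is the right one for saml20-sp-remote.php.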
Only in simplesamlphp/modules/exampleauth: enable

Please advise, thanks!
Peter Wolfenden

Peter Wolfenden

Apr 16, 2012, 11:27:34 PM
to simpleSAMLphp
That stack trace wasn't very readable, was it?
Here it is again:

Exception: Could not find any default metadata entities in set [saml20-sp-hosted] for host [sp.my.domain : sp.my.domain/simplesaml] in /var/simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php on line 230

Call Stack:
0.0005 171408 1. {main}() /var/simplesamlphp-1.8.2/www/module.php:0
0.0075 1541696 2. require('/var/simplesamlphp-1.8.2/modules/core/www/frontpage_federation.php') /var/simplesamlphp-1.8.2/www/module.php:135
0.0220 2787496 3. SimpleSAML_Metadata_MetaDataStorageHandler->getMetaDataCurrent() /var/simplesamlphp-1.8.2/modules/core/www/frontpage_federation.php:80
0.0220 2787696 4. SimpleSAML_Metadata_MetaDataStorageHandler->getMetaData() /var/simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:177
0.0221 2788448 5. SimpleSAML_Metadata_MetaDataStorageHandler->getMetaDataCurrentEntityID() /var/simplesamlphp-1.8.2/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:268

Olav Morken

Apr 17, 2012, 2:28:25 AM
to simple...@googlegroups.com

This error happens inside a try-catch block that discards this
exception. (The exception in this location is expected when you are not
using the old SP code, which is only available for backwards
compatibility.)

Do you by any chance have a debug extension installed that aborts the
script as soon as an exception is thrown?

Olav Morken

Apr 17, 2012, 2:32:08 AM
to simple...@googlegroups.com
On Mon, Apr 16, 2012 at 19:06:13 -0700, Peter Wolfenden wrote:
> Hello Olav,
>
> Thanks for your response.
>
> First - the stack trace for the Exception which I see when I browse to
> the "Federation" tab looks like this:
[...]
(Answered in other mail)

This entry does not appear to be in use, and should probably be removed.
(Alternatively, you can change the entityID of your IdP to be
'https://idp.my.domain:34443', and remove the other entry.)


> > $metadata['https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php'] = array(
> > 'name' => array(
> > 'en' => 'My Test Server'
> > ),
> > 'description' => 'Login with test credentials.',
> > 'SingleSignOnService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
> > 'SingleLogoutService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService.php',
> > 'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
> > );
> >
>
> ON THE IDP SIDE: (idp.my.domain:34443)
> ======================================
> diff --recursive tmp/simplesamlphp-1.8.2/config/authsources.php
> simplesamlphp/config/authsources.php
> 25c25
> < 'idp' => NULL,
> ---
> > 'idp' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php',

This change is not necessary on the IdP - the default-sp entry is only
used on the SP.

> 52d51
> < /*
> 64d62
> < */
> Only in simplesamlphp/config: config-sanitycheck.php
> diff --recursive tmp/simplesamlphp-1.8.2/metadata/saml20-sp-remote.php
> simplesamlphp/metadata/saml20-sp-remote.php
> 27a28,35
> >
> > /*
> > * Peter's Test Example simpleSAMLphp SAML 2.0 SP
> > */
> > $metadata['https://sp.my.domain:2443/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
> > 'AssertionConsumerService' => 'https://sp.my.domain:2443/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
> > 'SingleLogoutService' => 'https://sp.my.domain:2443/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
> > );
> Only in simplesamlphp/modules/exampleauth: enable

The rest looks correct.
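
Both failures in this thread, METADATANOTFOUND and "isn't a valid IdP for this SP", come from the SP comparing the 'idp' string in config/authsources.php with an entityID by exact equality. As an added example, not code from the thread or from SimpleSAMLphp itself, here is a PHP script that applies that same rule to the SP's three files up front, so the mismatch is caught before anyone is tempted to weaken the check in SP.php; checkSpConfig() and the sample arrays are constructed for this illustration and assume the 1.8 file layout named in the thread.

```php
<?php
// check_ssp_sp.php: constructed example, not part of SimpleSAMLphp.
//
// Cross-checks the SP-side settings this thread turned on:
//   1. config/config.php              'enable.saml20-idp' should be false on a pure SP
//   2. config/authsources.php         default-sp 'idp' names the IdP (or NULL for a picklist)
//   3. metadata/saml20-idp-remote.php must contain that entityID as a key
// and compares the configured 'idp' with the entityID the IdP announces in its
// own metadata, using the same exact string comparison that
// modules/saml/lib/Auth/Source/SP.php performs (never a prefix or regex match).

declare(strict_types=1);

/**
 * @param array  $config      the $config array from config/config.php
 * @param array  $authsources the $config array from config/authsources.php
 * @param array  $idpRemote   the $metadata array from metadata/saml20-idp-remote.php
 * @param string $announced   entityID from the IdP's metadata.php (the Issuer of its responses)
 * @return string[] findings; an empty array means the three files agree
 */
function checkSpConfig(array $config, array $authsources, array $idpRemote, string $announced): array
{
    $findings = [];

    if (!empty($config['enable.saml20-idp'])) {
        $findings[] = "config.php: 'enable.saml20-idp' is true on the SP host; set it to false";
    }

    $sp = $authsources['default-sp'] ?? null;
    if (!is_array($sp) || ($sp[0] ?? null) !== 'saml:SP') {
        $findings[] = "authsources.php: no 'default-sp' => array('saml:SP', ...) entry";
        return $findings;
    }
    $configured = $sp['idp'] ?? null;

    if ($configured === null) {
        // NULL is legal: the user is shown a picklist of every saml20-idp-remote.php entry.
        if ($idpRemote === []) {
            $findings[] = "saml20-idp-remote.php: no IdP entries, so the picklist will be empty";
        }
        return $findings;
    }

    if (!array_key_exists($configured, $idpRemote)) {
        // The METADATANOTFOUND('ENTITYID' => ...) case seen in this thread.
        $findings[] = "saml20-idp-remote.php: no entry keyed '$configured' (METADATANOTFOUND at login)";
    }

    // Exact equality, as in sspmod_saml_Auth_Source_SP::getIdPMetadata(). A prefix
    // match would also accept any entityID that merely starts with $configured.
    if ($configured !== $announced) {
        $findings[] = "authsources.php: 'idp' is '$configured' but the IdP announces '$announced' "
                    . "(\"isn't a valid IdP for this SP\" after the redirect back)";
    }

    // A second copy of the same IdP under another key is never consulted once 'idp'
    // is set; flag it so a certificate rotation is not applied to the wrong entry.
    if (isset($idpRemote[$announced])) {
        $realSso = $idpRemote[$announced]['SingleSignOnService'] ?? null;
        foreach ($idpRemote as $key => $entry) {
            if ($key !== $announced && ($entry['SingleSignOnService'] ?? null) === $realSso) {
                $findings[] = "saml20-idp-remote.php: '$key' duplicates '$announced' and is unused; remove it";
            }
        }
    }
    return $findings;
}

// Constructed sample: the IdP's entityID is its metadata URL (the SimpleSAMLphp default).
$idpEntityId = 'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php';
$idpEntry = [
    'SingleSignOnService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint'     => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9',
];

// Mirrors the mismatch in the opening post: IdP enabled on the SP host, and the
// SP knows the IdP by its bare host while the IdP announces the metadata URL.
$broken = checkSpConfig(
    ['enable.saml20-idp' => true],
    ['default-sp' => ['saml:SP', 'idp' => 'https://idp.my.domain:34443']],
    ['https://idp.my.domain:34443' => $idpEntry],
    $idpEntityId
);
// Mirrors the final working state: one key, equal to the announced entityID.
$fixed = checkSpConfig(
    ['enable.saml20-idp' => false],
    ['default-sp' => ['saml:SP', 'idp' => $idpEntityId]],
    [$idpEntityId => $idpEntry],
    $idpEntityId
);

foreach ($broken as $f) {
    echo "BROKEN: $f\n";
}
echo $fixed === [] ? "FIXED: configuration is consistent\n" : "FIXED: " . implode("\n", $fixed) . "\n";
```

Run it with `php check_ssp_sp.php`; to check a live SP, replace the constructed arrays with `include` of the three files and the entityID copied from the IdP's metadata.php.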

Peter Wolfenden

Apr 18, 2012, 4:39:04 PM
to simpleSAMLphp
Olav,

You nailed it - the xdebug extension is indeed turned on in the
version of PHP that I'm using, which causes Exceptions to be sent to
STDOUT *even if they are caught*. So, no bug here.

Thanks!

Peter

Peter Wolfenden

Apr 18, 2012, 4:52:06 PM
to simpleSAMLphp
Confirmed on both counts - the extra entry on the SP side in saml20-
idp-remote.php can be removed with no ill effects, and the tweak to
the 'idp' key in config/authsources.php on the IdP side can likewise
be removed without breaking anything.

Thank you for your help!

Peter Wolfenden
> > >     'SingleLogoutService'  => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService....,
> > >     'certFingerprint'      => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
> > > );
>
> This entry does not appear to be in use, and should probably be removed.
> (Alternatively, you can change the entityID of your IdP to be
> 'https://idp.my.domain:34443', and remove the other entry.)
>
> > > $metadata['https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php'] = array(
> > >     'name' => array(
> > >         'en' => 'My Test Server'
> > >     ),
> > >     'description'          => 'Login with test credentials.',
> > >     'SingleSignOnService'  => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SSOService.php',
> > >     'SingleLogoutService'  => 'https://idp.my.domain:34443/simplesaml/saml2/idp/SingleLogoutService....,
> > >     'certFingerprint'      => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9'
> > > );
>
> > ON THE IDP SIDE: (idp.my.domain:34443)
> > ======================================
> > diff --recursive tmp/simplesamlphp-1.8.2/config/authsources.php
> > simplesamlphp/config/authsources.php
> > 25c25
> > <               'idp' => NULL,
> > ---
> > >                 'idp'  => 'https://idp.my.domain:34443/simplesaml/saml2/idp/metadata.php',
>
> This change is not necessary on the IdP - the default-sp entry is only
> used on the SP.
>
> > 52d51
> > <       /*
> > 64d62
> > <       */
> > Only in simplesamlphp/config: config-sanitycheck.php
> > diff --recursive tmp/simplesamlphp-1.8.2/metadata/saml20-sp-remote.php
> > simplesamlphp/metadata/saml20-sp-remote.php
> > 27a28,35
>
> > > /*
> > >  * Peter's Test Example simpleSAMLphp SAML 2.0 SP
> > >  */
> > > $metadata['https://sp.my.domain:2443/simplesaml/module.php/saml/sp/metadata.php/...] = array(
> > >         'AssertionConsumerService' => 'https://sp.my.domain:2443/simplesaml/module.php/saml/sp/saml2-acs.php...,
> > >         'SingleLogoutService' => 'https://sp.my.domain:2443/simplesaml/module.php/saml/sp/saml2-logout....,

Dick Visser

Apr 24, 2013, 4:19:54 AM
to simple...@googlegroups.com
On 23 April 2013 22:41, shankar Rathod <shankarr...@gmail.com> wrote:
> Sir, Can you please send me the complete documentation for installing
> simplesamlphp and configuring the all files to setup Service Provider and
> Identity Provider both in same System.
> Thankyou in advance sir.


http://simplesamlphp.org/docs/stable/


--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands