newbie question with setup


eric.truett

Feb 17, 2009, 11:36:34 AM
to simpleSAMLphp
I am just getting started working with this library for SSO on my
google apps education for education domain (smithclubchicago.org). i
use custom urls for the various GAFYD services
(mail.smithclubchicago.org, etc.)

my signin page: http://www.smithclubchicago.org/simplesaml/saml2/idp/SSOService.php

i left unchecked the box "Use a domain specific issuer" in the GAFYD
admin panel.

---

I have a couple of questions about the setup of the IdP:

(1) If I use the following settings in config.php:

'enable.saml20-sp' => false,
'enable.saml20-idp' => true,
'enable.shib13-sp' => false,
'enable.shib13-idp' => false,

then do I need to modify the files saml20-sp-remote.php and
saml20-sp-hosted.php in the metadata directory or should I remove them?

(2) if my domain is smithclubchicago.org, what do I set as the values
below for $A and $B. i tried various combinations of the domain name
and www to no avail, the only way i avoided error messages was to use
'__DYNAMIC:1__' and '__DEFAULT__', respectively.

// The SAML entity ID is the index of this config.
$A => array(

// The hostname of the server (VHOST) that this SAML entity will use.
$B => 'sp.example.org',

(3) when i enter the url "http://mail.smithclubchicago.org" i am
redirected to

http://www.smithclubchicago.org/simplesaml/auth/login.php?RelayState=http%3A%2F%2Fwww.smithclubchicago.org%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3FRequestID%3D_98a5917c0bd3a2b29f2a9f0dbe7690b09d6079c566&AuthId=_98a5917c0bd3a2b29f2a9f0dbe7690b09d6079c566&protocol=saml2

after i enter a valid username and password, i am redirected to
http://www.smithclubchicago.org/simplesaml/auth/login.php? and then
have a blank screen. i am not sure what to do at this point.

thank you for any suggestions or advice,

eric truett

Waylon Kenning

Feb 17, 2009, 3:27:35 PM
to simple...@googlegroups.com
> -----Original Message-----
> From: simple...@googlegroups.com
> [mailto:simple...@googlegroups.com] On Behalf Of eric.truett
> Sent: Wednesday, 18 February 2009 5:37 a.m.
> To: simpleSAMLphp
> Subject: newbie question with setup
>
>
> I am just getting started working with this library for SSO
> on my google apps education for education domain
> (smithclubchicago.org). i use custom urls for the various
> GAFYD services (mail.smithclubchicago.org, etc.)
>
> my signin page:
> http://www.smithclubchicago.org/simplesaml/saml2/idp/SSOService.php
>
> i left unchecked the box "Use a domain specific issuer" in
> the GAFYD admin panel.
>
> ---
>
> I have a couple of questions about the setup of the IdP:
>
> (1) If I use the following settings in config.php:
>
> 'enable.saml20-sp' => false,
> 'enable.saml20-idp' => true,
> 'enable.shib13-sp' => false,
> 'enable.shib13-idp' => false,
>
> then do I need to modify the files saml20-sp-remote.php and
> saml20-sp-hosted.php in the metadata directory or should I
> remove them?

From the best of my knowledge (and other people can correct me):

You'll need two metadata files - saml20-idp-hosted.php and
saml20-sp-remote.php. I removed all the others. The saml20-sp-remote.php file
contains the information about SPs that can use your IDP. Mine has the
following entry in saml20-sp-remote.php:

'http://10.8.32.149/simplesaml/saml2/sp/metadata.php' => array (
'AssertionConsumerService' =>
'http://10.8.32.149/simplesaml/saml2/sp/AssertionConsumerService.php',
'SingleLogoutService' =>
'http://10.8.32.149/simplesaml/saml2/sp/SingleLogoutService.php',
),



> (2) if my domain is smithclubchicago.org, what do I set as
> the values below for $A and $B. i tried various combinations
> of the domain name and www to no avail, the only way i
> avoided error messages was to use '__DYNAMIC:1__' and
> '__DEFAULT__', respectively.
>
> // The SAML entity ID is the index of this config.
> $A => array(
>
> // The hostname of the server (VHOST) that this SAML
> entity will use.
> $B => 'sp.example.org',

Here's mine:

// The SAML entity ID is the index of this config.
'http://essaml1.moe.govt.nz/simplesamlphp_1_3/www/' => array(

// The hostname of the server (VHOST) that this SAML entity will use.
'host' => 'essaml1.moe.govt.nz',

// X.509 key and certificate. Relative to the cert directory.
'privatekey' => 'server.pem',
'certificate' => 'server.crt',

// Authentication plugin to use. login.php is the default one that uses LDAP.
'auth' => 'auth/login-auto.php'
)



> (3) when i enter the url "http://mail.smithclubchicago.org" i
> am redirected to
>
> http://www.smithclubchicago.org/simplesaml/auth/login.php?RelayState=http%3A%2F%2Fwww.smithclubchicago.org%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3FRequestID%3D_98a5917c0bd3a2b29f2a9f0dbe7690b09d6079c566&AuthId=_98a5917c0bd3a2b29f2a9f0dbe7690b09d6079c566&protocol=saml2
>
> after i enter a valid username and password, i am redirected
> to http://www.smithclubchicago.org/simplesaml/auth/login.php?
> and then have a blank screen. i am not sure what to do at this point.

Can't help you with this one sorry.



> thank you for any suggestions or advice,
>
> eric truett

Regards,

Waylon Kenning
Assistant Business Systems Analyst
New Zealand Ministry of Education.



Peter Schober

Feb 17, 2009, 4:27:09 PM
to simple...@googlegroups.com
* Waylon Kenning <Waylon....@minedu.govt.nz> [2009-02-17 21:27]:

> From the best of my knowledge (and other people can correct me):
>
> You'll need two metadata files

Yes, SAML and web single sign-on are not much fun without at least a
second site ;)

cheers,
-peter

eric.truett

Feb 18, 2009, 6:03:22 PM
to simpleSAMLphp
i realized that two parties are involved. however, there were 4 saml20
files in the metadata directory, and it was not obvious that you
needed to pair saml20-idp-hosted.php with saml20-sp-remote.php,
instead of pairing saml20-idp-hosted.php with saml20-idp-remote.php.

i noticed a suggestion elsewhere to use live http headers in
debugging. i have included this information (while deleting username/
password which are correct) to see if anyone can provide insight into
why, after i am successfully redirected to enter a username and
password, that my post request is not producing any results.

##################################

Location:
https://www.google.com/a/smithclubchicago.org/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fa%2Fsmithclubchicago.org%2F&bsv=1k96igf4806cy&ss=1&ltmpl=default&ltmplcache=2


Location:
http://www.smithclubchicago.org/simplesaml/saml2/idp/SSOService.php?SAMLRequest=fVLLbtswELwX6D8QvOthtUBdwlLgJghqIG2FWMkhN5paSXRIrsql7PbvQ8sJkh6aCw%2FD4TyWu7r4Yw07gCeNruSLNOcMnMJWu77kd811suQX1ccPK5LWjGI9hcHdwu8JKLD40pGYL0o%2BeSdQkibhpAUSQYnt%2BseNKNJcjB4DKjScba5K7lqwtnN71O3wuFe7fd%2BhGY0dW%2FsYz7FTDvt213N2%2FxKrOMXaEE2wcRSkCxHK869JXiSLZVMU4vNSfPrywFn97PRNu3OD92LtziQS35umTupf22YWOOgW%2FM%2FILnmP2BtIFdqTfS2J9CHCnTQEnK2JwIcY8BIdTRb8FvxBK7i7vSn5EMJIIsuOx2P6KpPJjKwOgzLTTg1ayR5T9H0mFfFqnrGYa%2Fo3w32%2FhHwJwatXm1X2Rqp6%2FrtTpc1VjUarv2xtDB4vPcgQ%2BwQ%2FxTrX6K0M%2F3dbpIsZ0W3SzVQxORpB6U5Dy1lWnV3%2FXZK4Ok8%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fsmithclubchicago.org%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttps%253A%252F%252Fmail.google.com%252Fa%252Fsmithclubchicago.org%252F%26bsv%3D1k96igf4806cy%26ss%3D1%26ltmpl%3Ddefault%26ltmplcache%3D2


http://www.smithclubchicago.org/simplesaml/auth/login.php?RelayState=http%3A%2F%2Fwww.smithclubchicago.org%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3FRequestID%3D_919e19f034b12d879bec07299f9651cc45b6eaecd2&AuthId=_919e19f034b12d879bec07299f9651cc45b6eaecd2&protocol=saml2


http://www.smithclubchicago.org/simplesaml/auth/login.php?

POST /simplesaml/auth/login.php? HTTP/1.1
Host: www.smithclubchicago.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.smithclubchicago.org/simplesaml/auth/login.php?RelayState=http%3A%2F%2Fwww.smithclubchicago.org%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3FRequestID%3D_919e19f034b12d879bec07299f9651cc45b6eaecd2&AuthId=_919e19f034b12d879bec07299f9651cc45b6eaecd2&protocol=saml2
Cookie: PHPSESSID=91d686e8f93aef22ba4068c0bbd1fb41
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

username={deleted by poster}&RelayState=http%3A%2F%2Fwww.smithclubchicago.org%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3FRequestID%3D_919e19f034b12d879bec07299f9651cc45b6eaecd2&password={deleted by poster}

HTTP/1.x 500 Internal Server Error
Date: Wed, 18 Feb 2009 22:50:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html


##################################

thank you,
eric truett
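The redirect URLs in the header capture above carry the SP's AuthnRequest in the SAMLRequest parameter (HTTP-Redirect binding: raw DEFLATE, base64, URL-encoding). The following Python helper, added here for debugging and not part of the thread or of simpleSAMLphp, packs and unpacks such a request so an IdP operator can read off the Issuer and AssertionConsumerServiceURL that have to correspond to an entry in saml20-sp-remote.php. The AuthnRequest XML, IDs and URLs in it are constructed placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Constructed sample AuthnRequest; Issuer, ID and URLs are placeholders,
# not values taken from the thread above.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2009-02-18T22:50:51Z" '
    'AssertionConsumerServiceURL="https://www.google.com/a/example.org/acs">'
    '<saml:Issuer>google.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def encode_redirect_request(xml_text: str, relay_state: str) -> str:
    """Build the query string of an HTTP-Redirect binding request:
    raw DEFLATE (no zlib header), base64, then URL-encode both parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    return urllib.parse.urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})


def decode_redirect_request(query: str) -> dict:
    """Reverse the binding and extract the fields checked first when an IdP
    rejects or mishandles a request: request ID, Issuer (the SP entity ID that
    must be a key in saml20-sp-remote.php), ACS URL and RelayState."""
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")  # -15 = raw inflate
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": params.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    q = encode_redirect_request(SAMPLE_AUTHN_REQUEST, "https://www.google.com/a/example.org/ServiceLogin")
    print(decode_redirect_request(q))
```

To inspect a real redirect, pass everything after the `?` in the SSOService.php URL to decode_redirect_request.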

Jonah Bossewitch

Mar 2, 2009, 6:12:41 PM
to simpleSAMLphp
Hi,

I have been trying to configure SimpleSaml as the SSO provider for
google apps too, and encountered a weird bug where the initial login
was a blank screen, though if I returned to the google site again, I
was actually logged in. It seemed /very/ difficult to track down, and
I wasn't really sure where to start debugging (I had looked at all the
administrative diagnostic screens, and everything checked out).

In the end I finally gave up on SimpleSaml and got
http://search.cpan.org/~manni/Google-SAML-Response-0.07/lib/Google/SAML/Response.pm
working fairly quickly. If all you want to do is set up an SSO
provider for google, this did the trick.

Be wary of software with 'simple' in the title. I know auth can be an
extremely complex problem, but SimpleSaml is anything but. I am
interested in universal adapters like SimpleSaml and dream of the day
when they work smoothly, which is why I am responding and would like
to see this bug identified and squashed.

good luck!
/Jonah

On Feb 18, 6:03 pm, "eric.truett" <eric.tru...@gmail.com> wrote:
> i realized that two parties are involved. however, there were 4 saml20
> files in the metadata directory, and it was not obvious that you
> needed to pair saml20-idp-hosted.php  with saml20-sp-remote.php,
> instead of pairing saml20-idp-hosted.php with saml20-idp-remote.php.
>
> i noticed a suggestion elsewhere to use live http headers in
> debugging. i have included this information (while deleting username/
> password which are correct) to see if anyone can provide insight into
> why, after i am successfully redirected to enter a username and
> password, that my post request is not producing any results.
>
> ##################################
>
> Location:https://www.google.com/a/smithclubchicago.org/ServiceLogin?service=ma...
>
> Location:http://www.smithclubchicago.org/simplesaml/saml2/idp/SSOService.php?S...
>
> http://www.smithclubchicago.org/simplesaml/auth/login.php?RelayState=...
>
> http://www.smithclubchicago.org/simplesaml/auth/login.php?
>
> POST /simplesaml/auth/login.php? HTTP/1.1
>
> Host:www.smithclubchicago.org
>
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/
> 2009020911Ubuntu/8.10 (intrepid) Firefox/3.0.6
>
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/
> *;q=0.8
>
> Accept-Language: en-us,en;q=0.5
>
> Accept-Encoding: gzip,deflate
>
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>
> Keep-Alive: 300
>
> Connection: keep-alive
>
> Referer:http://www.smithclubchicago.org/simplesaml/auth/login.php?RelayState=...

Andreas Åkre Solberg

Mar 3, 2009, 2:35:19 AM
to simple...@googlegroups.com
On 17. feb.2009, at 17:36, eric.truett wrote:

> then do I need to modify the files saml20-sp-remote.php and
> saml20-sp-hosted.php in the metadata directory or should I remove them?

For a SAML 2.0 IdP, you need saml20-idp-hosted and saml20-sp-remote, and you can leave the others untouched or delete them.


> (2) if my domain is smithclubchicago.org, what do I set as the values
> below for $A and $B. i tried various combinations of the domain name
> and www to no avail, the only way i avoided error messages was to use
> '__DYNAMIC:1__' and '__DEFAULT__', respectively.

The entity ID $A can be whatever you want without getting errors from simplesamlphp, BUT if you change it your metadata also changes, and that may require an update on google apps config (I don't remember if you configure entityid there :)

The host $B MUST be either __DEFAULT__ or the EXACT hostname that you have in the url in your browser. in your case

> after i enter a valid username and password, i am redirected to
> http://www.smithclubchicago.org/simplesaml/auth/login.php? and then
> have a blank screen. i am not sure what to do at this point.
>
> thank you for any suggestions or advice,

In general when you encounter a blank screen, the reason is a php error.

Take a look in the apache error log and see if there are any errors there...?

Andreas

Andreas Åkre Solberg

Mar 3, 2009, 2:39:17 AM
to simple...@googlegroups.com

On 19. feb.2009, at 00:03, eric.truett wrote:

> i realized that two parties are involved. however, there were 4 saml20
> files in the metadata directory, and it was not obvious that you
> needed to pair saml20-idp-hosted.php with saml20-sp-remote.php,
> instead of pairing saml20-idp-hosted.php with saml20-idp-remote.php.

Yup, I know all the metadata stuff is very confusing. But I am not
sure how we can make it simpler, any suggestions would be very
welcome!!!

Right now, the documentation of google apps IdP says:

"If you want to setup a SAML 2.0 IdP for Google Apps, you need to
configure two metadata files: saml20-idp-hosted.php and saml20-sp-remote.php."

https://rnd.feide.no/content/simplesamlphp-idp-google-apps-education

I've done some steps to make it simpler, with __DYNAMIC__ and
__DEFAULT__, which will give good default values, and require less
metadata changes. I may not have documented this well enough yet. I'll
try to make time to do a major revision of the documentation any time
very soon.

Andreas


--
Andreas Åkre Solberg
=andreas
http://rnd.feide.no

Andreas Åkre Solberg

Mar 3, 2009, 2:41:10 AM
to simple...@googlegroups.com

On 3. mars2009, at 00:12, Jonah Bossewitch wrote:

> I have been trying to configure SimpleSaml as the SSO provider for
> google apps too, and encountered a weird bug where the initial login
> was a blank screen, though if I returned to the google site again, I
> was actually logged in. It seemed /very/ difficult to track down, and
> I wasn't really sure where to start debugging (I had looked at all the
> administrative diagnostic screens, and everything checked out).

Did you get a blank page in your simplesamlphp installation or at
google apps :)

If you get the blank screen in simplesaml it will be a lot easier to
debug :D

Do you still have the setup, and are able to do some debug steps? Do
you have the installation available from outside (for me to test)?
Have you checked the Apache error log for error messages?
