Artifact Resolution issue


Don S

Jan 26, 2011, 3:27:49 PM
to simpleSAMLphp
Hi,
I have been trying for days to figure out how to use simpleSAMLphp to
handle an SSO being set up with a client. My client has a link which
sends the SAMLART value in the querystring which I then need to return
them an authentication request via SAML XML which passes the Artifact
and digital signature of my server's certificate. Then, they will
return a SAML XML with the authentication status and attributes I will
need to log the user into my system.

I am new to this concept (SAML) and have found no documentation which
suits my needs, so excuse me if this has already been addressed and
possibly provide a link to that topic.

What I assume I need to do is emulate this request with something
like:
https://myserver/saml2/idp/ArtifactResolutionService.php?SAMLART=AAAAAAAAAAAAAAA....

I have set up an IdP in saml20-idp-hosted.php as such:

    $metadata['__DYNAMIC:1__'] = array(
        /*
         * The hostname of the server (VHOST) that will use this SAML entity.
         *
         * Can be '__DEFAULT__', to use this entry by default.
         */
        'host' => '__DEFAULT__',

        /* X.509 key and certificate. Relative to the cert directory. */
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',
        'saml20.sendartifact' => TRUE,

        /*
         * Authentication source to use. Must be one that is configured in
         * 'config/authsources.php'.
         */
        'auth' => 'EPGSSO',
    );

I added the 'saml20.sendartifact' => TRUE, based on a patch shown
here: http://code.google.com/p/simplesamlphp/source/browse/trunk/www/saml2/idp/ArtifactResolutionService.php?r=2302


Additionally I have set up an SP in authsources.php which looks like
this:

    'EPGSSO' => array(
        'saml:SP',
        //'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',
        //'redirect.sign' => TRUE,
        //'redirect.validate' => TRUE,
        'entityID' => 'https://myserver.com',
        'idp' => 'IS THIS WHERE I POINT TO THE URL FOR MY CLIENTS SAML HANDLER?',
        //'discoURL' => NULL
    ),

I am confused with where I need to set up an SP, but this is currently
what I have done. I also tried the HTTP-Artifact binding here with no
luck.

Anyhow when I attempt to hit the link to the Artifact resolution page
I get this error:

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

    Backtrace:
    1 /var/simplesamlphp/www/_include.php:34 (SimpleSAML_exception_handler)
    0 [builtin] (N/A)
    Caused by: Exception: Unable to send artifact without a datastore configured.
    Backtrace:
    0 /var/simplesamlphp/www/saml2/idp/ArtifactResolutionService.php:29 (N/A)



I am completely stumped and have a deadline which is stressing me out.
Any and all help appreciated.

Don

Olav Morken

Jan 27, 2011, 3:45:45 AM
to simple...@googlegroups.com
On Wed, Jan 26, 2011 at 12:27:49 -0800, Don S wrote:
> Hi,
> I have been trying for days to figure out how to use simpleSAMLphp to
> handle a SSO being setup with a client. My client has a link which
> sends the SAMLART

I assume you mean "SAMLart"? The parameter names are case sensitive.

> value in the querystring which I then need to return
> them a authentication request via SAML XML which passes the Artifact
> and digital signature of my servers certificate. Then, they will
> return a SAML XML with the authentication status and attributes I will
> need to log the user into my system.

So, to clarify - you are configuring a SAML 2 SP?

> I am new to this concept (SAML) and have found no documentation which
> suits my needs, so excuse me if this has already been addressed and
> possibly provide a link to that topic.
>
> What I assume I need to do is emulate this request with something
> like:
> https://myserver/saml2/idp/ArtifactResolutionService.php?SAMLART=AAAAAAAAAAAAAAA....
>
> I have setup an IdP in saml20-idp-hosted.php as such:

[...]

For an SP, you should not need to configure an IdP.

> I added the 'saml20.sendartifact' => TRUE, based on a patch shown
> here: http://code.google.com/p/simplesamlphp/source/browse/trunk/www/saml2/idp/ArtifactResolutionService.php?r=2302

Only needed for an IdP.

> Additionally I have setup a SP in authsoures.php which looks like
> this:
>
> 'EPGSSO' => array(
> 'saml:SP',
> //'ProtocolBinding' => 'urn:oasis:names:tc:SAML:
> 2.0:bindings:HTTP-Artifact',

You should uncomment this line to make your SP request that
authentication responses are sent with the HTTP-Artifact binding.

> 'privatekey' => 'server.pem',
> 'certificate' => 'server.crt',
> //'redirect.sign' => TRUE,
> //'redirect.validate' => TRUE,
> 'entityID' => 'https://myserver.com',
> 'idp' => 'IS THIS WHERE I POINT TO THE URL FOR MY
> CLIENTS SAML HANDLER?'

No, this is the entityID of the IdP you are talking with. You can find
it in the IdP's metadata.

> //'discoURL' => NULL
> ),

So, you are configuring a SAML 2 bridge, where you have an IdP that
talks to another IdP?

> I am confused with where i need to setup a SP, but this is currently
> what I have done. I also tried the HTTP-Arifact binding here with no
> luck.
>
> Anyhow when I attempt to hit the link to the Artifact resolution page
> I get this error:

[...]

If you are not configuring an IdP, you should not be using the
ArtifactResolutionService.

> I am completely stumped and have a deadline which is stressing me out.
> Any and all help appreciated.

What you need to do is to configure the IdP with the URL of your SP's
AssertionConsumerService. It should be something like:

https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/EPGSSO

(You can find it in your SP's metadata, available from the federation
tab.)

You can then go to the URL you have received, which presumably triggers
an IdP-initiated SSO. The IdP will then authenticate the user, and then
redirect to your AssertionConsumerService with a SAMLart parameter.

The SP will then issue a query to the IdP's ArtifactResolutionService in
order to receive the response.

Note that if you haven't done so already, you need to add metadata for
your IdP in the saml20-idp-remote.php metadata file. If the IdP gives
you SAML 2.0 metadata, you can use the metadata converter on the
federation tab in order to convert it to PHP format.

Regards,
Olav Morken
UNINETT / Feide
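The SP-side setup described in the reply above, pulled together as an added example; this is not code from the thread or from the simpleSAMLphp project. It shows the authsource with the HTTP-Artifact binding enabled and the 'idp' key pointing at the IdP's entityID, the matching saml20-idp-remote.php entry with an ArtifactResolutionService endpoint, and the check an SP relies on before resolving an artifact: the SourceID inside the SAMLart must be the SHA-1 of the entityID of the IdP the SP is configured to trust. All hostnames, entityIDs, file names and the certData value are assumptions; the sample artifacts at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not code from this thread or from the simpleSAMLphp project.
// Hostnames, entityIDs, file names and certData below are assumptions.

// --- config/authsources.php (the SP authentication source) ---
$config = array(
    'EPGSSO' => array(
        'saml:SP',
        'entityID' => 'https://myserver.com',
        // The IdP's entityID as published in its metadata, not a handler URL.
        'idp' => 'https://idp.example.org/saml2/idp/metadata.php',
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',
        // Ask the IdP to deliver the response by reference (artifact).
        'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
    ),
);

// --- metadata/saml20-idp-remote.php (the IdP this SP trusts) ---
$metadata = array();
$metadata['https://idp.example.org/saml2/idp/metadata.php'] = array(
    'SingleSignOnService' => 'https://idp.example.org/saml2/idp/SSOService.php',
    // Endpoint the SP calls over SOAP to exchange the artifact for the response.
    'ArtifactResolutionService' => array(
        array(
            'index'    => 0,
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
            'Location' => 'https://idp.example.org/saml2/idp/ArtifactResolutionService.php',
        ),
    ),
    'certData' => 'BASE64-DER-OF-IDP-SIGNING-CERT-PLACEHOLDER',
);

/*
 * A SAML 2.0 artifact (type 0x0004) is 44 raw bytes, base64-encoded:
 *   2 bytes type code | 2 bytes endpoint index | 20 bytes SourceID | 20 bytes handle
 * SourceID is SHA-1 of the issuer's entityID, so the SP can tell which
 * configured IdP an artifact claims to come from before making any call.
 */
function decodeArtifact($samlArt) {
    $raw = base64_decode($samlArt, true);
    if ($raw === false || strlen($raw) !== 44) {
        throw new Exception('Malformed SAMLart');
    }
    $head = unpack('ntype/nindex', substr($raw, 0, 4));
    if ($head['type'] !== 4) {
        throw new Exception('Unsupported artifact type ' . $head['type']);
    }
    return array(
        'index'    => $head['index'],
        'sourceId' => substr($raw, 4, 20),
        'handle'   => substr($raw, 24, 20),
    );
}

// Return the ArtifactResolutionService location to query, or throw when the
// artifact was not issued by the IdP named in the authsource.
function artifactResolutionEndpoint($samlArt, array $metadata, $expectedIdp) {
    $art = decodeArtifact($samlArt);
    if ($art['sourceId'] !== sha1($expectedIdp, true)) {
        throw new Exception('Artifact SourceID does not match the configured IdP');
    }
    foreach ($metadata[$expectedIdp]['ArtifactResolutionService'] as $ep) {
        if ($ep['index'] === $art['index']
            && $ep['Binding'] === 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP') {
            return $ep['Location'];
        }
    }
    throw new Exception('No SOAP ArtifactResolutionService with index ' . $art['index']);
}

// Constructed sample: an artifact as the trusted IdP would mint it.
$idp = $config['EPGSSO']['idp'];
$sampleArt = base64_encode(pack('nn', 4, 0) . sha1($idp, true) . str_repeat("\x2a", 20));
echo artifactResolutionEndpoint($sampleArt, $metadata, $idp), "\n";

// Constructed mismatch: same layout, but the SourceID names a different entityID.
$otherArt = base64_encode(pack('nn', 4, 0) . sha1('https://other.example.net/', true) . str_repeat("\x2a", 20));
try {
    artifactResolutionEndpoint($otherArt, $metadata, $idp);
} catch (Exception $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

With the 'ProtocolBinding' line uncommented and an 'ArtifactResolutionService' entry present in the IdP's remote metadata, the saml:SP module performs this resolution itself; the decode and SourceID comparison are spelled out here only to show what the SP depends on when it decides which endpoint to query. The response returned by the IdP still has to be signature-checked against the certificate in the remote metadata before any attribute in it is used to log the user in.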

Message has been deleted

Don S

Jan 27, 2011, 8:11:56 PM
to simpleSAMLphp
Please disregard my previous posts. My hunch was correct that SAML is
made out to be more complex than it really is. I wrote my own script
in about 30 lines of PHP and got everything accomplished.

Thanks for your time.

Don

Radu Ichim

Feb 26, 2014, 8:32:57 AM
to simple...@googlegroups.com, donald....@gmail.com
Hello

Can you give me a small example of how you managed to solve this ...

Thank you!