Using SimpleSAMLphp to authenticate against ADFS 2.0 Idp


Kumari Anjali

Sep 13, 2017, 9:20:44 AM
to SimpleSAMLphp
Hi,
I am configuring simpleSAMLphp with my application for single sign-on using ADFS. When I type my application URL in the browser, it redirects to the ADFS login page. After providing the credentials, it leads to a SimpleSAMLphp page with a set of errors, and I am not able to trace the error log either. Can anyone help me out with this, e.g.:
1.) Why does this error occur?
2.) Is this error in SAML or from the IDP side?


Please give me a solution for this error.

Thanks in advance.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 C:\simplesamlphp\www\module.php:180 (N/A)
Caused by: sspmod_saml_Error: Responder
Backtrace:
3 C:\simplesamlphp\modules\saml\lib\Message.php:392 (sspmod_saml_Message::getResponseError)
2 C:\simplesamlphp\modules\saml\lib\Message.php:499 (sspmod_saml_Message::processResponse)
1 C:\simplesamlphp\modules\saml\www\sp\saml2-acs.php:129 (require)
0 C:\simplesamlphp\www\module.php:137 (N/A)

Peter Schober

Sep 13, 2017, 11:32:32 AM
to SimpleSAMLphp
* Kumari Anjali <kumarian...@gmail.com> [2017-09-13 15:20]:
> After providing the credentials it is leading to simplepage page
> with set of errors and I am not able to trace the error log
> also.

Do you mean you don't find any errors in the log files, or that you
don't find the log files, or that they are not being created? Or
something else entirely?

> *1.) why this error occur ?*

Well, it says:

> Backtrace:
> 0 C:\simplesamlphp\www\module.php:180 (N/A)
> Caused by: sspmod_saml_Error: Responder

And the "Responder" here is the IDP (the SP sends a Request to the
IDP, and the IDP sends a Response; quite simple). So the IDP returned
an error, that's all we know here.
Maybe there's more in the logs or you can ask the IDP what error
(i.e., why) they returned an error.

> *2.) Is this error in saml or from IDP side?*

Not "or" but "both", AFAIU the question.

-peter

Kumari Anjali

Sep 14, 2017, 3:23:04 AM
to SimpleSAMLphp
Hi Peter,

Thanks for the reply,

In log file I can see two errors

1.) Session: 'transishun-sp' not valid because we are not authenticated.
2.) Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.

I have also changed 'session.cookie.domain' => '.example.org' in the simplesamlphp config file (.example.org is replaced with my application name).

But still the issue remains the same. Can you help me out in solving this issue?


Thanks in advance. 

Peter Schober

Sep 14, 2017, 3:42:02 AM
to SimpleSAMLphp
* Kumari Anjali <kumarian...@gmail.com> [2017-09-14 09:23]:
> 1.) Session: 'transishun-sp' not valid because we are not authenticated.
> 2.) Could not load state specified by InResponseTo: NOSTATE Processing
> response as unsolicited.

https://simplesamlphp.org/docs/stable/simplesamlphp-nostate

> I have changed the 'session.cookie.domain' => '.example.org' in
> simplesamlphp config file also. (.example.org is replace by my
> application name.)

Well, ".example.org" cant be replaced with your application name but
with your DNS domain. But why did you make that change? No other host
with than DNS zone should be able to read (or write) your
SimpleSAMLphp session cookies, so what is the intent of that change?

-peter

Peter Schober

Sep 14, 2017, 3:43:29 AM
to SimpleSAMLphp
* Peter Schober <peter....@univie.ac.at> [2017-09-14 09:42]:
I see that's actually suggested in the documentation above.
Personally I'd simply make sure to canonicalise any hostnames to one
form before starting any SAML flows. That's more sane and also more
secure as you don't need to expose your session cookies more than
necessary.
-peter

Kumari Anjali

Sep 14, 2017, 5:57:29 AM
to SimpleSAMLphp
Hi Peter,

I have reverted the change ('session.cookie.domain' => '.example.org'), as it was given in one of the solutions to this issue.

But still I am looking for the solution.

Here is my error, which I got from the log file.

Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] Backtrace:
Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] 0 C:\simplesamlphp\www\module.php:180 (N/A)
Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] Caused by: sspmod_saml_Error: Responder
Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] Backtrace:
Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] 3 C:\simplesamlphp\modules\saml\lib\Message.php:392 (sspmod_saml_Message::getResponseError)
Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] 2 C:\simplesamlphp\modules\saml\lib\Message.php:499 (sspmod_saml_Message::processResponse)
Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] 1 C:\simplesamlphp\modules\saml\www\sp\saml2-acs.php:129 (require)
Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] 0 C:\simplesamlphp\www\module.php:137 (N/A)
Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] Error report with id aa6b728f generated.
Sep 14 15:12:36 simplesamlphp DEBUG [dcfab56b7c] Session: Valid session found with 'admin'.
Sep 14 15:12:36 simplesamlphp DEBUG [dcfab56b7c] Template: Reading [C:\simplesamlphp\dictionaries/errors]

Please check it and let me know if any solution is available. As I am new to SAML, I am unable to rectify this issue, and it is a blocker for me right now.

Please let me know whether I need to contact the IDP server team to solve this issue (it is handled by another team) or whether it can be rectified from my end.

Thanks in advance. 


Peter Schober

Sep 14, 2017, 6:22:46 AM
to SimpleSAMLphp
* Kumari Anjali <kumarian...@gmail.com> [2017-09-14 11:57]:
> Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] SimpleSAML_Error_Error:
> UNHANDLEDEXCEPTION
> Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] Backtrace:
> Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] 0
> C:\simplesamlphp\www\module.php:180 (N/A)
> Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] Caused by:
> sspmod_saml_Error: Responder

The responder is the IDP, so ask the IDP why and what the specific
error was. (I don't know how to get that from SSP.)

I told you that before, of course.

> Sep 14 15:12:36 simplesamlphp ERROR [dcfab56b7c] Error report with id
> aa6b728f generated.

You could look for lines with "aa6b728f" in the same log file, e.g.
$ fgrep aa6b728f your.log

-peter

priva...@gmail.com

Oct 20, 2017, 3:15:30 AM
to SimpleSAMLphp
Hello, we have the exact same error and can't figure out what is going on.
Did you manage to solve it ?
How ?
Many thanks,
Laurent.

Tim van Dijen

Oct 23, 2017, 2:46:09 AM
to SimpleSAMLphp
Hello Laurent,

The Responder error basically means that the ADFS IdP couldn't fulfil your authentication request.
There are two ways to go on this:
1. Ask your IdP-administrator to check the Windows Event Logs on the ADFS machine;  you will find a clue there
2. Make a SAML-trace and see if you can find a mismatch on what you're sending and what ADFS is expecting.
    Known culprits:
    - A mismatch in signing algorithm
    - ADFS not trusting the certificate used to sign the authentication request
    - Specifying a RequestedAuthnContext in the authentication request with comparison=minimum or comparison=exact;  don't know about the latest version of ADFS, but earlier versions didn't always like that.
    - Specifying a Scoping-element in the authentication request;  again I don't know about the latest version of ADFS, but earlier versions didn't like it.

- Tim
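Decoding a captured exchange to see what the IdP actually returned, and which of the request features listed above are present, as an added example in Python (not SimpleSAMLphp, ADFS, or either poster's code). It serves both Peter's point that "Responder" is all SimpleSAMLphp surfaces and Tim's SAML-trace approach. The AuthnRequest and Response below are constructed samples with hypothetical entity IDs and URLs; on a real trace, feed decode_redirect_request the SAMLRequest redirect URL from the browser's network log and decode_post_message the SAMLResponse form field posted to saml2-acs.php.

```python
"""Decode a captured SAML exchange and report what the IdP returned, plus the
request features ADFS has been known to reject. Added example, not project code;
sample messages are constructed and entity IDs/URLs are hypothetical."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed AuthnRequest carrying both a RequestedAuthnContext and a Scoping element.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0" IssueInstant="2017-09-14T09:42:00Z" Destination="https://adfs.example.org/adfs/ls/" AssertionConsumerServiceURL="https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp">
<saml:Issuer>https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
<samlp:RequestedAuthnContext Comparison="minimum"><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>
<samlp:Scoping ProxyCount="2"/>
</samlp:AuthnRequest>"""

# Constructed Response with a Responder status and a nested sub-status, no StatusMessage.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_def456" Version="2.0" IssueInstant="2017-09-14T09:42:01Z" InResponseTo="_abc123">
<saml:Issuer>http://adfs.example.org/adfs/services/trust</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/></samlp:StatusCode></samlp:Status>
</samlp:Response>"""


def encode_redirect_request(xml_text, sig_alg=None):
    """Build an HTTP-Redirect binding query string the way an SP does
    (raw DEFLATE, base64, URL-encode). Used here only to construct a sample URL;
    no Signature parameter is computed."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if sig_alg:
        params["SigAlg"] = sig_alg
    return urllib.parse.urlencode(params)


def decode_redirect_request(url):
    """Inflate the SAMLRequest from a captured redirect URL; return (xml, SigAlg or None)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8"), qs.get("SigAlg", [None])[0]


def decode_post_message(b64):
    """HTTP-POST binding form fields (SAMLRequest/SAMLResponse) are plain base64, no DEFLATE."""
    return base64.b64decode(b64).decode("utf-8")


def inspect_authn_request(xml_text, sig_alg=None):
    """Pull out the request fields worth comparing against the ADFS relying party trust."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    rac = root.find("samlp:RequestedAuthnContext", NS)
    # POST binding: algorithm sits inside ds:Signature; Redirect binding: the SigAlg parameter.
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # SAML defaults Comparison to "exact" when the attribute is absent.
        "authn_context_comparison": rac.get("Comparison", "exact") if rac is not None else None,
        "has_scoping": root.find("samlp:Scoping", NS) is not None,
        "signature_algorithm": method.get("Algorithm") if method is not None else sig_alg,
    }


def response_status(xml_text):
    """Return the IdP's top-level status, nested sub-status and StatusMessage (None if absent)."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("message has no samlp:Status")
    top = status.find("samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS)
    return {
        "in_response_to": root.get("InResponseTo"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": top.get("Value").replace(STATUS, ""),
        "sub_status": sub.get("Value").replace(STATUS, "") if sub is not None else None,
        "message": status.findtext("samlp:StatusMessage", namespaces=NS),
    }


def flag_adfs_issues(req, resp):
    """Human-readable findings for the mismatch hunt: IdP error first, then request features."""
    findings = []
    if resp["status"] != "Success":
        findings.append("IdP %s returned %s (sub-status %s, message %s)" % (
            resp["issuer"], resp["status"], resp["sub_status"], resp["message"]))
    if resp["in_response_to"] != req["id"]:
        findings.append("InResponseTo %r does not match request ID %r; the SP cannot correlate "
                        "this response with its request" % (resp["in_response_to"], req["id"]))
    if req["authn_context_comparison"] is not None:
        findings.append("request carries RequestedAuthnContext Comparison=%s"
                        % req["authn_context_comparison"])
    if req["has_scoping"]:
        findings.append("request carries a Scoping element")
    alg = req["signature_algorithm"]
    if alg and alg.endswith("#rsa-sha1"):
        findings.append("request signed with %s; compare with the hash algorithm configured "
                        "on the ADFS relying party trust" % alg)
    return findings


def run_sample():
    """Drive the helpers over the constructed messages; returns the findings list."""
    url = "https://adfs.example.org/adfs/ls/?" + encode_redirect_request(
        SAMPLE_AUTHN_REQUEST, "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    xml_text, sig_alg = decode_redirect_request(url)
    req = inspect_authn_request(xml_text, sig_alg)
    resp = response_status(decode_post_message(
        base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")))
    return flag_adfs_issues(req, resp)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The nested StatusCode is where the more specific reason lives when the IdP chooses to send one; when it does not, the Windows Event Log on the ADFS host is the only place the actual reason is recorded, which is why asking the IdP administrator remains step one.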