Create and return extra fields (attribute) SimpleSAMLPHP with CAS 4.1.x- LDAP authentication module


rhemandaddy

Apr 23, 2017, 2:20:07 AM
to SimpleSAMLphp
Hello everyone.
I hope you are having a good weekend.

I just installed and set up SimpleSAMLphp with the CAS 4.1.x - LDAP authentication module (https://simplesamlphp.org/docs/stable/cas:cas#section_2) and everything is working perfectly.
When I did a test through "test configured authentication sources", the user is authenticated and I get all the attributes that are attached to his session.

However, I want to return extra fields (custom attributes) and I don't know how to do it.

For example, I can get the attributes uid, mail, givenName attached to my session. But my web application, which uses SimpleSAMLphp for authentication, does not handle such attributes; it handles user_uid, user_mail and user_firstname, corresponding respectively to uid, mail, and givenName.

How can I create extra fields user_uid, user_mail and user_firstname containing respectively uid, mail, and givenName, then send them to my web application which uses SimpleSAMLphp for authentication?

I need your help.

Best regards

Jaime Perez Crespo

Apr 23, 2017, 7:16:45 AM
to simple...@googlegroups.com
Hi,

On 23 Apr 2017, at 08:20 AM, 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> Hello everyone.
> I hope you have a good weekend.
>
> I just installed and set up SimpleSAMLphp with the CAS 4.1.x - LDAP authentication module (https://simplesamlphp.org/docs/stable/cas:cas#section_2) and everything is working perfectly.
> When I did a test through "test configured authentication sources", the user is authenticated and I get all the attributes that are attached to his session.
>
> However, I want to return extra fields (custom attributes) and I don't know how to do it.

Those are called “attributes”. You can specify which attributes you send to a service provider in the metadata. The service provider itself should declare its needs for attributes on its own metadata. If it does, SimpleSAMLphp will parse that metadata and configure that for you transparently.

> For example, I can get the attributes uid, mail, givenName attached to my session. But my web application, which uses SimpleSAMLphp for authentication, does not handle such attributes; it handles user_uid, user_mail and user_firstname, corresponding respectively to uid, mail, and givenName.

But those are exactly the same attributes, right? Just using different names.

> How can I create extra fields user_uid, user_mail and user_firstname containing respectively uid, mail, and givenName, then send them to my web application which uses SimpleSAMLphp for authentication?

You are already sending the user’s ID, email and first name to the SP. If your web application is using SimpleSAMLphp too, you can configure that SimpleSAMLphp to rename the attributes it receives to whatever the application expects. Every time you don’t know how to do something in SimpleSAMLphp, you can use the search field on the web page to look for whatever you want (top right of the page). In this case, for example, you could search for “rename attribute”, and then you would see this in the search results:

"core:AttributeMap. Filter to change attribute names."
https://simplesamlphp.org/docs/stable/core:authproc_attributemap

You can also do that in the IdP, but it doesn’t make much sense that the IdP needs to know the exact names of the attributes every application is expecting. Therefore, what’s logical here is that you use well known names for attributes, and then let the application rename them to whatever it needs. In any case, if you don’t have control over the SP (the application and its integration with SimpleSAMLphp), you can use the same authproc filter to change the names of the attributes you send to this particular SP.

Now that you know how to rename attributes in SimpleSAMLphp, you should ask yourself: why not just rename the attributes in the PHP script that's calling SimpleSAMLphp?

$attributes = $auth->getAttributes();
$user_uid = $attributes['uid'];
$user_mail = $attributes['mail'];
$user_firstname = $attributes['givenName'];

Remember you are programming here, you can do whatever you want. Oh, and remember two things too:

- The attributes returned by “getAttributes()” are always arrays of values. Even if an attribute has only one value, it will be an array with the value inside.
- An attribute might sometimes be missing, so implement your software so that it reacts adequately in such case.

Have a nice weekend,

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
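As an added example (not code from the thread or from SimpleSAMLphp), this is the application-side rename suggested above, written to honour the two caveats: every value from getAttributes() is an array, and an attribute may be missing. The mapping function is pure so it runs offline on a constructed input; in a real integration the input would come from $auth->getAttributes(). The names user_uid, user_mail and user_firstname are the ones from the original question; the helper names are my own.

```php
<?php
// Added example, not code from the thread or from SimpleSAMLphp: rename the
// attribute array returned by $auth->getAttributes() to the names the application
// expects, handling multi-valued and missing attributes explicitly.

declare(strict_types=1);

/**
 * Rename attributes according to $map (IdP name => application name).
 * Attributes not in $map are dropped. Values are collapsed to their first
 * element; a missing or empty attribute becomes null so the caller decides.
 *
 * @param array<string, string[]> $attributes  shape of getAttributes()
 * @param array<string, string>   $map
 * @return array<string, string|null>
 */
function mapAttributes(array $attributes, array $map): array
{
    $result = [];
    foreach ($map as $source => $target) {
        if (!isset($attributes[$source]) || $attributes[$source] === []) {
            $result[$target] = null;
            continue;
        }
        // getAttributes() returns a list of values even for single-valued attributes
        $result[$target] = (string) $attributes[$source][0];
    }
    return $result;
}

/**
 * Names from $required whose mapped value is null.
 *
 * @param array<string, string|null> $mapped
 * @param string[] $required
 * @return string[]
 */
function missingRequired(array $mapped, array $required): array
{
    return array_values(array_filter($required, function ($name) use ($mapped) {
        return !isset($mapped[$name]);
    }));
}

// Constructed sample input in the shape getAttributes() produces.
// 'givenName' is deliberately absent to exercise the missing-attribute path.
$attributes = [
    'uid'  => ['jdoe'],
    'mail' => ['jdoe@example.org', 'john.doe@example.org'],
];

// IdP attribute name => name the application expects (from the question).
$map = [
    'uid'       => 'user_uid',
    'mail'      => 'user_mail',
    'givenName' => 'user_firstname',
];

// Real integration: $attributes = $auth->getAttributes();
$mapped  = mapAttributes($attributes, $map);
$missing = missingRequired($mapped, ['user_uid', 'user_mail']);

if ($missing !== []) {
    // Refuse to start an application session on incomplete identity data
    // rather than silently continuing with undefined values.
    throw new RuntimeException('IdP did not release required attributes: ' . implode(', ', $missing));
}

var_dump($mapped);
```

Treating a missing required attribute as a hard failure is the safer default: an application that continues with an empty user_uid can end up matching the wrong local account.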

rhemandaddy

Apr 23, 2017, 10:22:59 AM
to SimpleSAMLphp
Thanks a lot.

I did the following in my authsources.php.

'esfam-cas' => array(
    'cas:CAS',
    'cas' => array(
        'login' => 'https://esfam-cas.auf.org:8443/login',
        'validate' => 'https://esfam-cas.auf.org:8443/validate',
        'logout' => 'https://esfam-cas.auf.org:8443/logout',
    ),
    'ldap' => array(
        'servers' => 'ldap://esfam-cas.auf.org:389/',
        'enable_tls' => false,
        'searchbase' => 'ou=people,dc=esfamldap,dc=auf,dc=org',
        'searchattributes' => 'uid',
        'attributes' => NULL, //array('uid','cn','givenName','sn', 'mail'),
        'priv_user_dn' => 'cn=admin,dc=esfamldap,dc=auf,dc=org',
        'priv_user_pw' => 'pessek12',
    ),
    'authproc' => array(
        50 => array(
            'class' => 'core:AttributeMap',
            'uid' => 'user_uid',
            'mail' => 'user_mail',
            'givenName' => 'user_firstname',
        ),
    ),
),

But it seems like my attributes are not mapped, because I cannot get them from my web application which uses SimpleSAMLphp for authentication. Could someone please tell me what I did wrong?

Jaime Perez Crespo

Apr 24, 2017, 3:52:38 AM
to simple...@googlegroups.com
Hi,
From the documentation:

—8<—
1 How to configure Auth Proc Filters
Auth Proc Filters can be set globally, or to be specific for only one SP or one IdP. That means there are five locations where you can configure Auth Proc Filters:

• Globally in config.php
• On the SP: Specific for only the SP in authsources.php
—>8—

Since that auth source is CAS, not a SAML SP, that must be the IdP, and therefore, it won’t work as per the documentation: “On the SP”.

If you keep reading the documentation, you will see where in the IdP you can configure authproc filters, apart from doing it in "config.php":

—8<—
• On the IdP: Specific for only one hosted IdP in saml20-idp-hosted or shib13-idp-hosted
• On the IdP: Specific for only one remote SP in saml20-sp-remote or shib13-sp-remote
—>8—
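To make the placement concrete, here is the same core:AttributeMap filter in the two IdP-side locations the quoted documentation names. This is an added example, not configuration from the thread or from the SimpleSAMLphp project; the file names are the standard metadata files, while the SP entityID, the AssertionConsumerService URL and the key/certificate file names are placeholders. Only the 'esfam-cas' auth source name is taken from the thread.

```php
<?php
// Added example, not from the thread or the SimpleSAMLphp project: where an
// authproc filter must live for an IdP whose auth source is cas:CAS. Putting it
// under the auth source in authsources.php only affects a SAML SP auth source.

// metadata/saml20-idp-hosted.php  (applies to every SP this IdP serves)
$metadata['__DYNAMIC:1__'] = array(
    'host'        => '__DEFAULT__',
    'privatekey'  => 'server.pem',   // placeholder
    'certificate' => 'server.crt',   // placeholder
    'auth'        => 'esfam-cas',    // the cas:CAS auth source from the thread

    'authproc' => array(
        // Runs on the IdP before the assertion is built, so the SP receives the
        // renamed attributes. Priority 50 leaves room for filters that must run earlier.
        50 => array(
            'class'     => 'core:AttributeMap',
            'uid'       => 'user_uid',
            'mail'      => 'user_mail',
            'givenName' => 'user_firstname',
        ),
    ),
);

// metadata/saml20-sp-remote.php  (applies only to this one SP; the better place
// when a single application needs non-standard names and the IdP serves others)
$metadata['https://sp.example.org/metadata'] = array(   // placeholder entityID
    'AssertionConsumerService' => 'https://sp.example.org/acs',   // placeholder
    'authproc' => array(
        50 => array(
            'class'     => 'core:AttributeMap',
            'uid'       => 'user_uid',
            'mail'      => 'user_mail',
            'givenName' => 'user_firstname',
        ),
    ),
);
```

The two fragments belong in separate files; they are shown together only to contrast the scope of each location. As the earlier reply notes, the per-SP variant keeps the IdP's own attribute names standard and confines the renaming to the one SP that needs it.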

rhemandaddy

Apr 27, 2017, 3:18:42 AM
to SimpleSAMLphp
Hi.

I tried to perform the AttributeMap in my config.php as mentioned in the documentation. But until now the renamed attributes are not sent to my web app which uses SimpleSAMLphp for authentication.

I used the core:AttributeMap filter in my config.php (in the authproc.idp section) as you can see in the following listing.

'authproc.idp' => array(
    10 => array(
        'class' => 'core:AttributeMap',
        'uid' => 'elgg:username',
        'uidNumber' => 'elgg:external_id',
        'sn' => 'elgg:lastname',
        'mail' => 'elgg:email',
        'givenName' => 'elgg:firstname',
    ),

    30 => 'core:LanguageAdaptor',

    45 => array(
        'class'         => 'core:StatisticsWithAttribute',
        'attributename' => 'realm',
        'type'          => 'saml20-idp-SSO',
    ),

    50 => 'core:AttributeLimit',
    99 => 'core:LanguageAdaptor',
),

When I try to authenticate using my web app, I am normally redirected to my CAS server. But after CAS authentication I am still redirected to the CAS login panel.
In my Apache log I have the following entries.

[Wed Apr 26 22:30:42.651544 2017] [:error] [pid 4635] [client 127.0.0.1:36896] simplesamlphp DEBUG [980a772754] Session: 'auf-cas' not valid because we are not authenticated.
[Wed Apr 26 22:30:42.652833 2017] [:error] [pid 4635] [client 127.0.0.1:36896] simplesamlphp DEBUG [980a772754] Saved state: '_7ca31f9ce0f629e13649da81447af86e40de2b7c40:https://esfam-elgg.auf.org/simplesaml/module.php/core/as_login.php?AuthId=auf-cas&ReturnTo=https-elgg.auf.org-cas'

Could someone help me? I don't know what's wrong.

Jaime Perez Crespo

Apr 27, 2017, 3:29:26 AM
to simple...@googlegroups.com
Hi,

On 27 Apr 2017, at 09:18 AM, 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> Hi.
>
> I tried to perform the AttributeMap in my config.php as mentioned in the documentation. But until now the renamed attributes are not sent to my web app which uses SimpleSAMLphp for authentication.
>
> I used the core:AttributeMap filter in my config.php (in the authproc.idp section) as you can see in the following listing.
>
> 'authproc.idp' => array(

Is this the IdP or the SP? Because if it’s the SP, that won’t work.

> When I try to authenticate using my web app, I am normally redirected to my CAS server. But after CAS authentication I am still redirected to the CAS login panel.
> In my Apache log I have the following entries.
>
> [Wed Apr 26 22:30:42.651544 2017] [:error] [pid 4635] [client 127.0.0.1:36896] simplesamlphp DEBUG [980a772754] Session: 'auf-cas' not valid because we are not authenticated.
> [Wed Apr 26 22:30:42.652833 2017] [:error] [pid 4635] [client 127.0.0.1:36896] simplesamlphp DEBUG [980a772754] Saved state: '_7ca31f9ce0f629e13649da81447af86e40de2b7c40:https://esfam-elgg.auf.org/simplesaml/module.php/core/as_login.php?AuthId=auf-cas&ReturnTo=https-elgg.auf.org-cas'
> [Wed Apr 26 22:30:53.385086 2017] [:error] [pid 4665] [client 127.0.0.1:36914] simplesamlphp DEBUG [737f6e10aa] Session: 'auf-cas' not valid because we are not authenticated., referer: https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_7ca31f9ce0f629e13649da81447af86e40de2b7c40%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas
> [Wed Apr 26 22:30:53.385700 2017] [:error] [pid 4665] [client 127.0.0.1:36914] simplesamlphp DEBUG [737f6e10aa] Saved state: '_1f23b08889029d42d09899101f42ffb240c717c3a8:https://esfam-elgg.auf.org/simplesaml/module.php/core/as_login.php?AuthId=auf-cas&ReturnTo=https-elgg.auf.org-cas', referer: https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_7ca31f9ce0f629e13649da81447af86e40de2b7c40%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas
>
> Could someone help me? I don't know what's wrong.

That has nothing to do with the attributes’ names. If after successful authentication, SimpleSAMLphp keeps asking you to authenticate, that might indicate a problem with your session cookies. Verify your configuration regarding the session backend in use and its options (session name, path, expiration, etc).

rhemandaddy

Apr 27, 2017, 5:25:42 AM
to SimpleSAMLphp
Hi;

> That has nothing to do with the attributes' names. If after successful authentication, SimpleSAMLphp keeps asking you to authenticate, that might indicate a problem with your session cookies. Verify your configuration regarding the session backend in use and its options (session name, path, expiration, etc).

Thank you for your reply. I really appreciate it.
I have SSP's config.php set up with the following:

'store.type'  => 'sql',
'store.sql.dsn' => 'mysql:host=localhost;dbname=simplesaml',
'store.sql.username' => 'username',
'store.sql.password' => 'MyPassword',
'store.sql.prefix' => 'SimpleSAMLphp',

'session.duration' => 8 * (60 * 60), // 8 hours.
'session.datastore.timeout' => (4 * 60 * 60), // 4 hours
'session.state.timeout' => (60 * 60), // 1 hour
'session.cookie.name' => 'SimpleSAMLSessionIDAUF',
'session.cookie.lifetime' => 0,
'session.cookie.path' => '/tmp/',
'session.cookie.domain' => null,
'session.cookie.secure' => false,
'enable.http_post' => false,
'session.phpsession.cookiename' => 'simplesamlphpauf',
'session.phpsession.savepath' => '/tmp/',
'session.phpsession.httponly' => true,
'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
'session.rememberme.enable' => false,
'session.rememberme.checked' => false,
'session.rememberme.lifetime' => (14 * 86400),

But when I try to authenticate using my web app, I am normally redirected to my CAS server. But after CAS authentication I am still redirected to the CAS login panel.

And when I check the database I have several entries related to my session stored in the database.

I don't know what's wrong.

On Sunday, 23 April 2017 09:20:07 UTC+3, rhemandaddy wrote:

Jaime Perez Crespo

Apr 27, 2017, 5:38:36 AM
to SimpleSAMLphp
Hi,

On 27 Apr 2017, at 11:25 AM, 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> Hi;
>
> That has nothing to do with the attributes’ names. If after successful authentication, SimpleSAMLphp keeps asking you to authenticate, that might indicate a problem with your session cookies. Verify your configuration regarding the session backend in use and its options (session name, path, expiration, etc).
>
> Thank you for you reply. I really appreciate it.
> I have SSP's config.php set up with the following:
>
> 'store.type' => 'sql',
> 'store.sql.dsn' => 'mysql:host=localhost;dbname=simplesaml',
> 'store.sql.username' => 'username',
> 'store.sql.password' => 'MyPassword',
> 'store.sql.prefix' => 'SimpleSAMLphp',
>
> 'session.duration' => 8 * (60 * 60), // 8 hours.
> 'session.datastore.timeout' => (4 * 60 * 60), // 4 hours
> 'session.state.timeout' => (60 * 60), // 1 hour
> 'session.cookie.name' => 'SimpleSAMLSessionIDAUF',
> 'session.cookie.lifetime' => 0,
> 'session.cookie.path' => '/tmp/',

This is the path *in the URL*, not in the filesystem.

> 'session.cookie.domain' => null,

You should set the domain of your IdP explicitly.

> 'session.cookie.secure' => false,

And also set it secure and make your IdP available *only* via HTTPS.

esfa...@gmail.com

Apr 27, 2017, 8:39:56 AM
to SimpleSAMLphp
Hi.

Thank you for your reply. But I really don't know what's wrong.

All my domains are subdomains of the top domain auf.org, and I use only HTTPS.

My domains
  1. https://esfam-sam.auf.org/simplesaml (my SimpleSAMLphp)
  2. https://esfam-cas.auf.org:8443 (my CAS server)
  3. https://esfam-app.auf.org (my web application which uses SimpleSAMLphp for authentication)

Hence I have the following entries in config.php

'session.cookie.domain' => '.auf.org',
'session.cookie.secure' => true,

But when I try to authenticate using my web app, I am normally redirected to my CAS server. But after CAS authentication I am still redirected to the CAS login panel.

And when I check the database I have several entries related to my session stored in the database.

I don't know what's wrong.


Jaime Perez Crespo

May 1, 2017, 8:41:48 AM
to SimpleSAMLphp
Hi,

I already told you what's wrong: 'session.cookie.path' is the path of the URL where you can reach your SimpleSAMLphp installation, not the path in the file system of the server where it is installed. Since the SimpleSAMLphp session cookie must be accessible regardless of whether you call SSP from your app or directly through its web interface, it's probably a good idea to set it to "/".

rhemandaddy

May 2, 2017, 3:34:07 AM
to SimpleSAMLphp
Hi.

Thank you for your reply. I did everything you asked but I still have the same problem.
I have SSP's config.php set up with the following:

'store.type'  => 'sql',
'store.sql.dsn' => 'mysql:host=localhost;dbname=simplesaml',
'store.sql.username' => 'username', 
'store.sql.password' => 'MyPassword',
'store.sql.prefix' => 'SimpleSAMLphp',
'session.duration' => 8 * (60 * 60), // 8 hours.
'session.datastore.timeout' => (4 * 60 * 60), // 4 hours
'session.state.timeout' => (60 * 60), // 1 hour
'session.cookie.name' => 'SimpleSAMLSessionID',
'session.cookie.lifetime' => 0,
'session.cookie.path' => '/',
'session.cookie.domain' => '.auf.org',
'session.cookie.secure' => true,
'enable.http_post' => false,
'session.phpsession.cookiename' => 'SimpleSAML',
'session.phpsession.savepath' => null,
'session.phpsession.httponly' => true,
'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
'session.rememberme.enable' => false, 
'session.rememberme.checked' => false, 
'session.rememberme.lifetime' => (14 * 86400),
All my domains are subdomains of the top domain auf.org, and I use only HTTPS.

My domains
  1. https://esfam-sam.auf.org/simplesaml (my SimpleSAMLphp)
  2. https://esfam-cas.auf.org:8443 (my CAS server)
  3. https://esfam-app.auf.org (my web application which uses SimpleSAMLphp for authentication)

But when I try to authenticate using my web app, I am normally redirected to my CAS server. But after CAS authentication I am still redirected to the CAS login panel. And when I check the database I have several entries related to my session stored in the database. And when I check my Apache log I still have the following entries.

For testing purposes I also tried the following values for 'session.cookie.path' instead of '/': https://esfam-sam.auf.org/simplesaml/ and /simplesaml/, but the error remains the same.

[:error] [pid 4253] [client 127.0.0.1:52584] simplesamlphp DEBUG [eb7ea71652] Session: 'auf-cas' not valid because we are not authenticated.
[:error] [pid 4253] [client 127.0.0.1:52584] simplesamlphp DEBUG [eb7ea71652] Saved state: '_07c3373fa96016eb6342b8a6586b71eae9e29220fe:https://esfam-elgg.auf.org/simplesaml/module.php/core/as_login.php?AuthId=auf-cas&ReturnTo=https-elgg.auf.org-cas'

Jaime Perez Crespo

May 2, 2017, 5:20:35 AM
to simple...@googlegroups.com
Hi again,

On 2 May 2017, at 09:34 AM, 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> Hi.
>
> Thank you for your reply. I did everything you asked but I still have the same problem.
> I have SSP's config.php set up with the following:
>
> 'store.type' => 'sql',
> 'store.sql.dsn' => 'mysql:host=localhost;dbname=simplesaml',
> 'store.sql.username' => 'username',
> 'store.sql.password' => 'MyPassword',
> 'store.sql.prefix' => 'SimpleSAMLphp',
> 'session.duration' => 8 * (60 * 60), // 8 hours.
> 'session.datastore.timeout' => (4 * 60 * 60), // 4 hours
> 'session.state.timeout' => (60 * 60), // 1 hour
> 'session.cookie.name' => 'SimpleSAMLSessionID',
> 'session.cookie.lifetime' => 0,
> 'session.cookie.path' => '/',
> 'session.cookie.domain' => '.auf.org',
> 'session.cookie.secure' => true,
> 'enable.http_post' => false,
> 'session.phpsession.cookiename' => 'SimpleSAML',
> 'session.phpsession.savepath' => null,
> 'session.phpsession.httponly' => true,

The “session.phpsession.*” configuration options are irrelevant if you are not using the PHP session handler.

> 'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
> 'session.rememberme.enable' => false,
> 'session.rememberme.checked' => false,
> 'session.rememberme.lifetime' => (14 * 86400),
>
> All my domains are subdomains of the top domain auf.org, and I use only HTTPS.

You don't need to have all your hosts in subdomains of the same top domain. In fact, that could create trouble if you make your cookies available to the top domain and in two different hosts you are setting the same cookie. I suggest you try setting the cookie domain to the fully qualified domain corresponding to the host where you have SimpleSAMLphp (i.e. esfam-sam.auf.org and esfam-app.auf.org).

> My domains
> • https://esfam-sam.auf.org/simplesaml (my simplesamlphp)
> • https://esfam-cas.auf.org:8443 (my cas-server)
> • https://esfam-app.auf.org (my web application which uses SimpleSAMLphp for authentication)
>
> But when I try to authenticate using my web app, I am normally redirected to my CAS server. But after CAS authentication I am still redirected to the CAS login panel. And when I check the database I have several entries related to my session stored in the database. And when I check my Apache log I still have the following entries.

I also suggest you capture the entire exchange with the SAML tracer plugin in Firefox so that you can see if there's a SAML exchange, as well as all the HTTP requests and responses.

What happens if you test CAS authentication in your IdP via the web interface?

rhemandaddy

May 2, 2017, 6:45:47 AM
to SimpleSAMLphp
I removed the following statements from my config.php file because I am not using phpsession but SQL:

> 'session.phpsession.cookiename' => 'SimpleSAML', 
> 'session.phpsession.savepath' => null, 
> 'session.phpsession.httponly' => true, 

I set the cookie domain to the fully qualified domain corresponding to the host where I have SimpleSAMLphp (esfam-app.auf.org, then esfam-sam.auf.org).
I cannot set the cookie domain to both esfam-app.auf.org and esfam-sam.auf.org because 'session.cookie.domain' does not support array().

When I test CAS authentication in my IdP via the web interface, everything is working perfectly.

rhemandaddy

May 2, 2017, 7:08:52 AM
to SimpleSAMLphp
Content of the exchange captured with the SAML tracer plugin in my Firefox.

GET https://esfam-elgg.auf.org/ HTTP/1.1
Host: esfam-elgg.auf.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: _ga=GA1.2.2091310308.1493191654; __unam=7bc8578-15ba9288d52-220067a2-4; Elgg=eqkssj02av17d2gr9s9chm81c3

HTTP/?.? 302 Found
Date: Tue, 02 May 2017 10:57:08 GMT
Server: Apache/2.4.18 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, post-check=0, pre-check=0, private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Location: https://esfam-elgg.auf.org/saml/login/auf-cas
Vary: User-Agent
Content-Length: 424
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8

GET https://esfam-elgg.auf.org/saml/login/auf-cas HTTP/1.1
Host: esfam-elgg.auf.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: _ga=GA1.2.2091310308.1493191654; __unam=7bc8578-15ba9288d52-220067a2-4; Elgg=eqkssj02av17d2gr9s9chm81c3

HTTP/?.? 302 Found
Date: Tue, 02 May 2017 10:57:09 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: SimpleSAMLSessionID=b8f29d9863bc7b9f80d5c5fffc12e9a0; path=/simplesaml/; domain=esfam-elgg.auf.org; secure; httponly
Location: https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas
Vary: User-Agent
Content-Length: 1331
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8

GET https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas HTTP/1.1
Host: esfam-cas.auf.org:8443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: _ga=GA1.2.2091310308.1493191654; __unam=7bc8578-15ba9288d52-220067a2-4; JSESSIONID=17ADE730CB87462ECC668ABAFCBDAB19

HTTP/?.? 200 
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 02 May 2017 10:57:09 GMT

POST https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas HTTP/1.1
Host: esfam-cas.auf.org:8443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 5032
Referer: https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas
Cookie: _ga=GA1.2.2091310308.1493191654; __unam=7bc8578-15ba9288d52-220067a2-4; JSESSIONID=17ADE730CB87462ECC668ABAFCBDAB19

HTTP/?.? 302 
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Set-Cookie: CASPRIVACY=;path=/cas;Secure;HttpOnly
TGC=eyJhbGciOiJIUzUxMiJ9.WlhsS2FHSkhZMmxQYVVwcllWaEphVXhEU214aWJVMXBUMmxLUWsxVVNUUlJNRXBFVEZWb1ZFMXFWVEpKYmpBdUxsTnlRbE5xVlVWRVEyZExTazh6UlV0WVdXb3lla0V1UWtaRFMwazFjSEpQTTJ0Q1dFWTJURFp6U0c5R1pUUm5ibkZKWW1KTUxWTjRObmg1T0Vob05GbERNV2cwU3pKeE9YSlNUbWsyVkU5RU4ySnNlbTAwVDBNM1NFVjZTVjlEYlRkT2FuTlpRVmQ1UlRCTVNIWTFja1JwWTFKc1VtTXpjMnA0ZFZaUmJFeEhOWEZMZVd4MFNuWnVRelU0TVhkZlZFWjJWMmxHVERKTWRHVmxUM0ZvV0RGQlIyRm9WVXhJVDNrdFIyczFUbEpSUmkxNmJXZEdVMDlRVmxsWWRETkpNVWRqYVdaWk5YVTVlblF3TVhVNFdEVnZZMU5MUzIxM1JrMVhXVVZSZHpOS2ExWkhkems0V2pWc1VYbHpUMU5PYldveGF6ZEViSFJhVjJ4VmRYb3RZa1pxTkM1R05VMWZOVTVLWmpCUVpVRnJRbXB6UjA5TFEzRjM.nWiuP0pwF6IYhvsbBsqiiw-2t7HsQQuP9TpAmetxOl5L7yywpRYDA1ChxkS2uEEHwN4NDdi_5aN-0l2NgdTeGg;path=/cas;Secure;HttpOnly
Location: https://esfam-elgg.auf.org/simplesaml/module.php/cas/linkback.php?stateID=_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%3Ahttps%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcore%2Fas_login.php%3FAuthId%3Dauf-cas%26ReturnTo%3Dhttps%253A%252F%252Fesfam-elgg.auf.org%252Fsaml%252Flogin%252Fauf-cas&ticket=ST-12-Dr0qRTUncgLkdoGvqcDd-esfam-cas.auf.org
Content-Length: 0
Date: Tue, 02 May 2017 10:57:18 GMT

GET https://esfam-elgg.auf.org/simplesaml/module.php/cas/linkback.php?stateID=_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%3Ahttps%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcore%2Fas_login.php%3FAuthId%3Dauf-cas%26ReturnTo%3Dhttps%253A%252F%252Fesfam-elgg.auf.org%252Fsaml%252Flogin%252Fauf-cas&ticket=ST-12-Dr0qRTUncgLkdoGvqcDd-esfam-cas.auf.org HTTP/1.1
Host: esfam-elgg.auf.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas
Cookie: SimpleSAMLSessionID=b8f29d9863bc7b9f80d5c5fffc12e9a0; _ga=GA1.2.2091310308.1493191654; __unam=7bc8578-15ba9288d52-220067a2-4; Elgg=eqkssj02av17d2gr9s9chm81c3

HTTP/?.? 302 Found
Date: Tue, 02 May 2017 10:57:18 GMT
Server: Apache/2.4.18 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, post-check=0, pre-check=0, private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Location: https://esfam-elgg.auf.org/saml/login/auf-cas
Vary: User-Agent
Content-Length: 424
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8

GET https://esfam-elgg.auf.org/saml/login/auf-cas HTTP/1.1
Host: esfam-elgg.auf.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas
Cookie: _ga=GA1.2.2091310308.1493191654; __unam=7bc8578-15ba9288d52-220067a2-4; Elgg=eqkssj02av17d2gr9s9chm81c3

HTTP/?.? 302 Found
Date: Tue, 02 May 2017 10:57:18 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: SimpleSAMLSessionID=85ca80b330c91d969fe8cad38ce01611; path=/simplesaml/; domain=esfam-elgg.auf.org; secure; httponly
Location: https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_9af61f70d8a54ed3a087bd757b0dd3832177a41d6b%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas
Vary: User-Agent
Content-Length: 1331
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8

GET https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_9af61f70d8a54ed3a087bd757b0dd3832177a41d6b%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas HTTP/1.1
Host: esfam-cas.auf.org:8443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas
Cookie: _ga=GA1.2.2091310308.1493191654; __unam=7bc8578-15ba9288d52-220067a2-4; JSESSIONID=17ADE730CB87462ECC668ABAFCBDAB19

HTTP/?.? 200 
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 02 May 2017 10:57:18 GMT

After authentication I am still redirected to the cas-login form for authentication. I attached the exported saml trace.

Thanks a lot for your help
exported_saml_trace.txt

Jaime Perez Crespo

unread,
May 2, 2017, 9:58:28 AM5/2/17
to simple...@googlegroups.com
Hi,

On 2 May 2017, at 13:08 PM, 'rhemandaddy' via SimpleSAMLphp <simple...@googlegroups.com> wrote:
> Content of exchange with the SAML tracer plugin my firefox.
>
> GET https://esfam-elgg.auf.org/saml/login/auf-cas HTTP/1.1
> Host: esfam-elgg.auf.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Cookie: _ga=GA1.2.2091310308.1493191654; __unam=7bc8578-15ba9288d52-220067a2-4; Elgg=eqkssj02av17d2gr9s9chm81c3
>
> HTTP/?.? 302 Found
> Date: Tue, 02 May 2017 10:57:09 GMT
> Server: Apache/2.4.18 (Ubuntu)
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-cache, must-revalidate
> Pragma: no-cache
> Set-Cookie: SimpleSAMLSessionID=b8f29d9863bc7b9f80d5c5fffc12e9a0; path=/simplesaml/; domain=esfam-elgg.auf.org; secure; httponly

^^^^^^^^^^^^^
^^^^^^^^^^^^^

> […]
>
> GET https://esfam-elgg.auf.org/saml/login/auf-cas HTTP/1.1
> Host: esfam-elgg.auf.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://esfam-cas.auf.org:8443/login?service=https%3A%2F%2Fesfam-elgg.auf.org%2Fsimplesaml%2Fmodule.php%2Fcas%2Flinkback.php%3FstateID%3D_50fc1382f7ec55f60891e2fb7cc0ea279c64d9a025%253Ahttps%253A%252F%252Fesfam-elgg.auf.org%252Fsimplesaml%252Fmodule.php%252Fcore%252Fas_login.php%253FAuthId%253Dauf-cas%2526ReturnTo%253Dhttps%25253A%25252F%25252Fesfam-elgg.auf.org%25252Fsaml%25252Flogin%25252Fauf-cas
> Cookie: _ga=GA1.2.2091310308.1493191654; __unam=7bc8578-15ba9288d52-220067a2-4; Elgg=eqkssj02av17d2gr9s9chm81c3
>
> HTTP/?.? 302 Found
> Date: Tue, 02 May 2017 10:57:18 GMT
> Server: Apache/2.4.18 (Ubuntu)
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-cache, must-revalidate
> Pragma: no-cache
> Set-Cookie: SimpleSAMLSessionID=85ca80b330c91d969fe8cad38ce01611; path=/simplesaml/; domain=esfam-elgg.auf.org; secure; httponly

^^^^^^^^^^^^^
> […]
>
> After authentication I am still redirected to the cas-login form for authentication. I attached the exported saml trace.

First of all, there’s no SAML trace here. That’s a regular HTTP trace with no SAML messages at all. You are *NOT* using SAML here. You are just using the IdP directly as if it was an SP. If you want to use SAML, you need to set up an IdP (where you will configure the CAS module) and an SP (where you will configure a SAML SP authentication source). Please, read the documentation.

> I set the cookie domain to the fully qualified domain corresponding to my host where I have SimpleSAMLphp (esfam-app.auf.org then esfam-sam.auf.org )
> I cannot set the cookies domain to both esfam-app.auf.org and esfam-sam.auf.org because 'session.cookie.domain' does not support array().

It doesn’t support an array because you cannot set a cookie for more than one domain. Which is because a server cannot set a cookie for a domain other than its own domain.

SimpleSAMLphp’s configuration is written in PHP. This means if you are sharing one SimpleSAMLphp installation for both the IdP and the SP (which I would recommend you to avoid unless you know what you are doing, which you clearly don’t), you need to figure out the current domain and set the configuration *dynamically* to that current domain.

In any case, a quick glance at the trace you pasted confirms my previous assessment. It’s quite obvious what’s wrong from the trace, and the only explanation for your current configuration and previous attempts trying different configurations at random is that you don’t know how cookies and sessions work. I could easily tell you what’s wrong and specify what you need to set in your configuration for things to be up and running. However, that wouldn’t solve your real issue, that being your lack of understanding of what you are doing, and as soon as you need to do something else, your setup would be broken again.

Therefore, I won’t tell you how to fix your issue; you’ll need to figure it out yourself by learning how cookies and sessions work. Go to Google, search for cookies, and read until you understand how cookies are set by servers and sent back by browsers, as well as how you keep a session in a stateless protocol like HTTP. Once you have done that and you understand how cookies work, come back to this message, and look at the marks I placed in certain parts of your trace. They are marking where cookies are either set by a response from the server, or sent (or *NOT* sent) by the browser in a request. As soon as you understand cookies, you’ll see what’s wrong in that trace, and you’ll know how to fix the issue.

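An added illustration of the cookie mechanics the reply above points at; this is not code from the thread or from SimpleSAMLphp. It is a small model of the RFC 6265 rules a browser applies when it stores a Set-Cookie header and when it decides whether to attach the stored cookie to a later request. The Set-Cookie line and the response URL are taken from the trace quoted above; the follow-up request URLs are constructed for the example, with query strings shortened to a placeholder.

```javascript
// Added example (not from the thread or from SimpleSAMLphp): a minimal model of the
// RFC 6265 rules for storing a cookie and for deciding whether to send it.

function domainMatches(host, domain) {
  // RFC 6265 section 5.1.3: exact match, or host is a subdomain of domain.
  // (IP literals never domain-match a suffix; that corner case is omitted here.)
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

function defaultPath(requestPath) {
  // RFC 6265 section 5.1.4: the request path up to, but not including, its rightmost "/".
  if (!requestPath.startsWith("/")) return "/";
  const idx = requestPath.lastIndexOf("/");
  return idx === 0 ? "/" : requestPath.slice(0, idx);
}

function pathMatches(requestPath, cookiePath) {
  // RFC 6265 section 5.1.4 path-match.
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: null, path: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const k = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const v = i < 0 ? "" : attr.slice(i + 1);
    if (k === "domain") cookie.domain = v.replace(/^\./, "").toLowerCase();
    else if (k === "path") cookie.path = v;
    else if (k === "secure") cookie.secure = true;
    else if (k === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

function storeCookie(responseUrl, header) {
  // RFC 6265 section 5.3: a Domain attribute that the responding host does not
  // domain-match makes the browser ignore the whole cookie. Without a Domain
  // attribute the cookie is host-only; without a Path it gets the default path.
  const url = new URL(responseUrl);
  const c = parseSetCookie(header);
  if (c.domain !== null && !domainMatches(url.hostname, c.domain)) return null;
  return {
    ...c,
    hostOnly: c.domain === null,
    domain: c.domain === null ? url.hostname.toLowerCase() : c.domain,
    path: c.path && c.path.startsWith("/") ? c.path : defaultPath(url.pathname),
  };
}

function wouldSend(cookie, requestUrl) {
  // Returns whether the browser attaches the cookie, and which rule blocks it if not.
  const url = new URL(requestUrl);
  const hostOk = cookie.hostOnly
    ? url.hostname.toLowerCase() === cookie.domain
    : domainMatches(url.hostname, cookie.domain);
  if (!hostOk) return { send: false, reason: "domain" };
  if (!pathMatches(url.pathname, cookie.path)) return { send: false, reason: "path" };
  if (cookie.secure && url.protocol !== "https:") return { send: false, reason: "secure" };
  return { send: true, reason: "ok" };
}

// The Set-Cookie line from the trace, issued in response to the request below.
const TRACE_SET_COOKIE =
  "SimpleSAMLSessionID=85ca80b330c91d969fe8cad38ce01611; path=/simplesaml/; domain=esfam-elgg.auf.org; secure; httponly";
const TRACE_RESPONSE_URL = "https://esfam-elgg.auf.org/saml/login/auf-cas";

// Constructed follow-up requests (query strings replaced by a placeholder).
const REQUESTS = {
  linkback: "https://esfam-elgg.auf.org/simplesaml/module.php/cas/linkback.php?stateID=placeholder",
  appLogin: "https://esfam-elgg.auf.org/saml/login/auf-cas",
  plainHttp: "http://esfam-elgg.auf.org/simplesaml/module.php/core/as_login.php",
  casServer: "https://esfam-cas.auf.org:8443/login",
};

function traceReport() {
  const cookie = storeCookie(TRACE_RESPONSE_URL, TRACE_SET_COOKIE);
  const out = {};
  for (const [label, url] of Object.entries(REQUESTS)) out[label] = wouldSend(cookie, url).reason;
  return out;
}

console.log(traceReport());
```

Run it with `node`; the printed object says, for each constructed request, whether the cookie would be attached (`ok`) and otherwise which scoping rule (`domain`, `path` or `secure`) stopped it. RFC 6265 does let a response set a cookie for a parent domain of its own host (public-suffix restrictions aside), which is what a `cookie.domain` style setting relies on, but never for a sibling host: `storeCookie` returns `null` in that case, matching the point about servers and foreign domains made above.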
rheman puewe

unread,
May 3, 2017, 2:49:28 AM5/3/17
to simple...@googlegroups.com
Hi Jaime Perez Crespo

Sorry for disturbing you about my issues.

I know how sessions work in PHP, but I am not an expert on cookies, and for two days I have been reading a lot of documents about cookies.

- I am using store.type => sql because this will prevent session conflicts between my web app and SimpleSAMLPHP.

- I was not doing a random configuration. This is because it's my first time using simplesamlphp.

- I'm sorry if I let you believe that I was groping in my configurations, because for my very first problem I knew that these were issues related to a self-signed certificate.

I am still reading documents about cookies.

You have already helped me a lot, therefore I would like you to tell me what I need to set in my configuration even if the problem is obvious.

I'm afraid of losing my job if at the end of this day I have no solution.

Thanks a lot.

Best regards.



2017-05-02 16:58 GMT+03:00 Jaime Perez Crespo <jaime...@uninett.no>:
Hi,
--
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlphp+unsubscribe@googlegroups.com.
