SimpleSamlPhp as SP redirects incorrectly


There are some possible problems with your IdP metadata. SimpleSAMLphp includes a Metadata parser which does the work of converting the IdP configuration details to the required format for SimpleSAMLphp. This functionality is mentioned briefly in the SimpleSAMLphp documentation here: https://simplesamlphp.org/docs/1.8/simplesamlphp-sp#section_2

Based on your example above you should be able to access the metadata parser at https://www.fbjni.com/simplesaml/admin/metadata-converter.php.

In your particular example above, download the OneLogin metadata from https://app.onelogin.com/saml/metadata/391645 and copy this XML into the Metadata parser in your SimpleSAMLphp installation.

Once you've converted the metadata, replace your existing IdP configuration above with the output from the Metadata parser, which should look more like this:

$metadata['https://app.onelogin.com/saml/metadata/391645'] = array (
  'entityid' => 'https://app.onelogin.com/saml/metadata/391645',
  'contacts' => 
  array (
    0 => 
    array (
      'contactType' => 'technical',
      'surName' => 'Support',
      'emailAddress' => 
      array (
        0 => '[email protected]',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://app.onelogin.com/trust/saml2/http-post/sso/391645',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://app.onelogin.com/trust/saml2/http-post/sso/391645',
    ),
    2 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
      'Location' => 'https://app.onelogin.com/trust/saml2/soap/sso/391645',
    ),
  ),
  'SingleLogoutService' => 
  array (
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIEJjCCAw6gAwIBAgIUHyryf8tYCgBMvr2nihtEA3NFrQEwDQYJKoZIhvcNAQEF...',
    ),
  ),
);

Additionally you should make some changes to your authsources.php configuration. The 'entityID' of your SP is typically the URL of your application, not the identifier of your chosen IdP. You can specify a default IdP for the SP as seen below:

'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://www.fbjni.com/',
    'RelayState' => 'https://www.fbjni.com/',
    'idp' => 'https://app.onelogin.com/saml/metadata/391645'
),
Ben Green

Updated on June 15, 2022

Comments

  • Ben Green almost 2 years

    I have a SimpleSamlPHP implementation working as a Service Provider, so the workflow is as follows:

    IdP sends assertion to my ACS URL:

    /simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

    but then it looks like he authenticates and gets redirected to

    /simplesaml/module.php/saml/sp/saml2-acs.php

    which throws an error, as there is no authsource (the /default-sp part) specified:

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
    Backtrace:
    0 *\simplesamlphp\www\module.php:180 (N/A)
    Caused by: SimpleSAML_Error_Exception: No authentication source with id false found.
        Backtrace:
        2 *\simplesamlphp\lib\SimpleSAML\Auth\Source.php:242 (SimpleSAML_Auth_Source::getById)
        1 *\simplesamlphp\modules\saml\www\sp\saml2-acs.php:8 (require)
        0 *\simplesamlphp\www\module.php:135 (N/A)
    

    But it also outputs a set of PHP errors to the page too:

    Warning: array_key_exists(): The first argument should be either a string or an integer in *\simplesamlphp\lib\SimpleSAML\Configuration.php on line 314 
    Warning: Cannot modify header information - headers already sent by (output started at *\simplesamlphp\lib\SimpleSAML\Configuration.php:314) in *\simplesamlphp\lib\SimpleSAML\Error\Error.php on line 191 
    Warning: Cannot modify header information - headers already sent by (output started at *\simplesamlphp\lib\SimpleSAML\Configuration.php:314) in *\simplesamlphp\templates\includes\header.php on line 40
    

    (I've taken out the directory path and replaced with * - it's not that normally)

    I can't work out if it's a bug with SimpleSamlPHP or if it's (far more likely) an incorrect setup. My authsources and metadata are as follows:

    saml20-idp-remote.php:

    $metadata['https://app.onelogin.com/saml/metadata/391645'] = array(
        'name' => 'FSSO',
        'SingleSignOnService' => 'https://app.onelogin.com/trust/saml2/http-post/sso/391645',
        'AssertionConsumerservice' => 'https://www.fbjni.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        'SingleLogoutService' => 'https://www.fbjni.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
        'certData'          => '[rawCertificateData]'
    );
    

    authsources.php:

    'default-sp' => array(
        'saml:SP',
        'RelayState' => 'https://www.fbjni.com/',
        'entityID' => 'https://app.onelogin.com/saml/metadata/391645',
    ),