Invalid array settings: idp_sso_url_invalid, idp_slo_url_invalid #77

Open

bunlongheng opened this issue Mar 13, 2017 · 1 comment

@bunlongheng

I kept getting this error

```
OneLogin_Saml2_Error in Settings.php line 121:
Invalid array settings: idp_sso_url_invalid, idp_slo_url_invalid
```

and here are my settings

```php
<?php

// This variable is an example - just make sure that the URLs in the 'idp' config are ok.
$idp_host = 'https://identityfederation.uat.connect.company/fed/idp';

return $settings = array(

/**
 * If 'useRoutes' is set to true, the package defines five new routes:
 *
 *    Method | URI                      | Name
 *    -------|--------------------------|------------------
 *    POST   | {routesPrefix}/acs       | saml_acs
 *    GET    | {routesPrefix}/login     | saml_login
 *    GET    | {routesPrefix}/logout    | saml_logout
 *    GET    | {routesPrefix}/metadata  | saml_metadata
 *    GET    | {routesPrefix}/sls       | saml_sls
 */
'useRoutes' => true,

'routesPrefix' => '/samlv20',

/**
 * Which middleware group to use for the SAML routes.
 * Laravel 5.2 will need a group which includes StartSession.
 */
'routesMiddleware' => [],

/**
 * Indicates how the parameters will be
 * retrieved from the SLS request for signature validation.
 */
'retrieveParametersFromServer' => false,

/**
 * Where to redirect after logout.
 */
'logoutRoute' => '/',

/**
 * Where to redirect after login if no other option was provided.
 */
'loginRoute' => '/admin/dashboard',

/**
 * Where to redirect after an error if no other option was provided.
 */
'errorRoute' => '/',

/*****
 * OneLogin Settings
 */

// If 'strict' is true, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted.
// It will also reject messages that do not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => true, //@todo: make this depend on laravel config

// Enable debug mode (to print errors)
'debug' => false, //@todo: make this depend on laravel config

// Service Provider Data that we are deploying
'sp' => array(

    // Specifies constraints on the name identifier to be used to
    // represent the requested subject.
    // Take a look at lib/Saml2/Constants.php to see the NameIdFormats supported
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

    // Usually x509cert and privateKey of the SP are provided by files placed in
    // the certs folder. But we can also provide them with the following parameters
    'x509cert' => '/benudata/certificates/testserver.benunets.com.cert.pem',
    'privateKey' => '/benudata/certificates/testserver.benunets.com.key.pem',

    // Identifier (URI) of the SP entity.
    // Leave blank to use the 'saml_metadata' route.
    'entityId' => 'testserver.benunets.com',

    // Specifies info about where and how the <AuthnResponse> message MUST be
    // returned to the requester, in this case our SP.
    'assertionConsumerService' => array(
        // URL Location where the <Response> from the IdP will be returned,
        // using HTTP-POST binding.
        // Leave blank to use the 'saml_acs' route
        'url' => 'https://testserver.benunets.com/admin/secure/dashboard',
    ),
    // Specifies info about where and how the <Logout Response> message MUST be
    // returned to the requester, in this case our SP.
    'singleLogoutService' => array(
        // URL Location where the <Response> from the IdP will be returned,
        // using HTTP-Redirect binding.
        // Leave blank to use the 'saml_sls' route
        'url' => 'https://testserver.benunets.com/admin/login/error',
    ),
),

// Identity Provider Data that we want to connect with our SP
'idp' => array(
    // Identifier of the IdP entity (must be a URI)
    'entityId' => 'Telenet',
    // SSO endpoint info of the IdP. (Authentication Request protocol)
    'singleSignOnService' => array(
        // URL Target of the IdP where the SP will send the Authentication Request Message,
        // using HTTP-Redirect binding.
        'url' => 'https://identityfederation.uat.connect.company/fed/idp/samlv20',
    ),
    // SLO endpoint info of the IdP.
    'singleLogoutService' => array(
        // URL Location of the IdP where the SP will send the SLO Request,
        // using HTTP-Redirect binding.
        'url' => 'https://identityfederation.uat.connect.company/fed/idp/samlv20',
    ),
    // Public x509 certificate of the IdP
    'x509cert' => '****',
    /*
     *  Instead of using the whole x509cert you can use a fingerprint
     *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
     */
    // 'certFingerprint' => 'Telenet need to provided',
),

/***
 *
 *  OneLogin advanced settings
 *
 */
// Security settings
'security' => array(

    /** signatures and encryptions offered */

    // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
    // will be encrypted.
    'nameIdEncrypted' => false,

    // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
    // will be signed.              [The Metadata of the SP will offer this info]
    'authnRequestsSigned' => false,

    // Indicates whether the <samlp:logoutRequest> messages sent by this SP
    // will be signed.
    'logoutRequestSigned' => false,

    // Indicates whether the <samlp:logoutResponse> messages sent by this SP
    // will be signed.
    'logoutResponseSigned' => false,

    /* Sign the Metadata
     False || True (use sp certs) || array (
                                                keyFileName => 'metadata.key',
                                                certFileName => 'metadata.crt'
                                            )
    */
    'signMetadata' => false,

    /** signatures and encryptions required **/

    // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
    // <samlp:LogoutResponse> elements received by this SP to be signed.
    'wantMessagesSigned' => false,

    // Indicates a requirement for the <saml:Assertion> elements received by
    // this SP to be signed.        [The Metadata of the SP will offer this info]
    'wantAssertionsSigned' => false,

    // Indicates a requirement for the NameID received by
    // this SP to be encrypted.
    'wantNameIdEncrypted' => false,

    // Authentication context.
    // Set to false and no AuthnContext will be sent in the AuthnRequest.
    // Set true or omit this parameter and you will get an AuthnContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'.
    // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
    'requestedAuthnContext' => true,
),

// Contact information template; it is recommended to supply technical and support contacts
'contactPerson' => array(
    'technical' => array(
        'givenName' => 'name',
        'emailAddress' => 'no@reply.com'
    ),
    'support' => array(
        'givenName' => 'Support',
        'emailAddress' => 'no@reply.com'
    ),
),

// Organization information template; the info in en_US lang is recommended, add more if required
'organization' => array(
    'en-US' => array(
        'name' => 'Name',
        'displayname' => 'Display Name',
        'url' => 'http://url'
    ),
),

/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current

'authnRequestsSigned' => false, // SP SHOULD NOT sign the samlp:AuthnRequest,
// MUST NOT assume that the IdP validates the signature
'wantAssertionsSigned' => true,
'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPS is disabled
'wantNameIdEncrypted' => false,
*/

);
```

How can I prevent that?

@bunlongheng bunlongheng changed the title OneLogin_Saml2_Error in Settings.php line 121: Invalid array settings: idp_sso_url_invalid, idp_slo_url_invalid Invalid array settings: idp_sso_url_invalid, idp_slo_url_invalid Mar 13, 2017
@peetersdiet

I guess it's not really relevant anymore, so I'll just leave this comment for future reference.

I see your config is not correct in at least one way: you cannot set the certificate/private keys as file references. You need to specify the actual contents of the cert/key. If you do want to reference files, you can incorporate PR #104 into your codebase (until it gets merged).

Btw.: I see you did not scrub your example thoroughly enough. There is still a reference (idp > entityId) to which company you're trying to connect. Not that it's harmful, if the info is not confidential. Just a heads up.
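A pre-flight check that reproduces the two problems raised in this thread (the `idp_sso_url_invalid` / `idp_slo_url_invalid` codes from the error in the original post, and the cert/private-key-as-file-path mistake pointed out in the comment above) so a deployer can catch them before the toolkit throws. This is an added example, not code from the issue, from php-saml or from the Laravel package; it is written in Python rather than PHP so it can run stand-alone. The sample settings, hostnames and PEM placeholders are constructed for this example, and the error codes other than the two quoted in the issue are assumed names in the same style, not the toolkit's own. The URL rule (absolute http(s) URL with a host and no whitespace) is an assumption that is at least as strict as PHP's `FILTER_VALIDATE_URL`, so anything it accepts the toolkit would also accept.

```python
"""Offline sanity check of a php-saml style settings array (added example)."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# A PEM body starts with a BEGIN armour line; a filesystem path does not.
PEM_BEGIN = re.compile(r"-----BEGIN [A-Z ]+-----")


def url_is_valid(url: str) -> bool:
    """Accept only absolute http(s) URLs with a host and no whitespace (assumed rule)."""
    if not url or any(ch.isspace() for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def looks_like_pem(value: str) -> bool:
    """True when the value is certificate/key material rather than a path to it."""
    return bool(value) and PEM_BEGIN.match(value.strip()) is not None


def check_settings(settings: Dict) -> List[str]:
    """Return the list of problems found, using the toolkit's error-code style."""
    errors: List[str] = []
    idp = settings.get("idp", {})
    sp = settings.get("sp", {})

    if not idp.get("entityId"):
        errors.append("idp_entityId_not_found")          # assumed code name
    sso = idp.get("singleSignOnService", {}).get("url")
    if not sso:
        errors.append("idp_sso_not_found")               # assumed code name
    elif not url_is_valid(sso):
        errors.append("idp_sso_url_invalid")             # code quoted in the issue
    slo = idp.get("singleLogoutService", {}).get("url")
    if slo and not url_is_valid(slo):
        errors.append("idp_slo_url_invalid")             # code quoted in the issue
    if not idp.get("x509cert") and not idp.get("certFingerprint"):
        errors.append("idp_cert_or_fingerprint_missing")  # assumed code name

    # The point made in the comment: the SP cert and key must be PEM contents,
    # not references to files on disk.
    for key in ("x509cert", "privateKey"):
        value = sp.get(key, "")
        if value and not looks_like_pem(value):
            errors.append("sp_%s_not_pem_content" % key)  # assumed code name
    return errors


def posted_settings() -> Dict:
    """Constructed stand-in for the issue's array, with hosts scrubbed to example.com."""
    return {
        "sp": {
            "entityId": "sp.example.com",
            "x509cert": "/etc/ssl/sp.cert.pem",    # file path, as in the issue
            "privateKey": "/etc/ssl/sp.key.pem",   # file path, as in the issue
            "assertionConsumerService": {"url": "https://sp.example.com/samlv20/acs"},
            "singleLogoutService": {"url": "https://sp.example.com/samlv20/sls"},
        },
        "idp": {
            "entityId": "https://idp.example.com/fed/idp",
            "singleSignOnService": {"url": "https://idp.example.com/fed/idp/samlv20"},
            "singleLogoutService": {"url": "https://idp.example.com/fed/idp/samlv20"},
            "x509cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
        },
    }


def corrected_settings() -> Dict:
    """Same array with the SP material inlined as PEM contents (placeholders)."""
    s = posted_settings()
    s["sp"]["x509cert"] = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"
    s["sp"]["privateKey"] = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----"
    return s


if __name__ == "__main__":
    print("as posted:", check_settings(posted_settings()))
    print("corrected:", check_settings(corrected_settings()))
    broken = corrected_settings()
    broken["idp"]["singleSignOnService"]["url"] = "idp.example.com/fed/idp/samlv20"
    print("scheme-less IdP URL:", check_settings(broken))
```

Run it as a script to see the three outcomes: the array as posted fails only on the two SP file paths, the corrected array passes, and an IdP URL that lacks its `https://` scheme (the usual cause of `idp_sso_url_invalid`) is reported before any SAML traffic is exchanged.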
