Authsource must be of type saml:SP. #1938
Comments
|
I have created an issue on the SSP project to ask for guidance. I see it as well if I configure to use an auth source directly instead of a saml:SP in authsources.php |
|
I don't know much about saml. I would just like to authorize Filesender users with our Active Directory. With simplesamlphp v1.19.9 I configured LDAP IDp authsource and called it within filesender config. With simplesamlphp v2.2.2 this is not posible anymore. If I understand correctly I should define SP authsource in simplesamlphp? My question is how should I configure simplesamlphp v2.2.2 as Service Provider for our Active Directory? Could you give me a hint, or even better point me to the tutorial how to do it? |
|
I am still coming up to speed on SAML so this is only for your entertainment rather than explicit knowledge of how it should be done... In the SSP 1.x days I too was just authenticating directly with an authsource for local development purposes. Loosely the Service Provider (SP) is the application that wants to authenticate users and the IdP (Identity Provider) knows how to authenticate that a person is who they claim to be. So in this case FileSender is the SP. You can setup SSP as a Service Provider (SP) following this part of the docs https://simplesamlphp.org/docs/stable/simplesamlphp-sp.html Then you can add an IdP (Identity Provider) using these docs https://simplesamlphp.org/docs/stable/simplesamlphp-idp It is the identity provider that should be using an authsource such as at https://simplesamlphp.org/docs/stable/simplesamlphp-idp#configuring-the-authentication-module A bit lower in the page you can see the IdP linked with the authsource IIRC there was something about not using the same SSP install as both SP and IdP but I am failing to find that reference again right now. It is worth double checking that. There is an explicit mention that the hostname should be different between SP and IdP here https://simplesamlphp.org/docs/stable/simplesamlphp-idp#testing-the-idp You will also have to exchange metadata between your SP and IdP and setup the keys etc to allow them to sign and verify their assertions. The ssp/admin page is your friend. Not only to see what the metadata and configuration is looking like but to also run a test login session. I have a test configuration where FileSender points at My filesender config/config.php has parts like the following. In this case I am digging out the uid and email explicitly from the returned information. You can see those keys from the admin/ page in the test login for the default-sp if you need to adjust. |
|
in my test environment i run two different SSPs one is the SP much like we would run in production the other is an idp which does its own auth (eg LDAP, sql, etc). I then "register" the idp on the SP. Can it be done a cleaner way? Maybe, but this aligns better with how our production is without adding extra configs to the SP |
|
In the past I was happy to just hit and authsource directly in my dev machine. I always thought real deployments would have big iron setups and proper configurations :) |
|
Another option might be to use some docker stuff to help with the SP/IdP separation. So the SSP for FileSender would be configured as an SP and the docker image would provide your IdP. |
I came to the point where I must exchange metadata between SP and IdP. The simplesamlphp documentation, doesn't tell where to put the SP metadata on IDP host.
If I put them in saml20-sp-remote.php file I get this error: SimpleSAML\Error\MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => 'MySP') when I try to test authentication on SP host. |
|
I succesfuly manged to implement SimpleSAMLphp v 2.2.2 as SP for KeyCloak as IdP. |
Hello i have working Filesender installation. Which works with simplesamlphp v1.9.9. But when I upgrade to simplesamlphp v2.2.2. If I authenticate in simplesamlphp with my ldap I can work in filesender. But if I logout or logon directly I get thdi error from simplesamlphp:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
2 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
1 vendor/symfony/error-handler/ErrorHandler.php:535 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
0 [builtin] (N/A)
Caused by: SimpleSAML\Error\Exception: Authsource must be of type saml:SP.
Backtrace:
5 modules/saml/src/Controller/ServiceProvider.php:112 (SimpleSAML\Module\saml\Controller\ServiceProvider::login)
4 vendor/symfony/http-kernel/HttpKernel.php:181 (Symfony\Component\HttpKernel\HttpKernel::handleRaw)
3 vendor/symfony/http-kernel/HttpKernel.php:76 (Symfony\Component\HttpKernel\HttpKernel::handle)
2 vendor/symfony/http-kernel/Kernel.php:197 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)
I assume, that my filesender configuration isn't valid, this parameter are in config.php
$config['auth_sp_saml_simplesamlphp_url'] ='https://xxx.xxx.si/simplesaml/'; // Url of simplesamlphp
$config['auth_sp_saml_simplesamlphp_location'] ='/opt/filesender/simplesaml/'; // Location of simplesamlphp libraries
$config['auth_sp_saml_uid_attribute'] = 'sAMAccountName';
$config['auth_sp_saml_authentication_source'] = 'example-ldap';
The text was updated successfully, but these errors were encountered: