multi idp configuration issue
natewallis opened this issue
The default multi-IDP config for 0.8 works fine, but I run into problems when I modify it to use my custom server names. I am still using the Docker image specified in samly_howto, which uses SimpleSAML.
The host I am trying to run from is: federation.mannequin.localhost
I have modified the saml20-sp-remote.php to contain the following:
    <?php
    $metadata['http://federation.mannequin.localhost:4000/sso/sp/metadata'] = array(
        'name' => 'samly_howto',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
        'simplesaml.nameidattribute' => 'uid',
        'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'AssertionConsumerService' => 'http://federation.mannequin.localhost:4000/sso/sp/consume',
        'SingleLogoutService' => array(
            0 => array(
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                'Location' => 'http://federation.mannequin.localhost:4000/sso/sp/logout',
            ),
        ),
        'sign.logout' => true,
        'validate.authnrequest' => true,
        /* 'validate.logout' => true, */
        'certificate' => 'sp/federation_mannequin_localhost/sp.crt',
    );
Here are the development certificates I am using. Please note that while the zip contains a file titled mannequin_localhost.crt, I am renaming it to sp.crt when moving it to the SimpleSAML /setup/sp/federation_mannequin_localhost/ folder.
Here is my config in my phoenix project:
    config :samly, Samly.Provider,
      idp_id_from: :subdomain,
      service_providers: [
        %{
          id: "mannequin",
          #entity_id: "urn:my-host:my-id",
          certfile: "auth/mannequin_localhost.crt",
          keyfile: "auth/mannequin_localhost.pem",
          contact_name: "Samly Howto SP1 Admin",
          contact_email: "sp1-admin@samly.howto",
          org_name: "Samly Howto SP1",
          org_displayname: "Samly Howto SP1 Displayname",
          org_url: "http://mannequin.localhost:4000"
        },
      ],
      identity_providers: [
        %{
          id: "federation",
          sp_id: "mannequin",
          base_url: "http://federation.mannequin.localhost:4000/sso",
          metadata_file: "auth/idp_metadata.xml",
          #pre_session_create_pipeline: SamlyHowtoWeb.Plugs.SamlyPipeline,
          #use_redirect_for_req: true,
          #sign_requests: true,
          #sign_metadata: true,
          #signed_assertion_in_resp: true,
          #signed_envelopes_in_resp: true
        }
      ]
Any ideas what might be going on? Here is the error received in SimpleSAML.
I have debugged this to make sure it's picking up my SP metadata in SimpleSAML, but I couldn't quite figure out where the unhandled exception was being thrown. I haven't changed any other SimpleSAML config.
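Before chasing an exception inside the IdP, it is worth mechanically checking that the two configs above describe the same SP. The script below is an added example for this thread, not code from Samly, samly_simplesaml or SimpleSAMLphp: it transcribes the posted Elixir config and the posted saml20-sp-remote.php entry into plain dicts (constructed data), derives the IdP id from the request host the way `idp_id_from: :subdomain` does (assumed to be the first DNS label, which is consistent with the hostnames in the post), derives the SP endpoints from `base_url` (assumed to be `/sp/metadata`, `/sp/consume`, `/sp/logout`, the layout the poster's own PHP entry uses, with the entity ID defaulting to the metadata URL), assumes Samly's `sign_requests` defaults to true when omitted, and then flags mismatches such as an `entity_id` override that was not mirrored as the `$metadata` key on the IdP side, or an IdP that validates AuthnRequest signatures while the SP does not sign them. It does not claim to be the cause of the poster's exception.

```python
"""Cross-check the Samly SP/IdP settings posted above against the matching
SimpleSAMLphp saml20-sp-remote entry before debugging the IdP's exception.

Constructed example for this thread, not Samly's or SimpleSAMLphp's code.
"""
from urllib.parse import urlparse

# Transcribed from the Elixir config in the post. Samly defaults sign_requests
# to true when the option is omitted (assumption; the post leaves it commented).
SAMLY = {
    "service_providers": {
        "mannequin": {"entity_id": None},  # '#entity_id: "urn:my-host:my-id"' is commented out
    },
    "identity_providers": {
        "federation": {
            "sp_id": "mannequin",
            "base_url": "http://federation.mannequin.localhost:4000/sso",
            "sign_requests": True,
        },
    },
}

# Transcribed from saml20-sp-remote.php: $metadata keyed by SP entity ID.
REMOTE_SPS = {
    "http://federation.mannequin.localhost:4000/sso/sp/metadata": {
        "AssertionConsumerService": "http://federation.mannequin.localhost:4000/sso/sp/consume",
        "SingleLogoutService": "http://federation.mannequin.localhost:4000/sso/sp/logout",
        "validate.authnrequest": True,
    },
}


def idp_id_from_host(host):
    """idp_id_from: :subdomain selects the IdP by the first DNS label of the
    request Host header (assumption about Samly, consistent with the hostnames
    in the post: federation.mannequin.localhost -> "federation")."""
    return host.split(":", 1)[0].split(".", 1)[0]


def expected_sp_endpoints(base_url, entity_id=None):
    """Samly's SP endpoints hang off base_url; the entity ID defaults to the
    metadata URL unless entity_id is set (assumption; this is the layout the
    poster's PHP entry uses)."""
    base = base_url.rstrip("/")
    return {
        "entity_id": entity_id or base + "/sp/metadata",
        "AssertionConsumerService": base + "/sp/consume",
        "SingleLogoutService": base + "/sp/logout",
    }


def check(samly, remote_sps, request_host):
    """Return (severity, message) findings; an empty list means both sides agree."""
    idp_id = idp_id_from_host(request_host)
    idp = samly["identity_providers"].get(idp_id)
    if idp is None:
        return [("error", "no identity_providers entry with id %r for host %s" % (idp_id, request_host))]
    sp = samly["service_providers"].get(idp["sp_id"])
    if sp is None:
        return [("error", "sp_id %r has no service_providers entry" % idp["sp_id"])]
    exp = expected_sp_endpoints(idp["base_url"], sp.get("entity_id"))
    remote = remote_sps.get(exp["entity_id"])
    if remote is None:
        # SimpleSAMLphp finds the SP by the Issuer of the AuthnRequest, so a
        # custom entity_id must also become the $metadata key on the IdP side.
        return [("error", "IdP has no $metadata entry for SP entity ID " + exp["entity_id"])]
    findings = []
    for key in ("AssertionConsumerService", "SingleLogoutService"):
        if remote.get(key) != exp[key]:
            findings.append(("error", "%s: IdP has %s, SP will use %s" % (key, remote.get(key), exp[key])))
    if remote.get("validate.authnrequest") and not idp.get("sign_requests", True):
        findings.append(("error", "IdP validates AuthnRequest signatures but sign_requests is false"))
    if urlparse(exp["AssertionConsumerService"]).scheme != "https":
        findings.append(("warn", "ACS is plain http: the signed assertion is POSTed in the clear"))
    return findings


if __name__ == "__main__":
    for severity, msg in check(SAMLY, REMOTE_SPS, "federation.mannequin.localhost:4000"):
        print(severity, msg)
```

Run against the values posted above, the only finding is the plain-http warning, which is expected for a local development setup; un-commenting the `entity_id` line without changing the `$metadata` key, or hitting the SP on a host whose first label is not a configured IdP id, each produce an error.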
Are you using the latest samly_simplesaml? If so, there is no need to modify saml20-sp-remote.php directly. The setup/params/params.yml should be modified appropriately and docker-compose restarted.
Check the logs:
docker-compose logs setup
docker-compose exec idp sh
cat /tmp/simplesamlphp.log
BTW, not related to this issue, SimpleSAMLphp released a new version. If you want to move to that, you might want to run ./build.sh to create a new Docker image (after removing the current images).
Thanks.
All worked as soon as I used the YAML config file. Not sure what I did to blow it up, but I'll stick with that for now.
Updated the migration instructions with an item covering samly_simplesaml. The templates in samly_simplesaml are set up the way samly_howto expects the configuration to be.
Closing this.