Ich versuche, mit SAML in meiner Web-App zu authentifizieren.Verwendung von SimpleSAML als SP und IDP für Entwicklungsumgebung
Ich folgte den IdP quick start und die SP quick start Führer Benutzer und kam Woth die Konfiguration unter up, die mit fehlschlägt:
Backtrace:
1 /app_path/application/lib/simplesamlphp/www/_include.php:37 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /app_path/application/lib/simplesamlphp/lib/SAML2/Binding.php:81 (SAML2_Binding::getCurrentBinding)
1 /app_path/application/lib/simplesamlphp/modules/saml/lib/IdP/SAML2.php:266 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /app_path/application/lib/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
Setup:
- Meine App läuft lokal mit dem Host: trunk.sam.net
- Simplesaml, SP, ist in der App als Bibliothek enthalten und zugänglich unter: trunk.sam.net/s implesaml
- Simplesaml, IdP, lokal installiert ist und läuft an: auth.sam.net
Beide simplesaml verwenden tatsächlich die gleichen Code und Konfigurationsdateien (sie das gleiche Dokument Wurzel teilen)
Konfiguration:
config.php
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
authsources.php
'default-sp-trunk.sam.net' => array(
'saml:SP',
'entityID' => 'http://trunk.sam.net',
'idp' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
'ssoPortalUrl'=> 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
'bkmapping' => array(
'login' => 'uid',
'eMail' => 'mail'
)
),
'example-userpass' => array(
'exampleauth:UserPass',
'shf:pwd' => array(
'uid' => array('shf'),
'eduPersonAffiliation' => array('mail', '[email protected]')
),
'shl:pwd' => array(
'uid' => array('shl')
),
),
saml20-IDP-hosted.php
$metadata['__DYNAMIC:1__'] = array(
/*
* The hostname for this IdP. This makes it possible to run multiple
* IdPs from the same configuration. '__DEFAULT__' means that this one
* should be used by default.
*/
'host' => '__DEFAULT__',
/*
* The private key and certificate to use when signing responses.
* These are stored in the cert-directory.
*/
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
/*
* The authentication source which should be used to authenticate the
* user. This must match one of the entries in config/authsources.php.
*/
'auth' => 'example-userpass',
/*
* The interoperable SAML 2 profile specifies that attributes should be delivered using the urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat.
* We therefore recommended enabling this in new installations. This can be done by adding the following to the saml20-idp-hosted configuration:
*/
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
// Convert LDAP names to oids.
100 => array('class' => 'core:AttributeMap', 'name2oid'),
),
);
saml20-IDP-remote.php
$metadata['http://auth.sam.net/simplesaml/saml2/idp/metadata.php'] = array (
'entityid' => 'http://auth.sam.net/simplesaml/saml2/idp/metadata.php',
'contacts' =>
array (0 =>
array (
'contactType' => 'technical',
'surName' => 'Administrator',
'emailAddress' => array (0 => '[email protected]'),
),
),
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' => array (0 => array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SSOService.php',
),
),
'SingleLogoutService' =>
array (0 => array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'http://auth.sam.net/simplesaml/saml2/idp/SingleLogoutService.php',
),
),
'ArtifactResolutionService' =>
array (
),
'keys' =>
array (0 => array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
),
1 =>
array (
'encryption' => true,
'signing' => false,
'type' => 'X509Certificate',
'X509Certificate' => 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo',
),
),
);
saml20-sp-remote.php
$metadata['http://trunk.sam.net'] = array (
'AssertionConsumerService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp-trunk.sam.net',
'SingleLogoutService' => 'http://trunk.sam.net/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp-trunk.sam.net',
);
Könnte jemand zeigen Sie mir, was ich falsch gemacht habe?
Fehle ich einen Konfigurationseintrag/Datei?
Sollte ich separate SimpleSaml-Installationen verwenden?
Vielen Dank für Ihre Beratung
Der IDP authentifiziert sich gegen einen Stub (eine Textdatei, die Benutzer und Passwörter auflistet), da das gesamte Setup für Entwicklungs- und Testzwecke gedacht ist. – samo
OK - gleiche Frage - Warum brauchen Sie die SimpleSAML SP? – nzpcmad