Jaydp

Reputation: 1039

SimplesamlPHP infinite redirection

I'd set up SimpleSAMLphp on my localhost as 3 different virtual hosts.

1. http://idp-saml.com
2. http://sp-saml.com
3. http://api-saml.com

When I tried to connect to idp-saml.com using sp-saml.com, it worked fine.

Now, I want to integrate it with my own application api-saml.com.

For that, I followed the steps below:

  1. Create an "authsource" on sp-saml.com in 'authsources.php':

     'sp1' => array(
         'saml:SP',
         'privatekey' => 'sp-saml.pem',
         'certificate' => 'sp-saml.crt',
         'entityID' => 'http://api-saml.com',
         'idp' => 'http://idp-saml.com',
     )

  2. Now, go to the Federation page, click on the "SP1" metadata and copy the SAML 2.0 Metadata XML.

  3. Then go to idp-saml.com, open metadata-converter.php and parse the SAML 2.0 Metadata XML.

  4. Copy both shib13-sp-remote and saml20-sp-remote into metadata\shib13-sp-remote.php and metadata\saml20-sp-remote.php on the idp-saml.com virtual host. I can now see api-saml.com under the Federation tab in the SAML 2.0 SP Metadata (Trusted) section.

https://www.screencast.com/t/424rmDxRlRfV

  5. Now, go to the api-saml.com directory, create index.php and add the code below:

<?php
// Load the SimpleSAMLphp autoloader from the sp-saml checkout
require_once('sp-saml/lib/_autoload.php');

// Use the 'sp1' authsource defined in authsources.php
$saml_auth = new SimpleSAML_Auth_Simple('sp1');

if ($saml_auth->isAuthenticated()) {
    // Already logged in: show the attributes released by the IdP
    $attributes = $saml_auth->getAttributes();
    var_dump($attributes);
} else {
    // Not logged in: send the user to the IdP and come back here afterwards
    $saml_auth->requireAuth();
}

  6. Now, I tried to access http://api-saml.com; it goes to idp-saml.com and asks me for login credentials. After entering the credentials it does not redirect me back to api-saml.com and behaves like an infinite redirection. You can see https://www.screencast.com/t/VGhDHE1j

Upvotes: 3

Views: 1860

Answers (1)

Patrick

Reputation: 3981

Your app and the authsource SP metadata should be on the same domain. Your steps 1 and 2 should download the metadata from http://api-saml.com/simplesaml/... rather than from a domain that is distinct from your app.

The SP metadata contains information on authorized Assertion Consumer Service (ACS) URLs, and the metadata you are generating and then loading into the IdP only lists paths under http://sp-saml.com as legitimate return URLs. When you attempt to use the authsource from a different domain, the IdP sees an unauthorized return URL, ignores it and instead uses the one from the metadata, which isn't what you want.

Upvotes: 1
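As an added illustration of the answer above (example code, not from the question or from SimpleSAMLphp itself), this models the IdP-side check: the SP metadata is reduced to its ACS endpoint, and the ACS path and metadata layout are assumed, simplified from what SimpleSAMLphp publishes for a saml:SP authsource.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Assumed ACS path for the 'sp1' authsource (constructed for this example).
ACS_PATH = "/simplesaml/module.php/saml/sp/saml2-acs.php/sp1"


def sp_metadata(acs_host):
    """Constructed SP metadata. The ACS host is the only thing that changes
    depending on which virtual host generated the metadata."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'entityID="http://api-saml.com">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AssertionConsumerService '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="http://{acs_host}{ACS_PATH}" index="0"/>'
        '</md:SPSSODescriptor>'
        '</md:EntityDescriptor>'
    )


def registered_acs_urls(metadata_xml):
    """ACS Locations the IdP trusts for this SP, taken from its metadata."""
    root = ET.fromstring(metadata_xml)
    return [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    ]


def resolve_acs(metadata_xml, requested_acs):
    """Model of the IdP decision described in the answer: honour the ACS URL the
    SP asked for only if it is registered, otherwise fall back to the first
    registered one. Returns (url_used, request_was_honoured)."""
    trusted = registered_acs_urls(metadata_xml)
    if requested_acs in trusted:
        return requested_acs, True
    return trusted[0], False


def demo():
    # Metadata generated on sp-saml.com, request coming from api-saml.com:
    # the IdP posts the response back to sp-saml.com, so api-saml.com never
    # receives a session and keeps redirecting to the IdP.
    broken = resolve_acs(sp_metadata("sp-saml.com"), "http://api-saml.com" + ACS_PATH)
    # Metadata generated on api-saml.com itself: the requested ACS is honoured.
    fixed = resolve_acs(sp_metadata("api-saml.com"), "http://api-saml.com" + ACS_PATH)
    return broken, fixed
```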
