
Re: ZXID SP & SimpleSamlPHP



Dubravko Sever <Dubravko.Sever@xxxxxxx> said:
> Hi,
> 
> I'm trying to integrate ZXID SP using SimpleSamlPHP IDP (we are not using encrypted assertion). But I can't find any useful documentation about that, and I see the community is not so active (even on FAQ you said that it can be 

The right place to ask questions is zxid.user@xxxxxxxxxxxxx
mailing list. Please join the list.

> integrated). So I want to ask you do you have some kind of documentation?
> 

What kind of documentation are you looking for? Which part of the
existing documentation did you try and why was it not helpful?

Have you tried the ZXID Book link on zxid.org web site?

Generally the easiest method is the Well Known Location method if
the IdP supports it. In this scenario you introduce the IdP's
entity ID URL to the ZXID SP user interface field for logging
in with New IdP. But before you do that, you should check if the
URL in fact delivers the SAML metadata. During the first login,
the IdP then fetches the SP metadata from SP's entityID URL.
It is all automatic, described in SAML specs, and works like a
marvel if both sides support it.

If that does not work, you can import the IdP metadata to ZXID SP
using the zxcot tool (see zxcot -h for documentation), e.g.:

./zxcot -a <idp-metadata.xml

How you would introduce the IdP metadata to SimpleSAMLPHP should
be described in their documentation and quite frankly I do not
remember other than that it did not follow any standard method
like Well Known Location.

You can always produce the ZXID SP metadata either by accessing
the entity ID URL, such as https://yourdomain.com/protected/saml?o=B
(actual URL depends on your configuration - in default IdP selection
page the URL is provided as a link you can just click) or by
running zxcot -m

> And at the beginning I've stuck with error of broken XML SAML request...
> 
> I get this in SAML tracer:
> <parsererror>
>     <sourcetext><sp:AuthnRequest xmlns:sp=&qout;urn:oasis:names:tc:SAML:2.0:protocol&qout; Destination=&qout;https://XXXXXX/SSOService.php&qout; ID=&qout;Ngf6niyTEF-mPZXDszFgCrN1I&qout; IssueInstant=&qout;2012-11-05T10:59:41Z&qout; ProviderName=&qout;&qout;VPS&qout;&qout; Version=&qout;2.0&qout;><sa:Issuer xmlns:sa=&qout;urn:oasis:names:tc:SAML:2.0:assertion&qout;>1</sa:Issuer><sp:NameIDPolicy AllowCreate=&qout;1&qout; Format=&qout;urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&qout;></sp:NameIDPolicy></sp:AuthnRequest>
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------^</sourcetext>
> </parsererror>
> 
> I'm using last version of mod_auth_saml, Centos 5.8.

Last meaning 1.05?

The message you quote is from SimpleSAMLPHP IdP side, I presume. Which
version of SimpleSAMLPHP?

It seems the message is somehow garbled by HTML entity quoting. In normal
XML message there should not be any entity quoting whatsoever. In your
case even the quoting seems to be done wrong in that double quote
should correspond to &quot; (ampersand followed by letters q-u-o-t and
semicolon) while your message has &qout; (ampersand followed by letters
q-o-u-t and semicolon).

The sp:AuthnRequest@ProviderName XML attribute seems to use quadruple
quoting. Surely this is some sort of config error.

Apart from this I cannot see any invalid XML in the message.

I think you need to describe the whole setup, including what web server
you are using in each end and how you obtained the error message dump.
Somewhere in that chain there is some evil piece of code that introduces
the HTML entity quoting and I can assure you it is not ZXID.

Cheers,
--Sampo

> Thanks in advance
> 
> Dubravko
> 
> 
> -- 
> Dubravko Sever
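Two of the steps in the reply above lend themselves to a small script: checking that the IdP's entityID URL really delivers SAML metadata before trying the Well Known Location method, and working out why a captured AuthnRequest fails to parse. The following Python is an added example for this thread, not ZXID, zxcot or SimpleSAMLphp code. The metadata sample, the idp.example.org host and paths, and the certificate placeholder are constructed; the captured fragment is the one from the post, with its redacted host kept as-is, and RECONSTRUCTED is my guess at what it looked like before something re-escaped it.

```python
"""Pre-flight checks for pairing a ZXID SP with a SimpleSAMLphp IdP (added example).

1. Does the body served at the IdP's entityID URL look like usable IdP metadata?
2. Why does a captured <samlp:AuthnRequest> not parse, and is entity quoting the cause?
The inputs at the bottom are constructed; swap in what you fetch or capture.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
XML_ENTITIES = {"quot", "amp", "lt", "gt", "apos"}         # the only named entities XML defines
ENTITY_RE = re.compile(r"&(#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);")
DOUBLE_QUOTE_RE = re.compile(r'(\w+)=(&[A-Za-z]+;|")\2')  # attr=""...  or  attr=&x;&x;...


def check_idp_metadata(xml_text, entity_id_url):
    """Check that the body fetched from entity_id_url (over HTTPS, size-capped)
    is SAML 2.0 IdP metadata an SP can pair with automatically."""
    r = {"ok": False, "findings": [], "sso": {}}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        r["findings"].append(f"not XML: {e}")
        return r
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        r["findings"].append(f"root is {root.tag}, not md:EntityDescriptor")
        return r
    if root.get("entityID") != entity_id_url:
        # Well Known Location relies on entityID being the URL the metadata came from
        r["findings"].append(f"entityID {root.get('entityID')!r} differs from {entity_id_url!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        r["findings"].append("no md:IDPSSODescriptor: this is not IdP metadata")
        return r
    r["sso"] = {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)}
    if not r["sso"]:
        r["findings"].append("no md:SingleSignOnService: nowhere to send the AuthnRequest")
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        r["findings"].append("no X509Certificate: IdP responses cannot be signature-checked")
    r["ok"] = not r["findings"]
    return r


def diagnose_authn_request(captured):
    """Explain why a captured AuthnRequest does not parse. On the wire it is plain
    XML: a named entity outside the five XML ones, or an attribute quoted twice,
    means something upstream HTML-escaped the message a second time."""
    r = {"well_formed": False, "findings": [], "issuer": None, "destination": None}
    bad = sorted({m.group(1) for m in ENTITY_RE.finditer(captured)
                  if not m.group(1).startswith("#") and m.group(1) not in XML_ENTITIES})
    if bad:
        r["findings"].append("undefined entities: " + ", ".join(f"&{b};" for b in bad))
    for m in DOUBLE_QUOTE_RE.finditer(captured):
        r["findings"].append(f"attribute {m.group(1)} is quoted twice")
    try:
        root = ET.fromstring(captured)
    except ET.ParseError as e:
        r["findings"].append(f"parser: {e}")
        return r
    r["well_formed"] = True
    r["issuer"] = root.findtext("saml:Issuer", default="", namespaces=NS)
    r["destination"] = root.get("Destination")
    if not r["issuer"].startswith(("http://", "https://")):
        # with Well Known Location the IdP fetches SP metadata from the Issuer (entityID) URL
        r["findings"].append(f"Issuer {r['issuer']!r} is not an entityID URL")
    return r


# ---- constructed inputs (assumptions, not data from any real deployment) ----
IDP_URL = "https://idp.example.org/simplesaml/saml2/idp/metadata.php"
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{IDP_URL}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.org/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The fragment shown by the tracer in the post (host redacted there, kept as-is).
CAPTURED = (
    "<sp:AuthnRequest xmlns:sp=&qout;urn:oasis:names:tc:SAML:2.0:protocol&qout; "
    "Destination=&qout;https://XXXXXX/SSOService.php&qout; ID=&qout;Ngf6niyTEF-mPZXDszFgCrN1I&qout; "
    "IssueInstant=&qout;2012-11-05T10:59:41Z&qout; ProviderName=&qout;&qout;VPS&qout;&qout; "
    "Version=&qout;2.0&qout;><sa:Issuer xmlns:sa=&qout;urn:oasis:names:tc:SAML:2.0:assertion&qout;>1"
    "</sa:Issuer><sp:NameIDPolicy AllowCreate=&qout;1&qout; "
    "Format=&qout;urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&qout;></sp:NameIDPolicy>"
    "</sp:AuthnRequest>"
)
# My reconstruction of the same request with the extra quoting layer undone.
RECONSTRUCTED = CAPTURED.replace("&qout;", '"').replace('""VPS""', '"VPS"')

if __name__ == "__main__":
    print(check_idp_metadata(IDP_METADATA, IDP_URL))
    print(diagnose_authn_request(CAPTURED))
    print(diagnose_authn_request(RECONSTRUCTED))
```

Run against the captured text it reports the undefined `&qout;` entity, the doubly quoted ProviderName and the parser error; run against the reconstruction it parses, and the only remaining finding is that the Issuer value `1` is not an entityID URL, which matters for the Well Known Location method because that URL is where the IdP would fetch the SP metadata. Both checks use only the standard library, so they run offline; to use the metadata check for real, fetch the entityID URL with a size cap and pass the body in.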