I have two SimpleSAMLphp servers set up; they are both on the same physical server but separated by virtual host. They are currently at the domains:
id.saml.domain.com <- Identity provider
sp.saml.domain.com <- Service provider
I also have a third site, the web application that I actually intend to implement single sign-on at. We'll call that
test.domain.com/webapplication
I have the service provider and the identity provider talking to each other using example-auth. I can go to the service provider, click 'Test authentication sources', get sent to the identity server, get a login prompt, enter the example credentials, click submit, and get sent back to the service provider.
At this point, everything looks good.
My problem is when I try to implement the service provider in the website.
I have the following login code in place to call the service provider code:
```php
<?php
// Path to the SimpleSAMLphp installation that acts as the SP, and the name of
// the SP defined in that installation's config/authsources.php.
$lib = "/ltsites/saml/service/lib";
$sp  = "default-sp";

try {
    // Autoload the SimpleSAMLphp classes.
    if (!file_exists("{$lib}/_autoload.php")) {
        throw new Exception("simpleSAMLphp lib loader file does not exist: "
            . "{$lib}/_autoload.php");
    }
    include_once("{$lib}/_autoload.php");

    $as = new SimpleSAML_Auth_Simple($sp);
    // Send the user to the IdP if there is no SP session yet. requireAuth()
    // redirects and exits in that case, so it only returns once authenticated.
    $as->requireAuth();
    $valid_saml_session = $as->isAuthenticated();
} catch (Exception $e) {
    // SimpleSAMLphp is not configured correctly.
    throw new Exception("SSO authentication failed: " . $e->getMessage());
}

if (!$valid_saml_session) {
    // No valid session: redirect the user to the Identity Provider.
    try {
        $as = new SimpleSAML_Auth_Simple($sp);
        $as->requireAuth();
    } catch (Exception $e) {
        // SimpleSAMLphp is not configured correctly.
        throw new Exception("SSO authentication failed: " . $e->getMessage());
    }
}

// At this point the user is authenticated by the Identity Provider and the
// attributes received with the SAML assertion are available.
$attributes = $as->getAttributes();
```
It does forward me all the way to the identity server and asks for credentials, but upon returning to the service provider I get the error:
State information lost
SimpleSAML_Error_NoState: NOSTATE
I found this wiki page https://code.google.com/p/simplesamlphp/wiki/LostState, but nothing I did after reading it (like changing the 'session.cookie.domain' in config\config.php, which just sent the pages into an infinite refresh loop) worked.
Does anyone have any ideas? Did I set it up incorrectly? I'm thinking maybe the web application itself has to be the service provider, i.e. test.domain.com/webapplication/simplesaml/, so that the two are on the same domain?
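Added example, not part of the original post and not a confirmed diagnosis of this setup: the config.php fragments a practitioner would compare when NOSTATE appears in a layout like the one above. The assumption is that the web application on test.domain.com starts the SP session, so the SP's session cookie is bound to test.domain.com and is never sent to the AssertionConsumerService on sp.saml.domain.com when the IdP posts the response back, which is exactly the "state information lost" condition the LostState page describes. The example also assumes that once the cookie domain is widened to .domain.com, the IdP at id.saml.domain.com and the SP at sp.saml.domain.com would otherwise share the same cookie name and overwrite each other's session, which is a known cause of a redirect loop between the two. The hostnames, the /ltsites/saml/service path and the default-sp name are from the question; the cookie names and the 'secure' flag are chosen for the example. Option names are the SimpleSAMLphp 1.x ones (session.cookie.domain, session.cookie.name, session.phpsession.cookiename, session.cookie.path, session.cookie.secure).

```php
<?php
// ----- /ltsites/saml/service/config/config.php (the SP at sp.saml.domain.com) -----

// Weak setting (SimpleSAMLphp defaults): no cookie domain, and the same cookie
// names the IdP installation uses. The session cookie is scoped to whichever
// host first called requireAuth(), here test.domain.com, so the browser does
// not present it to sp.saml.domain.com on the return trip from the IdP.
$config_sp_before = array(
    'session.cookie.domain'         => null,
    'session.cookie.name'           => 'SimpleSAMLSessionID',
    'session.phpsession.cookiename' => 'SimpleSAML',
);

// Corrected (assumed fix for the layout in the question): share the SP cookie
// across *.domain.com so both test.domain.com and sp.saml.domain.com see it,
// and give the SP cookie names that differ from the IdP's so the two
// installations under the same parent domain cannot clobber each other.
$config_sp_after = array(
    'session.cookie.domain'         => '.domain.com',
    'session.cookie.name'           => 'SimpleSAMLSPSessionID',   // assumed name
    'session.phpsession.cookiename' => 'SimpleSAMLSP',            // assumed name
    'session.cookie.path'           => '/',
    'session.cookie.secure'         => true,   // only if all three hosts use HTTPS
);

// ----- config/config.php of the IdP at id.saml.domain.com -----

// The IdP session can stay host-scoped; what matters is that its cookie names
// are distinct from the SP's, otherwise a .domain.com SP cookie and the IdP's
// own cookie with the same name overwrite each other on every redirect.
$config_idp_after = array(
    'session.cookie.domain'         => null,
    'session.cookie.name'           => 'SimpleSAMLIdPSessionID',  // assumed name
    'session.phpsession.cookiename' => 'SimpleSAMLIdP',           // assumed name
    'session.cookie.secure'         => true,
);

// ----- test.domain.com/webapplication: the login call against the SP -----

require_once '/ltsites/saml/service/lib/_autoload.php';

$as = new SimpleSAML_Auth_Simple('default-sp');
// Redirects to the IdP and exits if there is no SP session; returns otherwise.
$as->requireAuth();
// Attributes from the SAML assertion, keyed by attribute name.
$attributes = $as->getAttributes();
```

To check the assumption rather than guess: open the browser's network tab, click the login link on test.domain.com, and look at the Set-Cookie header on the first response from the SP code. If its Domain attribute is missing or is test.domain.com, the cookie will not accompany the later POST to sp.saml.domain.com and NOSTATE is expected; after the change it should read Domain=.domain.com, and the request to the IdP should carry a cookie with a different name from the one the SP sets.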