0

I'm getting the following error when trying to connect to a webseal saml endpoint

My server is setup as an SP and I am trying to authenticate against and IDP that I have setup in saml20-idp-remote.php

The redirect works correctly but when the IDP redirects back to my SP I get the following error.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:179 (N/A)
Caused by: SimpleSAML_Error_Exception: Error validating SubjectConfirmation in Assertion:
 Recipient in SubjectConfirmationData does not match the current URL. 
Recipient is 'http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp', 
current URL is 
'http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'.
Backtrace:
3 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:684 (sspmod_saml_Message::processAssertion)
2 /mnt/www/html/livehappierstg/simplesaml/modules/saml/lib/Message.php:517 (sspmod_saml_Message::processResponse)
1 /mnt/www/html/livehappierstg/simplesaml/modules/saml/www/sp/saml2-acs.php:96 (require)
0 /mnt/www/html/livehappierstg/simplesaml/www/module.php:134 (N/A)

How do I change the recipient url in the subject confirmation data in my config files.

My config files are as follows.

'default-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'http://local.com/',

    // The entity ID of the IdP this should SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://example.com/federatedaccess/SSOConsume.do',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
)

SAML2.0 Idp remote config

$metadata['https://example.com/federatedaccess/SSOConsume.do'] = array(
  'name' => array(
    'en' => 'My SSO',
  ),
  'description' => 'My single sign on webseal environment.',
  'ForceAuthn' => false,
  'IsPassive' => false,
  'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
  'SingleSignOnService' => 'https://example.com/federatedaccess/SSOConsume.do',
  'certificate' => 'pub.crt',
  'sign.authnrequest' => true,
  'redirect.sign' => true,
  'redirect.validate' => true,
);

Cheers

Daniel Harper
  • 496
  • 4
  • 19

1 Answers1

0

This is a problem with how the IdP is configured with your SP. It be should setting the Recipient in SubjectConfirmationData to http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp and is instead using http://example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp (note the saml2-acs.php vs metadata.php difference in the path).

The URL the Idp is using is the URL to retrieve your SP's metadata. It seems instead of reading the metadata it is using that URL as AssertionConsumerService URL.

Patrick
  • 3,901
  • 1
  • 25
  • 30
  • This was exactly it, but unfortunatley I don't have access to configure the Idp and I have to go through a change request process. I got it changed in the end and I'm on with sorting more bugs out. – Daniel Harper Apr 26 '16 at 10:08