
I've currently got a simplesamlphp installation as a service provider on a CentOS server. I have the config/authsources.php defined as follows:

'default-sp' => array(
    'saml:SP',
    'entityID' => null,
),

When I access the /saml/ URL via https and navigate to the 'Federation' tab, i.e. https://my.sp/saml/module.php/core/frontpage_federation.php

I notice that the Entity ID returned is 'http' rather than 'https' (I would expect this to be https). It shows the following:

SAML 2.0 SP Metadata
Entity ID: http://my.sp/saml/module.php/saml/sp/metadata.php/default-sp
default-sp
[ Show metadata ]

When I then click the 'Show metadata' link to access the URL https://my.sp/saml/module.php/saml/sp/metadata.php/default-sp?output=xhtml (noting that the URL is correctly https), the metadata XML is again returning unexpected 'http' URLs rather than 'https' URLs for the entityID and the Locations. Note the following excerpt from the XML:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://my.sp/saml/module.php/saml/sp/metadata.php/default-sp">
    -- SNIP --
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://my.sp/saml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://my.sp/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://my.sp/saml/module.php/saml/sp/saml1-acs.php/default-sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://my.sp/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://my.sp/saml/module.php/saml/sp/saml1-acs.php/default-sp/artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

This is seemingly causing issues when sharing metadata with the remote IdP. So my question is: why is it returning http rather than https, and is there a way I can resolve this? I have chosen not to hardcode the entityID as I have 2 separate subdomains accessing the single SP, so I thought it made sense to allow the currently used URL to dictate this (this has worked for other installations). Any help would be appreciated.

Manachi

3 Answers


Your Entity ID should be https:// in /apps/simplesamlphp/config/authsources.php, and the reason why the metadata XML is again returning unexpected http URLs rather than https URLs for the entityID and the Locations is that you may not have generated certificates; you will have to create a self-signed certificate in the cert/ directory, if not already created.

I had the same situation while using the auth_saml2 plugin in Moodle. When I installed and configured SimpleSAMLphp on my CentOS by following the link https://simplesamlphp.org/docs/stable/simplesamlphp-sp, the Federation tab showed the SP metadata returning https://; however, when I used the same plugin for the Moodle application, the SP metadata was returning http:// rather than https://, so I regenerated the certificate from the auth_saml2 plugin, and then the SP metadata returned https.

Igor Drozdov
SandY

FYI: the entityID may look like a URL, but it's not. It's simply an identifier. So http vs https should have absolutely no effect on the end user experience. You can have an entityID of just about any string you want. SimpleSAMLphp is generating the entityID for you because your metadata file specifies a dynamic entityID. This makes SSP generate an entityID based on a number of things about the request and the auth source ID. I would recommend using a static entityID. If the request used to generate the metadata accesses your server via a different scheme (http vs https) or name (DNS name vs IP address vs alias), the entityID in the metadata will be different and your SAML interaction may not work as expected.

Bobby Lawrence

I was able to fix this by ensuring that 'baseurlpath' in config.php is HTTPS.

Sibil
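A pre-share check for the situation in the question and in the two answers above (static entityID, https baseurlpath), added here as an example; it is not from the original thread and not SimpleSAMLphp's own tooling. It scans SP metadata for any entityID or endpoint Location that is not https:// so the problem is caught before the file goes to the remote IdP. The sample metadata is constructed to mirror the question's excerpt, with the question's placeholder host my.sp; the script assumes only POSIX sh, grep and sed.

```shell
#!/bin/sh
# Added example, not from the original thread or from SimpleSAMLphp itself:
# scan SP metadata for an entityID or endpoint Location that is not https://
# before the file is sent to a remote IdP. Only POSIX sh, grep and sed are used.

# Print every entityID="..." / Location="..." attribute whose value does not
# start with https://, one per line (empty output when the metadata is clean).
non_https_endpoints() {
    grep -o -E '(entityID|Location)="[^"]*"' \
        | { grep -v -E '^[A-Za-z]+="https://' || true; }
}

# Read metadata on stdin. Return 0 if every entityID and Location is https://,
# return 1 and list the offenders on stderr otherwise.
check_sp_metadata() {
    bad=$(non_https_endpoints)
    if [ -n "$bad" ]; then
        echo "metadata still has non-https entityID/Location values:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample mirroring the question's excerpt (my.sp is the question's
# placeholder host); this is not real metadata fetched from anywhere.
sample_http_metadata() {
    cat <<'EOF'
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://my.sp/saml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://my.sp/saml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://my.sp/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# What the same metadata should look like once baseurlpath in config.php (or a
# static entityID in authsources.php) is https://; derived from the sample above.
sample_https_metadata() {
    sample_http_metadata | sed 's#="http://my\.sp/#="https://my.sp/#g'
}

# Usage: sh check_sp_metadata.sh metadata.xml
#   or:  curl -s https://my.sp/saml/module.php/saml/sp/metadata.php/default-sp \
#          | sh check_sp_metadata.sh
if [ -n "${1:-}" ]; then
    check_sp_metadata < "$1"
fi
```

Run it against the metadata actually served by the SP after changing baseurlpath or the entityID, not against a cached copy. The two attributes matter for different reasons: an http:// AssertionConsumerService Location tells the IdP to have the browser POST the signed response to a plaintext endpoint, and an entityID that differs from the one the IdP was registered with means the IdP's audience value will not match what the SP expects.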