
I'm using SimpleSAMLPHP and have successfully set up > 40 SSO connections. Just recently, one of my SSO connections started throwing the following error when users were authenticating:

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: SimpleSAML_Error_Exception: Could not find the metadata of an IdP with entity ID 'urn:company.com:spfed:1.0:entityid:MANPROD:test'
Backtrace:
6 modules/saml/lib/Auth/Source/SP.php:134 (sspmod_saml_Auth_Source_SP::getIdPMetadata)
5 modules/saml/lib/Auth/Source/SP.php:327 (sspmod_saml_Auth_Source_SP::startSSO)
4 modules/saml/lib/Auth/Source/SP.php:430 (sspmod_saml_Auth_Source_SP::authenticate)
3 lib/SimpleSAML/Auth/Source.php:193 (SimpleSAML_Auth_Source::initLogin)
2 lib/SimpleSAML/Auth/Simple.php:147 (SimpleSAML_Auth_Simple::login)
1 modules/core/www/authenticate.php:36 (require)
0 www/module.php:135 (N/A)

My saml20-idp-remote.php file looks like the following:

$metadata['urn:company.com:spfed:1.0:entityid:MANPROD:test'] = array (
    'name' => [
        'en' => 'company1'
    ],
    'entityid' => 'urn:company.com:spfed:1.0:entityid:MANPROD:test',
    'description' => 
    array (
      'en' => 'Company 1',
    ),
    'OrganizationDisplayName' => 
    array (
      'en' => 'Company 1',
    ),
    'url' => 
    array (
      'en' => 'http://www.company.com/',
    ),
    'OrganizationURL' => 
    array (
      'en' => 'http://www.company.com/',
    ),
    'metadata-set' => 'saml20-idp-remote',
    'expire' => 1403713599,
    'sign.authnrequest' => true,
    'SingleSignOnService' => 
    array (
      0 => 
      array (
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://company.com/saml2sso',
      ),
    ),
    'SingleLogoutService' => 
    array (
    ),
    'ArtifactResolutionService' => 
    array (
    ),
    'NameIDFormats' => 
    array (
      0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    ),
    'keys' => 
    array (
      0 => 
      array (
        'encryption' => false,
        'signing' => true,
        'type' => 'X509Certificate',
        'X509Certificate' => '...',
      ),
    ),
  );

I should note that I'm blocking out the x509 certificate, and that the metadata was directly converted from the metadata converter.

My authsources.php file looks like this:

'company1' => [
        'saml:SP',
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',
        'entityID' => null,
        'idp' => 'urn:company.com:spfed:1.0:entityid:MANPROD:test',
        'discoURL' => null,
],

You can clearly see my $metadata key matches the entityid and the authsources idp as per the instructions.

What's even more strange is that when I go to a list of my IdPs, the company1 IdP doesn't even show up in the dropdown list, most likely because it can't find the metadata. I guess I'm wondering why it isn't finding the metadata. Is it an issue with colons and periods? Is there something weird with my metadata? I ran a PHP syntax checker and it found no issues in either file.

Alex

1 Answer

Just found the bug. Turns out that if 'expire' => 1403713599, is set and is not updated, then it will throw the metadata not found error.

By commenting out the expire array index in saml20-idp-remote.php I was able to resolve this issue.

Alex
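The answer above pins the failure on a stale 'expire' timestamp. The following script is an added example, not code from the question, the answer or SimpleSAMLphp itself: it scans a saml20-idp-remote.php file as text (without executing it) and flags every $metadata entry whose 'expire' value is already in the past, so the condition can be caught before users hit the "Could not find the metadata" error. The embedded metadata file is constructed, modelled on the question's entry with the certificate elided.

```python
import re
import time
from datetime import datetime, timezone

# Constructed sample in the shape of the question's saml20-idp-remote.php.
SAMPLE_METADATA_PHP = r"""<?php
$metadata['urn:company.com:spfed:1.0:entityid:MANPROD:test'] = array (
    'entityid' => 'urn:company.com:spfed:1.0:entityid:MANPROD:test',
    'metadata-set' => 'saml20-idp-remote',
    'expire' => 1403713599,
    'sign.authnrequest' => true,
);
$metadata['https://idp.example.org/saml2/idp'] = array (
    'entityid' => 'https://idp.example.org/saml2/idp',
    'metadata-set' => 'saml20-idp-remote',
    'expire' => 4102444800,
);
$metadata['https://idp-no-expire.example.org/'] = array (
    'metadata-set' => 'saml20-idp-remote',
);
"""

# Start of one $metadata['<entityID>'] = array ( / [ entry.
ENTRY_RE = re.compile(r"\$metadata\[\s*'([^']+)'\s*\]\s*=\s*(?:array\s*\(|\[)")
EXPIRE_RE = re.compile(r"'expire'\s*=>\s*(\d+)\s*,")

def parse_expire_entries(php_source):
    """Map each entity ID to its 'expire' epoch, or None when the key is absent."""
    entries = {}
    matches = list(ENTRY_RE.finditer(php_source))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(php_source)
        exp = EXPIRE_RE.search(php_source[m.end():end])  # only this entry's body
        entries[m.group(1)] = int(exp.group(1)) if exp else None
    return entries

def check_expired(entries, now=None):
    """Entity IDs whose 'expire' is in the past; SimpleSAMLphp reports these
    as missing metadata, which is the error seen in the question."""
    now = int(time.time()) if now is None else now
    return sorted(eid for eid, exp in entries.items() if exp is not None and exp < now)

def report(php_source, now=None):
    entries = parse_expire_entries(php_source)
    expired = check_expired(entries, now)
    for eid in expired:
        when = datetime.fromtimestamp(entries[eid], timezone.utc).isoformat()
        print(f"EXPIRED {eid}: 'expire' => {entries[eid]} ({when}); refresh the IdP metadata")
    return expired

if __name__ == "__main__":
    report(SAMPLE_METADATA_PHP)
```

The 'expire' value is the IdP's own validity window carried over from its metadata, so refreshing the entry from current IdP metadata keeps that check in place, whereas commenting the key out removes it.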