
I'm trying to set up a web application (just an index.php file for now) where users can only use it if they are logged in via the Microsoft Azure IdP. When a user reaches this page, it redirects him to the Microsoft login page. So far no problem, it works. But once logged in, I would like the user to be redirected to my index.php page, but currently the redirection is to https://my-web-site.com/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp with a page not found error. I don't understand how/where to change this redirection URL.

I have filled in the following information:

  • metadata/saml20-idp-remote.php: metadata from AzureAD
  • config/config.php: baseurlpath, technicalcontact_name, technicalcontact_email, secretsalt and auth.adminpassword
  • config/authsources.php: entityID set to https://my-web-site.com/. idp set to the URL found in the metadata. NameIDFormat set to 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' (found this in a tutorial, don't really understand what it means). simplesaml.nameidattribute set to 'eduPersonTargetedID' (same as the last one)

The server I'm working on runs on nginx and I don't have permission to modify its configuration. So I didn't do step 6 of the SimpleSAMLphp installation doc.

My index.php is just the same as the example in the doc:

<?php
// Load the SimpleSAMLphp autoloader (path relative to this index.php)
require_once('simplesaml/lib/_autoload.php');
// Use the 'default-sp' authsource defined in config/authsources.php
$as = new \SimpleSAML\Auth\Simple('default-sp');
// Redirects to the IdP when there is no session; returns once authenticated
$as->requireAuth();
// Attributes released by the IdP for the logged-in user
$attributes = $as->getAttributes();
print_r($attributes);

I thought it was an ACS redirection, so in authsources.php within 'default-sp' I added:

'AssertionConsumerService' => 'https://my-web-site/',

But nothing changed.

The SimpleSAMLphp installation page at https://my-web-site.com/simplesaml/www/ is only partially working. All the frontpage_*.php pages are working, but the functionalities send me either to 403 Forbidden or Page not found, like:

PS: I converted the XML of my IdP to SimpleSAMLphp metadata on a local WAMP installation of SimpleSAMLphp, since this function doesn't work on my web site.

How can I change the redirection after logging in to Microsoft Azure? I've been looking for several days, but I can't find a solution. Did I miss something, or is it not possible without changing the nginx configuration?

Help will be very much appreciated (before it drives me crazy ;)). Thanks.

Ozone33
  • I made a step forward. Now the metadata converter is the only one that gives a 403 error. I managed to generate my metadata in some other way, but now I have an issue: it seems like my PHP script that calls requireAuth and the Azure login bounce each other indefinitely. Don't understand why? – Ozone33 Feb 03 '21 at 08:22
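For reference, here is what a complete 'default-sp' entry in config/authsources.php looks like for an Azure AD IdP, with the security reason for not overriding the AssertionConsumerService spelled out. This is an added example from the editor, not the asker's file nor SimpleSAMLphp's own template; it assumes SimpleSAMLphp 1.18 or later (array form of NameIDPolicy), and the host name, tenant id and paths are placeholders.

```php
<?php
// Added example (not from the original post): a complete 'default-sp' entry for
// config/authsources.php in SimpleSAMLphp 1.18+ syntax. The host name, the
// <tenant-id> and the paths are placeholders; replace them with your own values.
$config = [

    'default-sp' => [
        'saml:SP',

        // The SP entityID. Azure AD must list exactly this value as the
        // "Identifier (Entity ID)" of the enterprise application.
        'entityID' => 'https://my-web-site.com/',

        // entityID of the IdP, as it appears as the key in
        // metadata/saml20-idp-remote.php. Azure AD tenants use the form
        // https://sts.windows.net/<tenant-id>/ (placeholder tenant id here).
        'idp' => 'https://sts.windows.net/<tenant-id>/',

        // No discovery service: always send the user to the IdP above.
        'discoURL' => null,

        // NameID format to request. 'persistent' is a stable, opaque per-user
        // identifier; request 'emailAddress' only if you actually need the address.
        'NameIDPolicy' => [
            'Format'      => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            'AllowCreate' => true,
        ],

        // Do NOT point the ACS at index.php. The IdP POSTs the signed SAMLResponse
        // to the ACS, and only SimpleSAMLphp's saml2-acs.php endpoint validates the
        // signature, audience and timestamps before it creates a session and then
        // redirects to your page. Leave this option unset: the ACS advertised in
        // the SP metadata is derived from 'baseurlpath' in config.php. If you do
        // list it explicitly, its Location must still be that endpoint and must
        // match the Reply URL registered in Azure, e.g.:
        //
        // 'AssertionConsumerService' => [
        //     [
        //         'index'     => 0,
        //         'isDefault' => true,
        //         'Location'  => 'https://my-web-site.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        //         'Binding'   => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        //     ],
        // ],
    ],
];
```

The check that follows from this: open the SP metadata page under the SimpleSAMLphp web interface, copy the AssertionConsumerService Location it advertises, and confirm that (a) it is the exact Reply URL configured in Azure and (b) a request to it is answered by SimpleSAMLphp rather than by a 403 or 404 from the web server. If (b) fails, the redirect after login cannot work no matter what index.php does, because the browser never reaches the code that turns the assertion into a session.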

2 Answers


You do not need to change that URL (the AssertionConsumerService), but instead you need to find out why it's not served correctly by your Apache installation. So it's more an Apache question, I think? Maybe the Apache error log has some clues as to why it doesn't serve SimpleSAMLphp's URLs.

As for the endless loop, I would investigate whether you set the SameSite options of SimpleSAMLphp correctly. The documentation has more information on that.

  • Thanks for your answer. I'm not working with Apache but nginx. I looked in the error log but I didn't see anything that could help. Finally I replaced SSP with another library that was simpler for me. SimpleSAMLphp was not simple enough to integrate in my environment ;). Don't know how to close this post? – Ozone33 Feb 11 '21 at 15:02
  • Maybe it would be useful for other users if you let us know which other library you eventually used? – Raffael Meier Jan 23 '23 at 17:39

I had the same issue, and I found that adding the parameter ?url=1 to the RelayState URL can break the loop:

authsources.php

    'discoURL' => null,
    'RelayState' => 'https://example.org/saml_login?url=1',

Also, you can update your caching settings by adding the private directive:

lib/SimpleSAML/Utils/HTTP.php

    if (!headers_sent()) {
        // set the location header
        header('Location: ' . $url, true, $code);

        // disable caching of this response
        header('Pragma: no-cache');
        header('Cache-Control: private, no-cache, no-store, must-revalidate');
    }
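Rather than patching a core file or relying on a query-string marker, the SP <-> IdP bounce described in this thread can be contained in the application itself with a small circuit breaker: count the number of times an unauthenticated user is sent to the IdP within a short window and stop with a diagnostic instead of looping forever. This is an added example from the editor, not code from the asker, the answerer or the SimpleSAMLphp project. It assumes PHP 7.3+ (array form of setcookie), SimpleSAMLphp 1.x installed under ./simplesaml, an authsource named 'default-sp' (both as in the question), and uses a hypothetical cookie name and threshold.

```php
<?php
// Added example (not from the original post): index.php with a guard against an
// endless SP <-> IdP redirect loop. Assumes SimpleSAMLphp 1.x under ./simplesaml,
// an authsource named 'default-sp', and PHP 7.3+ for the setcookie options array.
require_once('simplesaml/lib/_autoload.php');

const LOOP_COOKIE  = 'ssp_login_attempts';   // hypothetical cookie name
const MAX_ATTEMPTS = 3;                      // hypothetical threshold
const RETURN_TO    = 'https://my-web-site.com/index.php';   // placeholder host

$as = new \SimpleSAML\Auth\Simple('default-sp');

if (!$as->isAuthenticated()) {
    $attempts = (int) ($_COOKIE[LOOP_COOKIE] ?? 0);

    if ($attempts >= MAX_ATTEMPTS) {
        // Break the loop: report what to check instead of redirecting again.
        http_response_code(500);
        header('Cache-Control: no-store');
        header('Content-Type: text/plain; charset=utf-8');
        echo "Login loop detected: sent to the IdP {$attempts} times without a session.\n"
           . "Check that the ACS URL registered at the IdP is served by SimpleSAMLphp\n"
           . "(no 403/404 from the web server), and that session.cookie.samesite and\n"
           . "session.cookie.secure in config.php allow the session cookie to be kept\n"
           . "across the cross-site POST back from the IdP.\n";
        exit;
    }

    // Remember this attempt for two minutes. SameSite=Lax is enough because this
    // cookie is only read on the top-level GET that follows the ACS redirect.
    setcookie(LOOP_COOKIE, (string) ($attempts + 1), [
        'expires'  => time() + 120,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // Same effect as requireAuth(), but with an explicit, absolute return URL so
    // the post-login redirect does not depend on what the ACS infers.
    $as->login(['ReturnTo' => RETURN_TO]);
    // login() does not return: it redirects the browser to the IdP.
}

// Authenticated: clear the counter and show the released attributes.
setcookie(LOOP_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
header('Content-Type: text/plain; charset=utf-8');
print_r($as->getAttributes());
```

The counter cookie is deliberately separate from the SimpleSAMLphp session cookie: if the session cookie is being dropped by the browser on the cross-site POST (the SameSite situation the first answer points to), the counter still survives on the same-site GET and the loop ends after three round trips with a message that names the two things to verify.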