2

We are trying to set up simpleSAMLphp to SSO against Azure AD, to use with a MediaWiki installation.

Desired situation:
When someone logs into MediaWiki, that person should be redirected to Azure AD. Next, the user should fill in his credentials and be redirected to the wiki.

Current situation:
I followed the steps as described here: https://medium.com/vivritiengineering/mediawiki-and-azure-single-sign-on-e3fbc13d1f46

SimpleSAMLphp is set up on an on-premise Debian server.
Config.php and authsources.php are set up for Azure and our tenant.

We created an app in Azure and filled in 2 reply URIs:

  • https://ourSite/simplesaml/module.php/core/authenticate.php?as=default-sp
  • https://ourSite/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

Problem:
In Firefox and Safari everything works: I go to "Test Configured Authentication Sources" - "default-sp".
Next I'm presented with a Microsoft login page. After logging in with my account, simpleSAMLphp shows me my metadata. As expected.

In Chrome and Edge, when going to 'Test configured authentication sources - default-sp' the page gets stuck in a redirect loop:

What I tried:

  1. Clearing my cache and cookies.
    Result: I'm presented the Microsoft login screen, but after submitting my credentials I get stuck in the loop.
  2. Changing store.type in simpleSAMLphp from "phpSession" to "SQL" (tried both SQLite and MySQL).
    Result: still works in Firefox and Safari. Loop in Chrome/Edge.
  3. New application in Azure AD, same result
  4. Different settings in simpleSAMLphp config.php
    Result: sometimes broke simpleSAML, mostly same result as above.

I'm new with simpleSAMLphp and after a few days of trial-and-error I'm out of ideas (besides just abandoning simpleSAML and trying to switch to LDAP).
It seems to be browser/cookie/cache related.

Thanks for any help in advance!

  • 1
    In `config.php` check if 'session.cookie.samesite' is set, and if not, set it => 'None'. Chrome requires it for cross-site cookies to be posted, which may be your issue. Otherwise it seems like a cookie is getting lost in Edge and Chrome. You may need to use browser developer tools to snoop traffic and see when the SSP session cookie gets lost. – Patrick Feb 04 '21 at 02:15
  • Solved by reinstalling simpleSAMLphp and completely redoing the configuration. Checked old and new config, but I can't see a difference. I did revert from simpleSAMLphp-v1.19.0 to simpleSAMLphp-v.1.18.8, but I'm hesitant to say that was the cause – Sven Vanwalleghem Feb 04 '21 at 15:20
  • It seems that this bug report refers to the issue: https://github.com/simplesamlphp/simplesamlphp/issues/1444 - and it further seems that the samesite-cookie settings are the key. – BurninLeo Oct 26 '21 at 20:36

1 Answer

1

Solved by reinstalling simpleSAMLphp and completely redoing the configuration. Checked old and new config, but I can't see a difference.

I did revert from simpleSAMLphp-v1.19.0 to simpleSAMLphp-v.1.18.8, but I'm hesitant to say that was the cause.
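
The cookie loss that the comments on the question suspect can be checked offline from the `Set-Cookie` headers seen in the browser's developer tools. The following is an added example, not part of the original posts or of SimpleSAMLphp: it models whether a session cookie is attached to the cross-site POST that the IdP sends back to `saml2-acs.php`. The function names, the sample headers and the `lax_by_default` switch (standing in for Chrome/Edge versus a browser without that default) are assumptions made for the illustration.

```python
# Added example (not from the original posts): model which session cookies a
# browser attaches to the cross-site POST that the IdP sends to saml2-acs.php.
# Simplification: ignores Chrome's short-lived "Lax + POST" allowance.

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def sent_on_cross_site_post(header, lax_by_default):
    """Return (cookie name, sent?, reason) for the IdP -> SP POST."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite in ("lax", "strict"):
        return name, False, "SameSite=%s is withheld from cross-site POST" % samesite
    if samesite == "none":
        if lax_by_default and "secure" not in attrs:
            return name, False, "SameSite=None without Secure is rejected"
        return name, True, "SameSite=None allows cross-site POST"
    if lax_by_default:
        return name, False, "no SameSite attribute, treated as Lax"
    return name, True, "no SameSite attribute, legacy default sends it"

def lost_cookies(headers, lax_by_default):
    """Names of cookies that will be missing when the SAML response arrives."""
    results = [sent_on_cross_site_post(h, lax_by_default) for h in headers]
    return [name for name, sent, _ in results if not sent]

# Constructed sample headers; the cookie name is an assumed SimpleSAMLphp default.
UNSET = ["SimpleSAMLSessionID=abc123; path=/; HttpOnly"]
NONE_INSECURE = ["SimpleSAMLSessionID=abc123; path=/; HttpOnly; SameSite=None"]
NONE_SECURE = ["SimpleSAMLSessionID=abc123; path=/; Secure; HttpOnly; SameSite=None"]

if __name__ == "__main__":
    for label, headers in [("unset", UNSET), ("None, no Secure", NONE_INSECURE),
                           ("None + Secure", NONE_SECURE)]:
        for lax in (True, False):
            print(label, "| Lax-by-default:", lax, "| lost:", lost_cookies(headers, lax))
```

In this model, setting `SameSite=None` only helps when the cookie also carries `Secure`, so the site has to be served over HTTPS for the change to take effect.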