"Could not find the metadata of an IdP" with drupal and simplesamlphp_auth
I set up my SimpleSAMLphp (I have my IdP on another server) with Drupal. After logging into "http://localhost:31478/simplesaml/" as administrator, I ran "Test authentication sources" with my IdP, and the "SAML 2.0 SP Demo Example" screen with the correct attributes was displayed. I guess it meant that SimpleSAMLphp and my IdP could see each other and were communicating properly.

However, when I tried to use Federated login with Drupal after turning on "Activate authentication via SimpleSAMLphp", I got the following error:

SimpleSAML_Error_Exception: Could not find the metadata of an IdP with entity ID 'tenant2.test.com' in sspmod_saml_Auth_Source_SP->getIdPMetadata() (line 134 of /var/www/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Auth/Source/SP.php).

SETTINGS

  • Drupal version is 8.
  • php version is 5.6.24-0.
  • simplesamlphp_auth module version is 8.x-3.0-alpha4+2-dev.
  • simplesamlphp_auth module was installed and enabled in Drupal. "Authentication source for this SP" was set to "default-sp" in the simplesamlphp_auth module configuration.

I have my simplesamlphp directory in /var. The following changes were made to enable SAML.

/var/simplesamlphp/config/config.php


    'baseurlpath' => 'simplesaml/',
    ....
    'enable.saml20-sp'  => true,
    'enable.saml20-idp' => true,
    'enable.shib13-idp' => false,
    'enable.adfs-idp' => false,
    'enable.wsfed-sp' => false,
    'enable.authmemcookie' => false,
    ....
    'saml' => TRUE,
    ....
    ....
    'default-saml20-idp' => 'tenant2.test.com',
    ....
    'store.type'                    => 'memcache',
    ....
    ....
    'memcache_store.servers' => array(
        array(
            array('hostname' => 'localhost'),
        ),
    ),
    'memcache_store.prefix' => 'SimpleSAMLphp',
    ....
    .... 
    'trusted.url.domains' => array('localhost:31478'),

/var/simplesamlphp/config/authsources.php


    <?php
    $config = array(
        'admin' => array(
            'core:AdminPassword',
        ),

        'default-sp' => array(
            'saml:SP',
            'privatekey' => 'saml.pem',
            'certificate' => 'saml.crt',
            'entityID' => null,
            'idp' => 'tenant2.test.com',
            'discoURL' => null,
        ),
    );

/var/simplesamlphp/metadata/saml20-idp-remote.php


    <?php
    $metadata['tenant2.test.com'] = array(
        'SingleSignOnService'      => 'https://tenant2.test.com/testSamlLogin',
        'AssertionConsumerService' => 'http://localhost:31478/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        'SingleLogoutService'      => 'https://tenant2.test.com/admin/logout',
        'certFingerprint'          => '0a89aec59bf48e414ec050f6956891cb3f5b09a0',
    );

I have been trying to fix this problem for a few days. Did I miss anything?

Thank you.

Barbosa answered 17/8, 2016 at 22:56

Comment: did you find the answer? I am facing the same issue. (Intermit)

Discovered this can also happen if the metadata includes an 'expire' key and the metadata is expired. Try commenting that out in your saml20-idp-remote.php metadata and seeing if you get a different error, because the error handling is skipped over.

Neighboring answered 31/8, 2018 at 22:4

Comment: In case you're seeing wrong expire times in saml20-idp-remote.php and you're running on Apache mod_php, you might be suffering from the following bug: github.com/simplesamlphp/simplesamlphp/issues/1708 (Molybdenum)

This message means the Entity ID of the Identity Provider (IdP) is incorrect and/or not found in the metadata:

  1. Incorrect in config/authsources.php
  2. Not found in metadata/saml20-idp-remote.php

The 'entityID' listed in the authsources refers to the Service Provider (SP), which in your example is 'default-sp'. Changing this 'entityID' will not solve your problem, since that would change the Entity ID of the Service Provider.

The Entity ID of the Identity Provider (IdP) is specified in the 'idp' field. Your 'idp' is set to 'tenant2.test.com'. This value is probably missing some information. An Identity Provider's entity ID is usually much longer. Below is an example of what you might see on the Federation Front Page of a SimpleSAMLphp Identity Provider (IdP).

SAML 2.0 IdP Metadata
Entity ID: https://samlidp.example.com/simplesaml/saml2/idp/metadata.php

I would look at your Metadata for the Identity Provider and update the 'idp' field of the authsources file to have the complete Entity ID.

The Entity ID of the Identity Provider (IdP) is also usually included in the metadata/saml20-idp-remote.php. I do not see it in your example. So I would update both the authsources and the metadata in this example.

Calf answered 15/5, 2018 at 17:35
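An added check, not from the question or any of the answers, that mechanizes Calf's point (the 'idp' of each saml:SP authsource must be a key in saml20-idp-remote.php) and Neighboring's point (an entry with an 'expire' timestamp in the past surfaces as the same error). The script name, the base-directory argument and the PHP 5.6-compatible syntax are assumptions; it reads the two files exactly as SimpleSAMLphp would.

```php
<?php
// check_idp_metadata.php (added example, not SimpleSAMLphp code)
// Usage: php check_idp_metadata.php /var/simplesamlphp
// Exit status 0 = consistent, 1 = at least one problem found.

$base = isset($argv[1]) ? rtrim($argv[1], '/') : '/var/simplesamlphp';

// authsources.php defines $config; saml20-idp-remote.php fills $metadata.
$config = array();
require $base . '/config/authsources.php';
$metadata = array();
require $base . '/metadata/saml20-idp-remote.php';

$problems = 0;
foreach ($config as $name => $source) {
    // Only saml:SP sources reference a remote IdP; skip 'admin' etc.
    if (!isset($source[0]) || $source[0] !== 'saml:SP') {
        continue;
    }
    $idp = isset($source['idp']) ? $source['idp'] : null;
    if ($idp === null) {
        echo "[$name] no 'idp' set; IdP discovery would be used\n";
        continue;
    }
    if (!array_key_exists($idp, $metadata)) {
        // Exactly the mismatch behind "Could not find the metadata of an
        // IdP with entity ID '...'": the string must match a metadata key.
        echo "[$name] idp '$idp' has no entry in saml20-idp-remote.php\n";
        echo "        known entity IDs: " . implode(', ', array_keys($metadata)) . "\n";
        $problems++;
        continue;
    }
    $entry = $metadata[$idp];
    if (isset($entry['expire']) && (int) $entry['expire'] < time()) {
        // Per Neighboring's answer, an expired entry can produce the same
        // "could not find" error, so report it as a distinct cause.
        echo "[$name] metadata for '$idp' expired at " . date('c', (int) $entry['expire']) . "\n";
        $problems++;
        continue;
    }
    $sso = isset($entry['SingleSignOnService']) && is_string($entry['SingleSignOnService'])
        ? $entry['SingleSignOnService'] : '(endpoint list)';
    echo "[$name] OK: '$idp' found, SingleSignOnService = $sso\n";
}
exit($problems === 0 ? 0 : 1);
```

Run it against the question's files and it reports 'default-sp' as OK for 'tenant2.test.com', which narrows the original error to the other causes discussed here (the SimpleSAMLphp directory Drupal actually loads, or a differing entity ID in the IdP's real metadata).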

This issue is fixed by adding simplesamlphp_dir in settings.php:

    $settings['simplesamlphp_dir'] = '/var/www/mysite/docroot/simplesaml';

Chandigarh answered 29/9, 2020 at 10:32

Did you try to put tenant2.test.com in place of null for 'entityID'?

Underpart answered 26/8, 2016 at 18:28