SimpleSAMLphp State Information getting lost

I have a Service Provider set up at https://biz.dev.originsystems.co.za. I have an IdP set up at http://stage.originsystems.co.za.

When testing the authentication with the tool at https://biz.dev.originsystems.co.za/simplesaml/module.php/core/authenticate.php, everything works fine. It comes back to the Dev site with the required attributes and all is happy and joyful.

However, when I attempt to actually hit the IdP in code on https://biz.dev.originsystems.co.za, I am redirected to the Stage login page, but after logging in I get a "State information lost" error. I get the following debug information:

SimpleSAML_Error_NoState: NOSTATE

Backtrace:
2 /webdevroot/Updraft/web/external/System/SSO/simplesaml/lib/SimpleSAML/Auth/State.php:225 (SimpleSAML_Auth_State::loadState)
1 /webdevroot/Updraft/web/external/System/SSO/simplesaml/modules/saml/www/sp/saml2-acs.php:63 (require)
0 /webdevroot/Updraft/web/external/System/SSO/simplesaml/www/module.php:134 (N/A)

I've done all the troubleshooting the page asked me to do but the situation persists.

I've opened up the dev tools on the browser and watched the cookie information. The cookies for biz.dev.originsystems.co.za include a SimpleSAMLAuthToken, so I figure the cookies are working. The code I'm using to hit the IdP is:

<?php
// Load the SimpleSAMLphp autoloader (path taken from the backtrace above).
require_once('/webdevroot/Updraft/web/external/System/SSO/simplesaml/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple("stage-sso-sp"); // authsource name from config/authsources.php
$as->requireAuth();                               // redirects to the IdP if there is no valid session, then returns here
$attributes = $as->getAttributes();
print_r($attributes);

UPDATE:

Here's some more information...

I wanted to determine if the problem was with how I set up the IdP, so I started using SSO Circle for the IdP. The State information gets lost after authentication on SSO Circle as well. I think that means the problem is somewhere with my Service Provider setup for SimpleSAML. Here's what's happening...

When I go to the SimpleSAML Test Authentication Sources page at https://biz.stage.originsystems.co.za/simplesaml I have the following cookie values...

Name                                       Value
SimpleSAMLAuthToken                        _a53569c0701dd02832532df14cf10cd0b2d9fcd6b6
biz.stage.originsystems.co.za              10fc356e0bfbf707af5fa5854c378755
ccof                                       RGN002
xbrF                                       84aadc624fc51c0c9340d45645c08643

Everything except the SimpleSAMLAuthToken is from our application and shouldn't affect SimpleSAML. Once I am redirected to SSO Circle and authenticated I return to my SimpleSAML page and the Auth Token now has a value of _39679e07cb1911e08b2bff3580a9929faddd07e9b6 and all the relevant information is returned correctly. The log file shows the following activity.

Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Received SAML2 Response from 'http://idp.ssocircle.com'.
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] No certificate in message when validating against fingerprint.
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Found 1 certificates in SAML2_Assertion
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Has 1 candidate keys for validation.
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Validation with key #0 succeeded.
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Filter config for http://idp.ssocircle.com->https://biz.stage.originsystems.co.za/simplesaml/module.php/saml/sp/metadata.php/default-sp: array (  0 =>   sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 90,  )),)
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Deleting state: '_742b094314383407864f56bccc6afd7de3dcb3211e'
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Session: doLogin("default-sp")
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Session: Valid session found with 'default-sp'.
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Session: Valid session found with 'default-sp'.
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Template: Reading [/OriginSystems/application/Updraft/web/external/System/SSO/simplesaml/dictionaries/status]
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Template: Reading [/OriginSystems/application/Updraft/web/external/System/SSO/simplesaml/dictionaries/attributes]
Feb 02 12:58:22 simplesamlphp DEBUG [7c4534ae0a] Template: Reading [/OriginSystems/application/Updraft/web/external/System/SSO/simplesaml/modules/core/dictionaries/frontpage]

If I go to https://biz.stage.originsystems.co.za?ccof=RGN002, I am redirected as I expect to be to SSO Circle where I then authenticate. At this time my Auth Token has a value of _39679e07cb1911e08b2bff3580a9929faddd07e9b6. Once I am authenticated I'm directed to a SimpleSAML error page "State Information Lost" and the Auth Token is still _39679e07cb1911e08b2bff3580a9929faddd07e9b6.

The log reads...

Feb 02 13:08:31 simplesamlphp DEBUG [8abc64dd04] Loading state: '_498e7d4d75bb7716e5e8cf905e0da5ef1c40cf1b3f'
Feb 02 13:08:31 simplesamlphp ERROR [8abc64dd04] SimpleSAML_Error_NoState: NOSTATE
Feb 02 13:08:31 simplesamlphp ERROR [8abc64dd04] Backtrace:
Feb 02 13:08:31 simplesamlphp ERROR [8abc64dd04] 2 /OriginSystems/application/Updraft/web/external/System/SSO/simplesaml/lib/SimpleSAML/Auth/State.php:225 (SimpleSAML_Auth_State::loadState)
Feb 02 13:08:31 simplesamlphp ERROR [8abc64dd04] 1 /OriginSystems/application/Updraft/web/external/System/SSO/simplesaml/modules/saml/www/sp/saml2-acs.php:63 (require)
Feb 02 13:08:31 simplesamlphp ERROR [8abc64dd04] 0 /OriginSystems/application/Updraft/web/external/System/SSO/simplesaml/www/module.php:134 (N/A)
Feb 02 13:08:31 simplesamlphp ERROR [8abc64dd04] Error report with id dfbb52b0 generated.
Feb 02 13:08:31 simplesamlphp DEBUG [8abc64dd04] Template: Reading [/OriginSystems/application/Updraft/web/external/System/SSO/simplesaml/dictionaries/errors]
Feb 02 13:08:31 simplesamlphp DEBUG [8abc64dd04] Template: Reading [/OriginSystems/application/Updraft/web/external/System/SSO/simplesaml/modules/core/dictionaries/no_state]

It looks to me as if the Auth Token should be _498e7d4d75bb7716e5e8cf905e0da5ef1c40cf1b3f but isn't for some reason. Since SimpleSAML can't find that Token it never deletes the old one and creates a new one. Maybe I'm wrong about that. I'm perfectly willing to be corrected. My problem is that I don't know what is causing this. I've set the cookie.name in the config file to "biz.stage.originsystems.co.za" and that seems to work fine for the SimpleSAML control panel, but it doesn't work when using the SP from the actual application. Can someone point me in the right direction here? I'm lost.

Chatwin answered 28/1, 2016 at 7:44 Comment(5)
The generated ID/Token you are getting is somehow creating a problem. The top three reasons that can generate this error are: 1. Changing domain name, e.g. you are on example.com hopping to www.example.com, which causes the session no-state error; 2. Jumping from HTTP to HTTPS or HTTPS to HTTP; 3. The session is not saving properly. For more please consider a look at here. - Windowshop
Multi Thinker: That's an excellent response. You should post it as an answer, so you can earn the bounty. If it doesn't work for you, Andrew, would you mind posting the metadata for your SP and IDP configuration? - Fleawort
Without looking at the metadata it's hard to give a specific answer, but I would like to point out that Firefox has an add-on called Saml Tracer (addons.mozilla.org/en-US/firefox/addon/saml-tracer) that I used all the time when debugging SSO problems. Might help you track down what values are being sent back and forth without relying on debug statements. - Masaccio
Are you running code on multiple worker machines? (E.g. multiple PHP worker machines behind a reverse proxy balancer.) If so, make sure that all workers see the shared data backend that SimpleSAML uses to keep the data between different requests. - Glutton
Try to check the cookie configuration in SimpleSAML and force the cookie to be 'Lax' for the session. - Lissalissak
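
The comments above name a host change and an HTTP/HTTPS switch as common reasons the SP session cookie does not come back with the SAML response, which is exactly when SimpleSAMLphp cannot load the saved state. This added Python example (not from the question or from SimpleSAMLphp) applies the browser's cookie-scoping rules to a login start URL and the ACS URL to flag those two cases, plus a cookie path that does not cover the ACS endpoint. The SP host and ACS URL are taken from the question; the cookie name, the www host and the /app path are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    domain: str = ""    # Domain attribute; "" = host-only cookie (what PHP sets by default)
    path: str = "/"
    secure: bool = False

def domain_matches(cookie: Cookie, set_on_host: str, request_host: str) -> bool:
    # Host-only cookie: only the exact host that set it gets it back (RFC 6265 5.1.3).
    if not cookie.domain:
        return request_host == set_on_host
    d = cookie.domain.lstrip(".").lower()
    return request_host == d or request_host.endswith("." + d)

def path_matches(cookie_path: str, request_path: str) -> bool:
    # RFC 6265 5.1.4 path-match: identical, or a prefix ending in "/" or at a "/" boundary.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def diagnose(start_url: str, acs_url: str, cookie: Cookie) -> List[str]:
    """Reasons the SP session cookie set on the request to start_url would NOT accompany
    the IdP's POST back to acs_url; an empty list means SimpleSAMLphp can load the state."""
    start, acs = urlsplit(start_url), urlsplit(acs_url)
    reasons = []
    if not domain_matches(cookie, start.hostname.lower(), acs.hostname.lower()):
        reasons.append(f"host changed: {start.hostname} set the cookie, ACS is on {acs.hostname}")
    if cookie.secure and acs.scheme != "https":
        reasons.append("scheme changed: a Secure cookie is never sent to a plain-http ACS URL")
    if not path_matches(cookie.path, acs.path or "/"):
        reasons.append(f"path mismatch: cookie path {cookie.path!r} does not cover {acs.path!r}")
    return reasons

ACS = "https://biz.stage.originsystems.co.za/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
SP = "https://biz.stage.originsystems.co.za"
# Constructed scenarios: the first should pass; the rest model host change, scheme change and a narrow path.
SCENARIOS = {
    "same host, default cookie": (SP + "/?ccof=RGN002", ACS, Cookie("SimpleSAMLSessionID", secure=True)),
    "www vs bare host": (SP.replace("://", "://www."), ACS, Cookie("SimpleSAMLSessionID")),
    "https app, http ACS": (SP + "/", ACS.replace("https://", "http://"), Cookie("SimpleSAMLSessionID", secure=True)),
    "cookie path too narrow": (SP + "/app/", ACS, Cookie("SimpleSAMLSessionID", path="/app")),
}

def run_scenarios() -> Dict[str, List[str]]:
    return {name: diagnose(*args) for name, args in SCENARIOS.items()}
```

Compare the URL in the browser when `requireAuth()` fires with the ACS URL in the SP metadata and the `session.cookie.*` settings in config.php; any non-empty result here is a cookie that will never reach saml2-acs.php.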

You'll have to define two completely independent environments, in order to work around mixing up those two environments (which feature two completely different identity providers), as you describe it (which obviously does not work, unless you have added both of them into the SSO configuration, which probably might not be the desired outcome); simply check for the server's host-name and define the variables accordingly. This can be done either "on-the-fly" or possibly by two different config files (it's actually quite common to push config files at the end of a deployment). To me this sounds far more like a deployment issue (lacking the proper config file for the live site) than an SSO issue.

Giaour answered 26/1, 2018 at 10:38 Comment(0)

Yes, configure separate identity providers for Dev and Stage. After authentication, they send authorization to the specified URL via redirect, after login is successful.

Kamikamikaze answered 12/3 at 19:28 Comment(0)