Hi

I am trying to use this server as a test IDP server for a Vue.js / node.js based application.

I have a working testbed using passport-saml where the express server serves the pages. But when I switch to the frontend I am running into CORS issues:

Access to XMLHttpRequest at 'http://samlserver:8080/simplesaml/saml2/idp/SSOService.php?SAMLRequest=nVNNb%2BIwEP0rke%2FkC6oWi1BR0GqRum1Esj30UhlnKN51bK%2FHKfTfrxOSFYctB062Zt4bz7w3nt0faxl8gEWhVUaSMCb38xmyWhq6aNxebeBPA%2BgCD1NIu0RGGquoZiiQKlYDUsdpsfjxSNMwpsZqp7mWJFivMvI2HU84VMl0u%2BO36fQGIJ0ACV6GBz3DAxEbWCt0TDkfipPpKB6PkkmZxDS9pUkSpjeTVxLkfekHoSqh3i%2F3sT2BkH4vy3yUPxclCRaIYJ1%2FeKkVNjXYAuyH4PBz85iRvXOGRpHUnMm9RkfHcRz3QcN9U10gaiVIPepdqMgj5Zbx3yRYeY2EYq4bqif90gfWbBvlGnoX33mmqI2Elt8XEZWJiuK5byI0e0NO2tNOEXsm%2BuVZ2TAXmTNj%2FN0bOovOKg2WPnnqepVrKfjnNZZ%2B07Zm7mt0EiZdRFSjXQelUDMhF1VlAdEbIKU%2BLC0wBxlxtgESDa31iwZVt3beIAfHq9ZuqWvDrMDWCTgy7gZRzwsvpddsA7trJL4I45S3pX0498dB26rdWuB%2BsNIyhUZb11vzv37mp9wXcvzLnn%2FN%2BV8%3D' (redirected from 'http://localhost:3000/saml2/login') from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. login.vue?8d26:124 loginWithSAML2...{"config":{"transformRequest":{},"transformResponse":{},"timeout":0,"xsrfCookieName":"XSRF-TOKEN","xsrfHeaderName":"X-XSRF-TOKEN","maxContentLength":-1,"headers":{"Accept":"application/json, text/plain, */*"},"method":"get","url":"http://localhost:3000/saml2/login"},"request":{}}

My connections:

Any idea where to start to tackle this problem?

I'm getting a Metadata not found when trying to log in using saml

Metadata not found
Unable to locate metadata for 'http://dev.localhost/v1/saml/f789766c-e073-4ee5-8fb3-d3258223cd20/metadata.xml'
This is most likely a configuration problem on either the service provider or identity provider.

however, if I take the url specified above, and docker exec into the container, using curl from the shell gives me

jmls@jmls-Z390-AORUS-PRO:~$ docker exec -it testsamlidp sh
# curl http://dev.localhost/v1/saml/f789766c-e073-4ee5-8fb3-d3258223cd20/metadata.xml
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis ... [snipped]

what have I misconfigured ? I used docker run --add-host=dev.localhost:172.17.0.1 --name=testsamlidp -p 8081:8080 to start the container

When trying to connect to SAML I'm getting this error:

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => ''http://localhost/\'')

Backtrace:
3 lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:300 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
2 lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:320 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
1 modules/saml/lib/IdP/SAML2.php:330 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 www/saml2/idp/SSOService.php:19 (N/A)

I wish there were an option to read user account information from a csv file - just for convenience. Or any other flatish file - yaml, json, anything that's easy to generate programmatically and parse.

ID, Affiliation, name, email, password, anything, else
1, group1, name one, [email protected], user1pass, chocolate, false
...

error detail:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Could not resolve 'ldap:Ldap': no class named 'sspmod_ldap_Auth_Source_Ldap' or 'SimpleSAML\Module\ldap\Auth\Source\Ldap'.
Backtrace:
6 lib/SimpleSAML/Module.php:277 (SimpleSAML\Module::resolveClass)
5 lib/SimpleSAML/Auth/Source.php:298 (SimpleSAML_Auth_Source::parseAuthSource)
4 lib/SimpleSAML/Auth/Source.php:343 (SimpleSAML_Auth_Source::getById)
3 lib/SimpleSAML/Auth/Simple.php:56 (SimpleSAML\Auth\Simple::getAuthSource)
2 lib/SimpleSAML/Auth/Simple.php:160 (SimpleSAML\Auth\Simple::login)
1 modules/core/www/authenticate.php:36 (require)
0 www/module.php:135 (N/A)

authsources.php

Hello,

Thanks for a great testing/dev tool. I am using your image together with node-saml2. Everything works great, except I am not getting the user's username back in the saml_response. Here is what I get back from the call to post_assert:

{
    response_header: {
        version: '2.0',
        destination: 'https://localhost:8443/auth/vandy',
        in_response_to: '_3b62f0918e4aca01a86d394a8185673ec85a9e6445',
        id: '_13a6e79b68c8283ea4887560b34d02ba345aa1ad19'
    },
    type: 'authn_response',
    user: {
        name_id: '_6fbb90a0faa99dd0048653a7bdbc983dabae9c4b33',
        session_index: '_bad6a226294b5a616e061d8510a08165732825d0b1',
        session_not_on_or_after: '2018-05-23T02:32:56Z',
        attributes: {
            uid: [ '1' ],
            eduPersonAffiliation: [ 'group1' ],
            email: [ '[email protected]' ]
        }
    }
}

Do you happen to know a way I can get username ("user1") in this response?
Thanks,
Graham

I used the container already on other docker host with success.

For my new installation I simply copied the configuration and adapted the ip adresses.
While starting i get only this message:

AH00534: apache2: Configuration error: No MPM loaded.

I searched already and the reason shall be a missconfigured apache especially inside the http.conf.

Searching via find insinde docker host and inside container created from this image I could not find an http.conf file in order to check it.

Both docker hosts (the working and the not working) don't have any apache installation.

I tried to start the image completely without volume mounts and environment variables (bare image) and also got this exception.

Obviously the image is somehow relying on underlying docker host.

The docker host is an centos7 vm. The not working centos VM is derived from the same centos vm like the first. I compared docker and docker-compose versions. (same)

I have no ideas anymore.

Is this issue known and what could be a solution?

Thanks

Maik

Hi,

I would like to change the assertion expiry date created by the IdP. The value of saml:Assertion/saml:Conditions/@NotOnOrAfter is currently about 5 minutes in the future. Is there a way to achieve this?

In my environment it's impractical to predict the path the SP remote ends up on until after we already need to have started the IdP container, we also use a different SP remote for each test case. I would also like the ability to configure users and their metadata from within tests so that it's trivial to see the important bits of the environment set up for the test and the test assertions in a single spot. I also create unique usernames in tests currently so that when a test is being run locally we can keep adding users from the same test without having username collisions in our app.

While this is all likely achievable using volume mounts over the config files shared between multiple containers, that requires our test containers knowing about the file system layout in the IdP container and assuming that that will never change.

I'd like a simple API deployed in the IdP container to make changes via basic POST requests for at least adding:

• a new SP remote
• a new user and metadata to the example-userpass auth source

I've started mocking that out in master...neerolyte:dynamic-test-config and I'd like feedback on whether you'd merge something like this if you have a chance.

A follow up to #8 that I forgot to mention, it would be stellar if this could use a base image or had configuration that doesn't require running as root.

Then you could launch this on pretty much any managed container service out there (OpenShift, Heroku, etc.).

https://github.com/sclorg/s2i-php-container/blob/master/7.1/root/usr/libexec/container-setup

I use this container so often because we have a ton of customers with SAML integrations and it helps with automated testing too. Being able to spin up a bunch of these in k8s with different environment settings would be awesome.

It's extraordinarily unclear in the documentation that the docker command's SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE (at least) variable needs to point to your SP because the URL used is for simplesaml. I would suggest making it clearer by using some sort of mock application URL instead of something that refers back to a URL that looks like the IdP service.

Description

First of all, thanks for providing this docker image, it helps a lot!

It is my understanding that when logging out a user via the web interface, simplesaml should send a logout request to the configured SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE.

Observation

The IdP contacts the acs but not the sls.

Setup

I've got an application running as the service provider, configured like this (excerpt from my docker-compose.yml file:

test-saml-idp:
    image: kristophjunge/test-saml-idp:1.15
    container_name: saml-idp
    ports:
      - "8080:8080"
      - "8443:8443"
    environment:
      SIMPLESAMLPHP_SP_ENTITY_ID: "http://localhost:3449/saml/metadata"
      SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: "http://localhost:3449/saml/login"
      SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: "http://localhost:3449/saml/logout"
    volumes:
      - ./docker-saml/users.php:/var/www/simplesamlphp/config/authsources.php:ro

Login works as expected. If the login is successful, the /saml/login endpoint is contacted carrying the expected data.
On logout, my service provider is not contacted. Through other means, I verified that in principle, /saml/logout receives requests and does "the right thing".

Request

It would help if you could verify one of these assertions:

1. My setup is wrong (and perhaps how to fix it).
2. My assumption that the IdP contacts the SP via /saml/logout is wrong.
3. This is indeed a bug.

Thank you!

Details on the idp meta-data is not mentioned anywhere. This is needed to have it integrated with a SP.

Sorry, this is an question not an issue. I just need some hardcoded attribute value (for the response to the ACS). E.g.

   <saml:Assertion ...>
     ...
      <saml:AttributeStatement>
         ...
         <saml:Attribute Name="customAttribute" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">someHardcodedAttributeValue</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>

Is that possible?

It would be nice to be able to add things like vim from docker-compose.yml without writing a separate docker file. I propose the environment variable SIMPLESAMLPHP_DPKGS that takes a comma separated list of packages e.g.

SIMPLESAMLPHP_DPKGS="vim,git"

If that variable is set then docker should perform apt-get update and then apt-get install [packages].

Also consider making git tags of the versions in between and creating docker tags so others can download a specific version if required?

Hello,

It seems that when using https, there is a missing attribute for the hostname (localhost for testing) in the certificate (it has to be either in common name or in some additional DNS attribute), this leads to errors when client tries to verify certificate. I got it working by setting a new slef signed certificate, do you want me to do a pull request ?
Anyway, thanks for your effort, it saves a lot of time!

Because the container runs on 80 and 443 it won't run on services like OpenShift etc. that require non-privileged containers.

I would switch it to 8080 and 8443 by default.