2

After successfully receiving the SAML 2.0 token while using simplesamlphp as a Service Provider I get the following error.

    Oct 21 17:30:15 simplesamlphp DEBUG [6b6e3c270f] GenerateGroups - attribute 'eduPersonAffiliation' not found.
    Oct 21 17:30:15 simplesamlphp DEBUG [6b6e3c270f] Session: doLogin("default-sp")
    Oct 21 17:30:15 simplesamlphp WARNING [6b6e3c270f] Unable to find the SAML 2 binding used for this request.
    Oct 21 17:30:15 simplesamlphp WARNING [6b6e3c270f] Request method: 'GET'
    Oct 21 17:30:15 simplesamlphp ERROR [6b6e3c270f] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
    Oct 21 17:30:15 simplesamlphp ERROR [6b6e3c270f] Backtrace:
    Oct 21 17:30:15 simplesamlphp ERROR [6b6e3c270f] 0 /var/www/simplesamlphp/www/module.php:180 (N/A)
    Oct 21 17:30:15 simplesamlphp ERROR [6b6e3c270f] Caused by: Exception: Unable to find the current binding.
    Oct 21 17:30:15 simplesamlphp ERROR [6b6e3c270f] Backtrace:
    Oct 21 17:30:15 simplesamlphp ERROR [6b6e3c270f] 2 /var/www/simplesamlphp/lib/SAML2/Binding.php:95 (SAML2_Binding::getCurrentBinding)
    Oct 21 17:30:15 simplesamlphp ERROR [6b6e3c270f] 1 /var/www/simplesamlphp/modules/saml/www/sp/saml2-acs.php:11 (require)
    Oct 21 17:30:15 simplesamlphp ERROR [6b6e3c270f] 0 /var/www/simplesamlphp/www/module.php:135 (N/A)
    Oct 21 17:30:15 simplesamlphp ERROR [6b6e3c270f] Error report with id bd213fb5 generated.

My SP is set up like this:

**authsources.php**

    'default-sp' => array(
        'saml:SP',
        'entityID' => NULL,
        'idp' => NULL,
        'discoURL' => NULL,
        'RelayState' => '{link to my application}',
        'acs.Bindings' => array(
            'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
        ),
    ),

**saml20-idp-remote.php**

    $metadata['https://{idp entity id}'] = array(
        'metadata-set' => 'saml20-idp-remote',
        'entityid' => 'https://{idp entity id}',
        'name' => array(
            'en' => 'IDP Name',
            'no' => 'IDP name',
        ),
        'description'  => 'IDP desc',
        'SingleSignOnService' =>
          array (
            0 =>
            array (
              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
              'Location' => '{SSO url}',
            ),
            1 =>
            array(
              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
              'Location' => '{SSO url}',
            ),
          ),
        'SingleLogoutService'  => '{SLO url}',
        'certFingerprint' => '{the fingerprint}',
    );

I am pretty new to single sign-on. I have also hidden the URLs for confidentiality, but I am not sure if I am missing something or what's causing this error to be thrown. If anyone could help point me in the right direction, that would be greatly appreciated. I should also mention I am trying to use https://drupal.org/project/simplesamlphp_auth to hook into my application.

This is an IdP-first flow. I am using MySQL to store the sessions.

user2686172
  • Why did you set entityID and idp to NULL? Normally this configuration won't work and has to give an error different from the one you gave. – rsabir Apr 06 '16 at 07:38
  • I was getting a similar error for having 'store.type' => 'memcache', instead of phpsession – Asdrubal Mar 09 '17 at 20:06

2 Answers

5

"Unable to find the current binding." means exactly that, that the current binding cannot be determined. Your saml20-idp-remote.php mentions HTTP-POST binding, and your log mentions Request method: 'GET', so probably something goes wrong while posting to https://…/module.php/saml/sp/saml2-acs.php/default-sp.

I'm just doing a wild guess here, but in my experience, the most common cause is a redirecting web server. Maybe you redirect to a different hostname? Do you force HTTPS? Check on the IdP that the URLs for the AssertionConsumerService are correct - they should lead directly to SimpleSamlPhp without any redirect.

jornane
  • +1 It was the case for me. I've made a config in apache to redirect all queries of http to https (proxy) but the redirection doesn't keep the Post query (Type of query (POST/GET) + parameters). So to work around this problem, I was obliged to activate https in simplesamlphp. – rsabir Apr 06 '16 at 07:57
  • There's also another solution for others that have the same problem: Change the redirect permanent in apache2.conf/httpd.conf to redirect 307. With this change, you won't need to set an https for simplesamlphp – rsabir Apr 06 '16 at 08:06
  • @rsabir What do you mean by "activate https in simplesamlphp"? Was there a configuration value to turn on https redirection in simplesamlphp? – The Unknown Dev May 12 '17 at 18:37
  • @KimberlyW You can set the baseurl in the configuration file to start with https. Normally it will try to detect whether you use HTTPS or not, but this may fail, for example, if you're behind a reverse proxy. Best is to set the baseurl explicitly. – jornane May 12 '17 at 19:48
  • @jornane I see thanks, but is there a way to do that while keeping that `baseurlpath` relative? According to the comment above that property, if you include the protocol `https`, you also need the hostname/fqdn. In my case, my application can be accessed by more than one URL, so I can't fix it to just one. – The Unknown Dev May 12 '17 at 20:02
  • @KimberlyW the config file is PHP so you can script it. Then again this here is no support forum and this is getting very off-topic. If your setup requires special handling, you should ask a separate question. – jornane May 12 '17 at 22:00
1

I faced the same situation.

The SAML entity was pointing to www.mysite.com; in the Apache configuration we were redirecting www.mysite.com to mysite.com with redirect code 301. After changing to redirect code 307 to preserve GET and POST variables, it started working fine.

Thanks, Anubhav

Anubhav
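Both answers above come down to a redirect in front of the AssertionConsumerService turning the IdP's POST into a GET. The following check is an added example, not code from the thread or from SimpleSAMLphp: it POSTs a placeholder `SAMLResponse` to an ACS URL without following redirects and reports whether the HTTP-POST binding would survive. The names `probe_acs` and `start_demo_server`, the host `sp.example.org` and the local demo server are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlsplit

METHOD_CHANGING = {301, 302, 303}   # browsers re-send the POST as a GET, body dropped
METHOD_PRESERVING = {307, 308}      # client must repeat the POST with its body

def probe_acs(url, timeout=5):
    """POST a dummy SAMLResponse to the ACS URL without following redirects."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    body = urlencode({"SAMLResponse": "ZHVtbXk="})  # constructed placeholder value
    try:
        conn.request("POST", parts.path or "/", body,
                     {"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    if status in METHOD_CHANGING:
        verdict = "POST becomes GET: HTTP-POST binding is lost"
    elif status in METHOD_PRESERVING:
        verdict = "redirect keeps POST and body"
    else:
        verdict = "no redirect"
    return status, location, verdict

def start_demo_server(redirect_code):
    """Constructed stand-in for a web server that redirects the ACS URL."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(redirect_code)
            self.send_header("Location", "https://sp.example.org" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for code in (301, 307):
        srv = start_demo_server(code)
        acs = f"http://127.0.0.1:{srv.server_port}/module.php/saml/sp/saml2-acs.php/default-sp"
        print(code, probe_acs(acs))
        srv.shutdown()
```

Pointed at the ACS URL registered with the IdP, any 301/302/303 result means the registered URL or the web server redirect needs to change, as the answers describe.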