Really need some help here. Off the bat, I have a LAMP server which I'm using to host multiple Apache sites. RHEL 8.9, PHP 8.1. I have set up SimpleSAMLphp (SP) to authenticate against the host IDP (Azure). I'm able to successfully authenticate one site at a time, but any time I try to authenticate two sites, I get "unable to validate signature". For example, I have test1.example.com and test2.example.com. If I comment out the config for test1.example.com in the authsources under config, test2.example.com works, and vice versa works as well. As soon as I enable both, test2.example.com works every time and test1.example.com throws "unable to validate signature". The IDP is the same for both sites, but I'm using a different certificate for each site as set up by the IDP.
SP config (this is the exact config of test1.example.com; test2.example.com is exactly the same except for the entity ID and certs):
'test1-sp' => [
    'saml:SP',

    // The entity ID of this SP.
    'entityID' => 'https://sso.example.com',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'IDP.azure.com',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,

    /*
     * If SP behind the SimpleSAMLphp in IdP/SP proxy mode requests
     * AuthnContextClassRef, decide whether the AuthnContextClassRef will be
     * processed by the IdP/SP proxy or if it will be passed to the original
     * IdP in front of the IdP/SP proxy.
     */
    'proxymode.passAuthnContextClassRef' => false,

    /*
     * The attributes parameter must contain an array of desired attributes by the SP.
     * The attributes can be expressed as an array of names or as an associative array
     * in the form of 'friendlyName' => 'name'. This feature requires 'name' to be set.
     * The metadata will then be created as follows:
     * <md:RequestedAttribute FriendlyName="friendlyName" Name="name" />
     */
    /*
    'name' => [
        'en' => 'A service',
        'no' => 'En tjeneste',
    ],
    'attributes' => [
        'attrname' => 'urn:oid:x.x.x.x',
    ],
    'attributes.required' => [
        'urn:oid:x.x.x.x',
    ],
    */
],
I have done everything and I'm not sure what I'm doing wrong, or if it's even possible to have multiple sites authenticate against a single IDP when they are hosted on the same server.
Thanks in advance.
Edit: the IDP config for test1 is:
$metadata['IDP.azure.com'] = [
    'entityid' => 'https://sso.example.com',
    'contacts' => [],
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'IDP.azure.com/saml2',
        ],
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'IDP.azure.com/saml2',
        ],
    ],
    'SingleLogoutService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'IDP.azure.com/saml2',
        ],
    ],
    'ArtifactResolutionService' => [],
    'NameIDFormats' => [],
    'keys' => [
        [
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => 'MIIC8DCCAdigAwIBAgIQZ1u8DdLLcp1LX40zTvYlHjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNDAzMjAxNDAzMTRaFw0yNzAzMjAxNDAzMTVaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAud9/4Ttvi2sUp8EhIfb9GVKGuGmwr8s59wGPffV7Go6dwVLytRHKu3aeJg',
        ],
    ],
];
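An added diagnostic, not from the post and not SimpleSAMLphp's own code: it takes each site's IdP entry as a PHP array (the certificate values are constructed placeholders, not the real Azure certificate), fingerprints every signing certificate and reports any IdP entity ID that several sites assign with different certificates, because in one saml20-idp-remote.php a later assignment to the same `$metadata` key silently replaces the earlier one. The `$perSite` layout and the function names are assumptions made for this example.

```php
<?php
// Each site's saml20-idp-remote entry as its admin would write it, keyed by the
// IdP entity ID exactly as in the post. The certificate values are constructed
// placeholders (base64 of a short string), not real Azure certificates.
$perSite = [
    'test1-sp' => ['IDP.azure.com' => ['keys' => [[
        'signing' => true, 'encryption' => false, 'type' => 'X509Certificate',
        'X509Certificate' => base64_encode('placeholder cert issued for test1'),
    ]]]],
    'test2-sp' => ['IDP.azure.com' => ['keys' => [[
        'signing' => true, 'encryption' => false, 'type' => 'X509Certificate',
        'X509Certificate' => base64_encode('placeholder cert issued for test2'),
    ]]]],
];
/** SHA-256 fingerprint of a base64 DER blob (same value openssl x509 -sha256 -fingerprint prints). */
function fingerprint(string $b64): string
{
    $der = base64_decode(preg_replace('/\s+/', '', $b64), true);
    if ($der === false) { throw new InvalidArgumentException('X509Certificate is not valid base64'); }
    return strtoupper(implode(':', str_split(hash('sha256', $der), 2)));
}
/** Entity IDs for which more than one site declares a different signing certificate. */
function findSigningCertCollisions(array $perSite): array
{
    $declared = [];
    foreach ($perSite as $site => $metadata) {
        foreach ($metadata as $entityId => $entry) {
            foreach ($entry['keys'] ?? [] as $key) {
                if (!empty($key['signing'])) {
                    $declared[$entityId][$site][] = fingerprint($key['X509Certificate']);
                }
            }
        }
    }
    $collisions = [];
    foreach ($declared as $entityId => $bySite) {
        $distinct = array_unique(array_merge(...array_values($bySite)));
        if (count($bySite) > 1 && count($distinct) > 1) {
            $collisions[$entityId] = $bySite;
        }
    }
    return $collisions;
}
foreach (findSigningCertCollisions($perSite) as $entityId => $bySite) {
    echo "\$metadata['$entityId'] is assigned by several sites with different signing certs; in one saml20-idp-remote.php only the last assignment survives:\n";
    foreach ($bySite as $site => $fps) {
        echo "  $site: " . implode(' ', $fps) . "\n";
    }
}
```

Compare the printed fingerprints with the thumbprint shown for each enterprise application in Azure to see which certificate SimpleSAMLphp is actually validating against; the `keys` array of a single IdP entry can also list more than one signing certificate.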