
Really need some help here. Off the bat, I have a LAMP server which I'm using to host multiple Apache sites: RHEL 8.9, PHP 8.1. I have set up SimpleSAMLphp (SP) to authenticate against the host IdP (Azure). I'm able to successfully authenticate one site at a time, but any time I try to authenticate two sites, I get "unable to validate signature". For example, I have test1.example.com and test2.example.com. If I comment out the config for test1.example.com in the authsources under config, test2.example.com works, and vice versa. As soon as I enable both configs, test2.example.com works every time and test1.example.com throws "unable to validate signature". The IdP is the same for both sites, but I'm using a different certificate for each site as set up by the IdP.

SP config (this is the exact config for test1.example.com; test2.example.com is the same except for the entity ID and certs):

'test1-sp' => [
    'saml:SP',

    // The entity ID of this SP.
    'entityID' => 'https://sso.example.com',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',


    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'IDP.azure.com',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,

    /*
     * If SP behind the SimpleSAMLphp in IdP/SP proxy mode requests
     * AuthnContextClassRef, decide whether the AuthnContextClassRef will be
     * processed by the IdP/SP proxy or if it will be passed to the original
     * IdP in front of the IdP/SP proxy.
     */
    'proxymode.passAuthnContextClassRef' => false,

    /*
     * The attributes parameter must contain an array of desired attributes by the SP.
     * The attributes can be expressed as an array of names or as an associative array
     * in the form of 'friendlyName' => 'name'. This feature requires 'name' to be set.
     * The metadata will then be created as follows:
     * <md:RequestedAttribute FriendlyName="friendlyName" Name="name" />
     */
    /*
    'name' => [
        'en' => 'A service',
        'no' => 'En tjeneste',
    ],

    'attributes' => [
        'attrname' => 'urn:oid:x.x.x.x',
    ],
    'attributes.required' => [
        'urn:oid:x.x.x.x',
    ],
    */
],

I have done everything and am not sure what I'm doing wrong, or if it's even possible to have multiple sites authenticate against a single IdP when they are hosted on the same server.

Thanks in advance.

Edit: the IdP config for test1 is:

$metadata['IDP.azure.com'] = [
    'entityid' => 'https://sso.example.com',
    'contacts' => [],
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'IDP.azure.com/saml2',
        ],
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'IDP.azure.com/saml2',
        ],
    ],
    'SingleLogoutService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'IDP.azure.com/saml2',
        ],
    ],
    'ArtifactResolutionService' => [],
    'NameIDFormats' => [],
    'keys' => [
        [
            'encryption' => false,
            'signing' => true,
            'type' => 'X509Certificate',
            'X509Certificate' => 'MIIC8DCCAdigAwIBAgIQZ1u8DdLLcp1LX40zTvYlHjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yNDAzMjAxNDAzMTRaFw0yNzAzMjAxNDAzMTVaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAud9/4Ttvi2sUp8EhIfb9GVKGuGmwr8s59wGPffV7Go6dwVLytRHKu3aeJg',
        ],
    ],
];
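Added example (editor's code, not from the question or the thread, and not SimpleSAMLphp's own file). Both SPs name the same IdP, 'IDP.azure.com', so metadata/saml20-idp-remote.php can hold only one entry under that key: in PHP a second `$metadata['IDP.azure.com'] = [...]` assignment replaces the first, which would leave only one app's Azure certificate configured and make exactly one of the two sites fail with "unable to validate signature". SimpleSAMLphp accepts several signing keys for one IdP and tries each of them when checking a Response signature, so a single entry listing both Azure app certificates serves both SPs. Entra ID issues one entity ID per tenant but signs with a per-app certificate, which is why the two certificates collide on one key. The certificate strings, the `https://IDP.azure.com/saml2` locations and the `entityid` value are placeholders.

```php
<?php
// metadata/saml20-idp-remote.php  (added example, not the poster's file)
//
// test1-sp and test2-sp both set 'idp' => 'IDP.azure.com', so this file must
// contain exactly ONE entry for that key. Two assignments to
// $metadata['IDP.azure.com'] keep only the last one: the first app's
// certificate silently disappears and that site can no longer validate.

// Placeholder base64 for the two Azure enterprise-app signing certificates
// (one per app, as the question describes). Substitute the real values from
// each app's federation metadata.
$azureCertTest1 = 'MIIC8DCCAdig...TEST1...';
$azureCertTest2 = 'MIIC8DCCAdig...TEST2...';

$metadata['IDP.azure.com'] = [
    // The entity ID of the IdP, i.e. the same value as the array key.
    // (The posted entry carries the SP's entity ID here instead.)
    'entityid'     => 'IDP.azure.com',
    'metadata-set' => 'saml20-idp-remote',

    'SingleSignOnService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://IDP.azure.com/saml2',   // placeholder URL
        ],
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://IDP.azure.com/saml2',   // placeholder URL
        ],
    ],
    'SingleLogoutService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://IDP.azure.com/saml2',   // placeholder URL
        ],
    ],

    // Several signing keys are allowed. When a Response arrives, the SP tries
    // each 'signing' => true key in turn, so a Response signed by either app's
    // certificate validates, whichever SP it was addressed to.
    'keys' => [
        [
            'encryption'      => false,
            'signing'         => true,
            'type'            => 'X509Certificate',
            'X509Certificate' => $azureCertTest1,
        ],
        [
            'encryption'      => false,
            'signing'         => true,
            'type'            => 'X509Certificate',
            'X509Certificate' => $azureCertTest2,
        ],
    ],
];
```

With this layout the authsources entries stay separate (distinct entityID, privatekey and certificate per SP, as in the question), and only the IdP side is merged. If Azure ever rotates one app's certificate, the new value is added as a third key and the old one removed after the cut-over; the same multi-key mechanism is what makes that rollover possible without downtime.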

1 Answer


It is possible to authenticate multiple sites against a single IdP using SimpleSAMLphp, but there are a few nuances that have to be carefully managed. I'd do it like this to avoid running into issues like "unable to validate signature":

Ensure that each site has a unique entityID. From your description, it looks like both sites are using the same entity ID (https://sso.example.com). Each service provider (SP) should have a unique entity ID.

'entityID' => 'https://test1.example.com',

And for the other one:

'entityID' => 'https://test2.example.com',

Then, make sure that each site has its own set of certificates (privatekey and certificate). This is important for the signature validation process. You should not reuse certificates between different SPs unless explicitly required by the setup.

Also, make sure that the IdP metadata configuration includes the correct entity ID for each SP and points to the right certificates.

Also, if both sites are hosted on the same server, they might be sharing the same session storage, which could cause issues. Ensure that each site has its own session storage or prefix in the configuration to avoid conflicts.

Also, make sure that there is no conflict in the way cookies are handled between the two sites. Cookies set for one site should not interfere with the other. This may involve setting different cookie parameters for each site.

I'd use something like this for the first site configuration:

'test1-sp' => [
    'saml:SP',

    // The entity ID of this SP.
    'entityID' => 'https://test1.example.com',
    'privatekey' => 'saml_test1.pem',
    'certificate' => 'saml_test1.crt',

    // The entity ID of the IdP this SP should contact.
    'idp' => 'https://IDP.azure.com',

    'discoURL' => null,

    'proxymode.passAuthnContextClassRef' => false,
],

And like this for the second one:

'test2-sp' => [
    'saml:SP',

    // The entity ID of this SP.
    'entityID' => 'https://test2.example.com',
    'privatekey' => 'saml_test2.pem',
    'certificate' => 'saml_test2.crt',

    // The entity ID of the IdP this SP should contact.
    'idp' => 'https://IDP.azure.com',

    'discoURL' => null,

    'proxymode.passAuthnContextClassRef' => false,
],

A couple more things to check: verify that you are using a version of SimpleSAMLphp compatible with your PHP and RHEL versions. Sometimes issues arise due to version incompatibilities.

Also, check the IdP configuration to ensure it is correctly set up to recognize and validate signatures from both test1.example.com and test2.example.com.

Other than that, it should work!
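As an added diagnostic (editor's example code, not the poster's or the answerer's, and not a reimplementation of how SimpleSAMLphp validates signatures): Entra ID embeds its signing certificate in the Response's <ds:KeyInfo>, so comparing that certificate with the `keys` configured for the IdP shows at once whether the failing site's Response was signed with a certificate the SP has never been given. The Response skeleton and the two certificate values below are constructed placeholders, not real certificates; the fingerprint is SHA-256 over the base64-decoded bytes, formatted like `openssl x509 -fingerprint -sha256`, so the output can be compared with what the Azure portal shows for each app.

```php
<?php
// Added example: which IdP certificate signed this Response, and is it configured?
// Run with: php check_idp_keys.php   (constructed input, runs offline)
declare(strict_types=1);

// Strip PEM armour and whitespace so both sides compare byte-for-byte.
function normalizeCert(string $b64): string
{
    $b64 = preg_replace('/-----(BEGIN|END) CERTIFICATE-----/', '', $b64);
    return preg_replace('/\s+/', '', $b64);
}

// SHA-256 over the DER bytes, in the colon-separated form openssl prints.
function certFingerprint(string $b64): string
{
    $der = base64_decode(normalizeCert($b64), true);
    if ($der === false) {
        throw new InvalidArgumentException('X509Certificate is not valid base64');
    }
    return strtoupper(implode(':', str_split(hash('sha256', $der), 2)));
}

// Every certificate the IdP placed in ds:Signature/ds:KeyInfo (normally one).
function signingCertsFromResponse(string $xml): array
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {      // never fetch external resources
        throw new InvalidArgumentException('Response is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
    $nodes = $xp->query('//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate');
    $certs = [];
    foreach ($nodes ?: [] as $node) {
        $certs[] = normalizeCert($node->textContent);
    }
    return $certs;
}

// Compare the Response's certificate(s) against a saml20-idp-remote 'keys' array.
function matchIdpKeys(string $responseXml, array $idpKeys): array
{
    $report = [];
    foreach (signingCertsFromResponse($responseXml) as $respCert) {
        $fp   = certFingerprint($respCert);
        $hits = [];
        foreach ($idpKeys as $i => $key) {
            if (!empty($key['signing']) && normalizeCert($key['X509Certificate']) === $respCert) {
                $hits[] = $i;
            }
        }
        $report[] = $hits === []
            ? "signed with $fp: NOT among the IdP's signing keys, validation will fail"
            : "signed with $fp: matches configured key index " . implode(',', $hits);
    }
    return $report;
}

// ---- constructed sample input ------------------------------------------------
// Placeholder "DER": arbitrary bytes standing in for each Azure app's certificate.
$certApp1 = base64_encode('placeholder DER for the test1 enterprise-app certificate');
$certApp2 = base64_encode('placeholder DER for the test2 enterprise-app certificate');

// Constructed Response skeleton carrying app 1's certificate in KeyInfo.
$response = <<<XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>c2ln</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{$certApp1}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>
XML;

// Hypothesis for the symptom: only app 2's certificate survived in the IdP entry.
$keysOneApp = [
    ['encryption' => false, 'signing' => true, 'type' => 'X509Certificate', 'X509Certificate' => $certApp2],
];
// Merged entry carrying both apps' certificates.
$keysBothApps = [
    ['encryption' => false, 'signing' => true, 'type' => 'X509Certificate', 'X509Certificate' => $certApp1],
    ['encryption' => false, 'signing' => true, 'type' => 'X509Certificate', 'X509Certificate' => $certApp2],
];

foreach (matchIdpKeys($response, $keysOneApp) as $line) {
    echo "one-app keys : $line\n";
}
foreach (matchIdpKeys($response, $keysBothApps) as $line) {
    echo "merged keys  : $line\n";
}
```

To use it against the live failure, paste the base64-decoded SAMLResponse from the browser's POST to the ACS URL in place of the constructed skeleton and the real `keys` array from saml20-idp-remote.php in place of the placeholders; a "NOT among the IdP's signing keys" line for the failing site confirms the certificate mismatch, while a match points elsewhere (clock skew, a tampered Response or a mismatched Destination/Audience).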

  • Thank you Max! I really appreciate your reply and have updated my original post with the IdP config for one of the sites. Just want to say that I'm using different entity IDs and certs (self-signed for the SPs) for both sites. The IdP has third-party certs for both sites, which I added in the IdP config. You talked about same session storage and cookie handling. Could you please share some information, as I have not set any particular setting for session storage or cookie handling? I'm using the most recent SimpleSAMLphp version with RHEL 8.9 and PHP 8.1. The IdP has set up different certs for both sites.
    – Vin Tastic
    Commented Jun 4 at 14:36
  • Sure mate, but I'd appreciate it if you'd put the code in a formatted box; all in one line isn't easy to read. Your question is good and surely someone will ask the same thing again in the future, so it'd be nice if they understand what we've done.
    – Max Haase
    Commented Jun 4 at 14:54
  • Figured out how to properly edit the post and put the code in a formatted box. So my config stands as you recommended, without any session storage or cookie handling parameters. Still, whenever I try to access it, test2 always works and test1 always throws invalid signature. Hoping to get a solution other than setting up separate servers for each site.
    – Vin Tastic
    Commented Jun 4 at 15:06
