Not able to connect to Ping Federate on SAML login


Hi,

I am currently working on an apigee dev-portal and was recently asked to implement SAML login with Ping as our IdP. I installed simpleSAMLphp on our apigee (Drupal) site and configured it to work as an SP. But, after all the configuration, when I try to log in as admin on the simpleSAMLphp interface (at url/simplesaml), an exception was thrown at me:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /srv/bindings/953b1a2e29694ba48a67beea8f81c386/code/simplesaml/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: URL not allowed: https://dev-horizonblue.devportal.apigee.com:15133/simplesaml/module.php/core/login-admin.php?Return...

Backtrace:
2 /srv/bindings/953b1a2e29694ba48a67beea8f81c386/code/private/simplesamlphp-1.14.8/lib/SimpleSAML/Utils/HTTP.php:331 (SimpleSAML\Utils\HTTP::checkURLAllowed)
1 /srv/bindings/953b1a2e29694ba48a67beea8f81c386/code/private/simplesamlphp-1.14.8/modules/core/www/as_login.php:21 (require)
0 /srv/bindings/953b1a2e29694ba48a67beea8f81c386/code/simplesaml/module.php:137 (N/A) 

Just so you know, I've given this for the

baseurlpath => 'https://'. $host .'/simplesaml/'

And now, with this exception on my simpleSAMLphp interface, when I click on back in the browser it says I am logged in as admin and everything works fine. So, I started to work around using this technique when on the simpleSAMLphp interface. Exported SP metadata to my Ping admin and then imported Ping's federated metadata into /private/simpleSAMLphp-1.14.8/metadata/saml20-idp-remote.php

I see the IdP's metadata on my simpleSAMLphp interface. Now, again, I noticed two problems, i.e.

1) I don't see the Federated login link on my apigee dev-portal.

2) When I try http://dev-horizonblue.devportal.apigee.com/saml_login - I see a page not found error.

I know this information won't be sufficient to get a grasp of my problem, but I just hope someone points me in the right direction to debug.

Thanks for your time !

Dharma

ACCEPTED SOLUTION


Hi Dharma,

Most likely, simpleSAMLphp is confused about which port your Drupal instance is running on, given that it is hosted in Pantheon. In this case the module is assuming HTTPS is being hosted on port 15133 when in fact it is being hosted on 443.

From my understanding, Pantheon does not allow active connections directly to this port, but does have port forwarding on the virtual host. e.g. (external) 443 -> (internal) 15133.

The easiest way to fix this is to comment out the logic in the module for getServerPort() in:

'/private/simplesamlphp-x.x.x/lib/SimpleSAML/Utils/HTTP.php'

    // Workaround for hosting behind a port-forwarding proxy: SERVER_PORT holds
    // the internal listener port (15133 here), not the public one (443), so the
    // port suffix must never be appended to the self URL. Every branch now
    // returns '' and the function effectively always yields the standard port.
    private static function getServerPort()
    {
        $port = (isset($_SERVER['SERVER_PORT'])) ? $_SERVER['SERVER_PORT'] : '80';
        //The following code will break when using Pantheon as hosting solution
        if (self::getServerHTTPS()) {
            if ($port !== '443') {
                //return ':'.$port;
                return ''; //Do not return custom Pantheon port
            }
        } else {
            if ($port !== '80') {
                //return ':'.$port;
                return ''; //Do not return custom Pantheon port
            }
        }
        return '';
    }

Hope this helps. Let me know if otherwise.


REPLIES

Can you verify the steps in this article to make sure it's configured correctly?

https://community.apigee.com/articles/29201/sso-integration-via-saml-with-developer-portal.html

Hi,

Yes, I verified the steps and configured it the way posted on the article.

I see the following exception on accessing https://example.devportal.apigee.com/saml_login and also do not see the federated login link.

Backtrace:
0 /srv/bindings/953b1a2e29694ba48a67beea8f81c386/code/simplesaml/module.php:180 (N/A)
Caused by: Exception: Destination in response doesn't match the current URL. Destination is "https://dev-example.devportal.apigee.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp", current URL is "/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp".
Backtrace:
2 /srv/bindings/953b1a2e29694ba48a67beea8f81c386/code/private/simplesamlphp-1.14.8/modules/saml/lib/Message.php:506 (sspmod_saml_Message::processResponse)
1 /srv/bindings/953b1a2e29694ba48a67beea8f81c386/code/private/simplesamlphp-1.14.8/modules/saml/www/sp/saml2-acs.php:120 (require)
0 /srv/bindings/953b1a2e29694ba48a67beea8f81c386/code/simplesaml/module.php:137 (N/A)

I know the current URL is being messed up, which is:

$cur_path = realpath($_SERVER['SCRIPT_FILENAME']);

Can I str_replace it with the URL, i.e.

https://dev-example.devportal.apigee.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

Thanks,

Dharma
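Both failures in this thread (the "URL not allowed" exception with the :15133 port in the accepted solution above, and the "Destination in response doesn't match the current URL" exception in the reply just above) come from the same root cause: PHP sees the proxy's internal listener port and builds a self URL that does not match what the browser and the IdP see. The following is an added example, not code from the thread or from simpleSAMLphp. It rebuilds the externally visible request URL from the proxy's X-Forwarded-* headers, but only when the request comes from a trusted proxy address, and then runs the two checks the thread tripped over in the same spirit as simpleSAMLphp's: a host allow-list where a non-standard port is part of the key, and an exact SAML Response Destination comparison that requires absolute URLs on both sides. The proxy address, header names, trusted-domain list and request array are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread or from simpleSAMLphp. Proxy
// address, header names, trusted domains and the request array are assumed.

/**
 * scheme://host[:port] as the browser sees it. SERVER_PORT is the port PHP's
 * own listener is bound to (15133 in the thread); the public port is only
 * known from the proxy's X-Forwarded-* headers, which are honored solely when
 * REMOTE_ADDR is a proxy we trust, so a client cannot spoof its own origin.
 */
function externalHost(array $server, array $trustedProxies): string
{
    $https = isset($server['HTTPS']) && $server['HTTPS'] !== 'off' && $server['HTTPS'] !== '';
    $host  = $server['SERVER_NAME'] ?? 'localhost';
    $port  = (int) ($server['SERVER_PORT'] ?? ($https ? 443 : 80));

    if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
            $https = strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
            $port  = $https ? 443 : 80;   // scheme default unless the proxy says otherwise
        }
        if (isset($server['HTTP_X_FORWARDED_PORT'])) {
            $port = (int) $server['HTTP_X_FORWARDED_PORT'];
        }
        if (isset($server['HTTP_X_FORWARDED_HOST'])) {
            $host = $server['HTTP_X_FORWARDED_HOST'];
        }
    }
    $default = $https ? 443 : 80;
    return ($https ? 'https' : 'http') . '://' . $host . ($port === $default ? '' : ':' . $port);
}

/** Absolute URL of the current request: external host part plus REQUEST_URI. */
function externalSelfUrl(array $server, array $trustedProxies): string
{
    return externalHost($server, $trustedProxies) . ($server['REQUEST_URI'] ?? '/');
}

/**
 * Allow-list check: the URL's host must be our own host or be listed. A
 * non-standard port is part of the key (host:port), so "host:15133" is
 * rejected unless listed explicitly, which is the shape of the first error
 * in the thread. Hosts are compared after parsing, never by string prefix,
 * so "trusted.example.com.evil.net" cannot pass as "trusted.example.com".
 */
function urlAllowed(string $url, string $selfHost, array $trustedDomains): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['host'], $p['scheme'])) {
        return false;   // relative or unparsable: refuse rather than guess
    }
    $key = strtolower($p['host']);
    $standard = ($p['scheme'] === 'https') ? 443 : 80;
    if (isset($p['port']) && $p['port'] !== $standard) {
        $key .= ':' . $p['port'];
    }
    $self = strtolower(preg_replace('#^https?://#', '', $selfHost));
    return $key === $self || in_array($key, array_map('strtolower', $trustedDomains), true);
}

/**
 * SAML 2.0 Response Destination check: the value the IdP signed must equal
 * the absolute URL the ACS was actually reached at. Both sides must be
 * absolute; a path-only "current URL" (the second error in the thread) can
 * never match and has to be fixed at the source, not patched with str_replace,
 * because the check is what stops a response minted for one endpoint from
 * being replayed at another.
 */
function destinationMatches(string $destination, string $currentUrl): bool
{
    foreach ([$destination, $currentUrl] as $u) {
        if (parse_url($u, PHP_URL_HOST) === null) {
            return false;
        }
    }
    return rtrim($destination, '/') === rtrim($currentUrl, '/');
}

// Constructed request on the thread's hosting setup: TLS terminated by the
// proxy, PHP bound to 15133, proxy forwarding public 443 (constructed data).
$request = [
    'HTTPS'                  => 'on',
    'SERVER_NAME'            => 'dev-example.devportal.apigee.com',
    'SERVER_PORT'            => '15133',
    'REQUEST_URI'            => '/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'REMOTE_ADDR'            => '10.0.0.5',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_PORT'  => '443',
];
$proxies = ['10.0.0.5'];                          // assumed proxy address
$trusted = ['dev-example.devportal.apigee.com'];  // analogue of trusted.url.domains
$acs = 'https://dev-example.devportal.apigee.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp';

$naiveHost = 'https://' . $request['SERVER_NAME'] . ':' . $request['SERVER_PORT'];
$goodHost  = externalHost($request, $proxies);
var_dump(urlAllowed($naiveHost . '/simplesaml/', $goodHost, $trusted));   // self URL built from SERVER_PORT
var_dump(urlAllowed($goodHost . '/simplesaml/', $goodHost, $trusted));    // proxy-aware self URL
var_dump(destinationMatches($acs, $request['REQUEST_URI']));              // path-only current URL
var_dump(destinationMatches($acs, externalSelfUrl($request, $proxies)));  // absolute current URL
```

Run with `php example.php`. The URL built from SERVER_PORT carries `:15133` and is refused by the allow-list, and the path-only current URL is refused by the Destination check; the two proxy-aware values pass. The practical lesson is the same as the accepted answer's, done without editing library code: make the application aware of the public scheme, host and port (an absolute base URL, or forwarded headers trusted only from the proxy), and leave the allow-list and Destination checks intact, since both are the guards against open redirects and cross-endpoint replay.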


Hi,

Thanks a lot, @apickelsimer1, for your time.

It did resolve the exception thrown when trying to log in as administrator.

But this problem persists: my exception in the reply above to @Gitesh Koli.

Thanks

Dharma