Hello,
currently i’m trying to implement saml. First challenge was nextcloud, with the provided guide it was no problem. But i have problems to do a simple login to the univention portal. When i try to do a sso i get the following error:
The debug log of simplesamlphp shows the follwing:
Dec 03 21:08:28 simplesamlphp NOTICE STAT [a0379a9545] User 'administrator' successfully authenticated from 10.10.1.80
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] Deleting state: '_b5555fea62954e48aa79cb685b81ccd6a2e1b4b7d8'
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] Session: doLogin("univention-ldap")
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] Session: Valid session found with 'univention-ldap'.
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] Session: Valid session found with 'univention-ldap'.
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] Filter config for https://ucs-sso.local.net/simplesamlphp/saml2/idp/metadata.php->https://srv-master.local.net/univention/saml/metadata: array ( 0 => sspmod_authorize_Auth_Process_Authorize::__set_state(array( 'deny' => false, 'regex' => false, 'valid_attribute_values' => array ( 'enabledServiceProviderIdentifier' => array ( 0 => 'SAMLServiceProviderIdentifier=https://srv-master.local.net/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=hiller,dc=intranet', ), 'memberOf' => array ( 0 => 'False', ), ), 'case_insensitive_attributes' => array ( 0 => 'memberof', 1 => 'enabledserviceprovideridentifier', ), 'priority' => 10, )), 1 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 30, )), 2 => sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array( 'attribute' => 'realm', 'typeTag' => 'saml20-idp-SSO', 'skipPassive' => false, 'priority' => 45, )), 3 => sspmod_core_Auth_Process_AttributeLimit::__set_state(array( 'allowedAttributes' => array ( ), 'isDefault' => false, 'priority' => 50, )), 4 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 99, )),)
Dec 03 21:08:28 simplesamlphp NOTICE STAT [a0379a9545] saml20-idp-SSO-first https://srv-master.local.net/univention/saml/metadata https://ucs-sso.local.net/simplesamlphp/saml2/idp/metadata.php NA
Dec 03 21:08:28 simplesamlphp NOTICE STAT [a0379a9545] saml20-idp-SSO https://srv-master.local.net/univention/saml/metadata https://ucs-sso.local.net/simplesamlphp/saml2/idp/metadata.php NA
Dec 03 21:08:28 simplesamlphp INFO [a0379a9545] Sending SAML 2.0 Response to 'https://srv-master.local.net/univention/saml/metadata'
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] Sending message:
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d8152eb3d0cd48627044f8d605262157cc2d420e33" Version="2.0" IssueInstant="2022-12-03T20:08:28Z" Destination="https://srv-master.local.net/univention/saml/" InResponseTo="id-24lv904qQB2rrKxnF">
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <saml:Issuer>https://ucs-sso.local.net/simplesamlphp/saml2/idp/metadata.php</saml:Issuer>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:SignedInfo>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:Reference URI="#_d8152eb3d0cd48627044f8d605262157cc2d420e33">
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:Transforms>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] </ds:Transforms>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:DigestValue>GMph0v29K54MpDN+PNxM62jPMJJULV7sZGVEaQRDPdY=</ds:DigestValue>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] </ds:Reference>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] </ds:SignedInfo>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:SignatureValue>MnD5FmYY49Xd2hUjET9g7f4tLfjPA8GdYnVnak1JE8UBxT2ViU8GE+ysV8w/w6Nwg6zVQmFWO0uKDgjRsizlzjQtzH5J45OuexiZqSGHXizzypNyJ08rCcmg0uP8K+TpBqZEDRy/nfmbthpe7ERDLJjxzcjy3TUpYUGX+sidnlOaFDFo0RykdmpxC0pdmYs2oQnkA8hCNN3le/u45AtRdSVrrKlnWpwPm9LZu8WbMhB38NNtr0Lp9TkUDXTj0vEA2Jrdu8rsngwz7wpi2IjSLwNAK7aTouNAUBFvW14Q3ehlFXOFq4r4uNLbFWg+12JmtVKxA6Q0UWVLSOwgj0bfPw==</ds:SignatureValue>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:KeyInfo>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:X509Data>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <ds:X509Certificate>MIIFPzCCBCegAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkRFMQswCQYDVQQHEwJERTEPMA0GA1UEChMGSGlsbGVyMSQwIgYDVQQLExtVbml2ZW50aW9uIENvcnBvcmF0ZSBTZXJ2ZXIxOjA4BgNVBAMTMVVuaXZlbnRpb24gQ29ycG9yYXRlIFNlcnZlciBSb290IENBIChJRD1rTDVXak82QykxIjAgBgkqhkiG9w0BCQEWE3NzbEBoaWxsZXIuaW50cmFuZXQwHhcNMTkwMjA5MjA1OTUzWhcNMjQwMjA4MjA1OTUzWjCBpDELMAkGA1UEBhMCREUxCzAJBgNVBAgTAkRFMQswCQYDVQQHEwJERTEPMA0GA1UEChMGSGlsbGVyMSQwIgYDVQQLExtVbml2ZW50aW9uIENvcnBvcmF0ZSBTZXJ2ZXIxIDAeBgNVBAMTF3Vjcy1zc28uaGlsbGVyLmludHJhbmV0MSIwIAYJKoZIhvcNAQkBFhNzc2xAaGlsbGVyLmludHJhbmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1gIf2hzi5WLVegVZ1fXNPW+9B9h6wKiV7QSfqT4pkcLIXBpJ5Zzae220DIC5XaVdjG2arkes5DiaHn/5i9pB1W+Yop/G0bnWJLX8J4GuGwCTa43yhzQpOXomNdLwXBi6J3xv0LcBdNZJGZkddZ1psXz8yeLKwNBUjS41PvneMmc1YVFVYJVr4bu2uWS9RuksSbCvjh2jAeGNmSbrEDPwU1Eg94VB2M37bQFfVypuNsJGUmFe7VBYqwFvbzPzxBUzX6Y/NI0Bv9YRsgVt7apnGS2y0dIDwUHyt4ek3t8urWfo0N6RnPUyoUgAseNpbn5udd9TassWAgKir2zVuYFkIQIDAQABo4IBXjCCAVowCQYDVR0TBAIwADAdBgNVHQ4EFgQUtZyi2WZx47HkFWjagKNU6X8FttAwgfMGA1UdIwSB6zCB6IAU9YbxICQ/KLApzF9M+6ukQjFuCVChgcSkgcEwgb4xCzAJBgNVBAYTAkRFMQswCQYDVQQIEwJERTELMAkGA1UEBxMCREUxDzANBgNVBAoTBkhpbGxlcjEkMCIGA1UECxMbVW5pdmVudGlvbiBDb3Jwb3JhdGUgU2VydmVyMTowOAYDVQQDEzFVbml2ZW50aW9uIENvcnBvcmF0ZSBTZXJ2ZXIgUm9vdCBDQSAoSUQ9a0w1V2pPNkMpMSIwIAYJKoZIhvcNAQkBFhNzc2xAaGlsbGVyLmludHJhbmV0ggkAw9QCa4c1xH8wCwYDVR0PBAQDAgXgMCsGA1UdEQQkMCKCF3Vjcy1zc28uaGlsbGVyLmludHJhbmV0ggd1Y3Mtc3NvMA0GCSqGSIb3DQEBCwUAA4IBAQAt9V4g0KwWuV1NqN62On7jTv4PKGGmBV27tjUsOMuBPy1en4oWVFzkdr08CelQuN6V+aOvors0bHCEzd4SF/x77nEXpnkd4Dzgz+l+JClT4Lzj6uXW4k7VdxYVT/bwO7FkxntKBgvzCHULclPNeDxh3OMgWvUbH2RSj0qoe5/90x/hQ/FRKrStvee6KW2tw/39igcqCUVocEiP4s4BIHxyPVPYv6QV5sevBs2GwVG10VirSxr6pB13EFIyJqGJWB9x7CrS3xBP62FiK4+wQVVhaJHCqju9O1mMyjQf8gSWu5KNtS0pUYaT5T2H/dDKm8lOIQpEE6KgININLGfKkiGh</ds:X509Certificate>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] </ds:X509Data>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] </ds:KeyInfo>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] </ds:Signature>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <samlp:Status>
Dec 03 21:08:28 simplesamlphp DEBUG [a0379a9545] <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
And many more. Can somebody help me? A saml service provider for srv-master.local.net exists. Any ideas?
Thanks.