WSO2 IS and simplesamlphp

Question

I am trying to get the WSO2 Identity Server (4.0.0) to authenticate simplesamlphp (1.10.0) sessions.

The WSO2 IS host is running @ https://sim2:9443/ # IdP server.

The simplesamlphp scripts are running @ http://dellperf1/simplesaml/ # Configured as SP

Configuration

On the the WSO2 end, I have configured an Issuer as follows:

wso2 IS Issuer Configuration

I have configured some users, both by using the "Add User" under configure -> User and Roles and by "Sign Up" function on the WSO2 IS homepage.

I have configured simplesamlphp as follows -

config/authsources.php

entityID matches "Issuer" in the WSO2 config - it's my company name, so I've obscured it.

14         // An authentication source which can authenticate against both SAML 2.0
15         // and Shibboleth 1.3 IdPs.
16         'default-sp' => array(
17                 'saml:SP',
18
19                 // The entity ID of this SP.
20                 // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
21                 'entityID' => '$ISSUER HIDDEN',
22
23                 // The entity ID of the IdP this should SP should contact.
24                 // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
25                 // 'idp' => NULL,
26
27                 // The URL to the discovery service.
28                 // Can be NULL/unset, in which case a builtin discovery service will be used.
29                 // 'discoURL' => NULL,
30                 'privatekey' => 'saml.pem',
31                 'certificate' => 'saml.crt',
32         ),

metadata/saml20-idp-remote.php

93 /*
94  * $MY IdP
95  */
96
97 $metadata['https://sim2.FQDN:9443'] = array(
98         'name' => array(
99                 'en' => '$company IdP test server',
100         ),
101         'description'          => 'WSO2 ID Server',
102         'SingleSignOnService'  => 'https://sim2:9443/samlsso',
103         'SingleLogoutService'  => 'https://sim2:9443/samlsso',
104         //'certFingerprint'      => '04b3b08bce004c27458b3e85b125273e67ef062b'
105         'certFingerprint'      => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d'
106
107 );

Whenever I visit http://dellperf1/simplesaml/ , select the Authentication tab -> Test Authentication sources -> default-sp and select "$company IdP test server", I am correctly redirected to the wso2 server and presented with the "SAML 2.0 based Single Sign-On" page.

This is where I hit problems. I don't seem to be able to authenticate using any user I have created, either using Add User, or Sign up.

I only get the following in the Carbon logs:

[2013-01-29 11:36:57,269]  WARN {org.wso2.carbon.identity.sso.saml.processors.AuthnRequestProcessor} -  Authentication Failure, invalid username or password.

The users are in the default profile, which has the following configured as roles: "identity,everyone".

If I try to log in using the (default) admin:admin password, I seem to be able to authenticate, but simplesamlphp throws an exception:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 /var/simplesamlphp/lib/SAML2/Binding.php:95 (SAML2_Binding::getCurrentBinding)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:11 (require)
0 /var/simplesamlphp/www/module.php:135 (N/A)

I think I am hitting two issues here:

1) The users I am creating are unable to be authenticated using SAML - whereas the admin user can be. Why might this be? Profiles or policy issues?

2) Even if I could authenticate with a users I have created, other than admin, would I get the same Binding backtrace?

I have seen some traffic on the wso mailing lists in December 2012 around the binding WSO2 IS supports - am I fighting a losing battle here?

If simplesamlphp and WSO2 IS won't currently play well together, can someone from the WSO2 crowd suggest a simple method for testing SAML-2.0 against their IS?

Answer 1

If User can not login, it means that you have not configure login permission to that user... Please assign login permission to "everyrole" and check..

I guess one of my friend has tried the simplesamlphp integration with WSO2 Identity server, Please find blog post that he has written from there [1]. I guess this would help you.

[1] http://blog.facilelogin.com/2013/06/wso2-identity-server-saml2-idp-with.html