From: Michał J. <jan...@ma...> - 2017-12-12 14:56:31
Hi,

I have Unity with the SAMLWebIdP and UserHomeUI endpoints configured with 2 authenticators: pwdWeb and samlWebPSNC (some config below). I have 2 entities, one local with a password credential (userA), the second with remote SAML authentication (userB). Both authenticators work correctly for UserHomeUI, as I can log in as the two entities. Both entities are members of the /eduGAIN group (the "SAML" entity got the group automatically by translation profile).

I encounter a problem while signing into a test simplesaml portal using Unity and the samlWebPSNC authenticator (userB):

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
    Backtrace:
    0 /var/simplesamlphp/www/module.php:180 (N/A)
    Caused by: sspmod_saml_Error: Responder: attribute type [memberOf] does not exist
    Backtrace:
    3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
    2 /var/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
    1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
    0 /var/simplesamlphp/www/module.php:137 (N/A)

There is no problem with using pwdWeb (userA): the portal displays attributes. What makes things even stranger, the following sequence also works correctly:

1. click authenticate in simplesamlphp
2. on the Unity login page select password authentication in Unity, provide credentials (userA), click authenticate
3. the "A remote service has requested ..." page is displayed, click "Login as another user"
4. select the SAML IdP on the Unity login page
5. log in to the IdP as userB
6. you get back to simplesaml and the attrs of userB are displayed correctly

Note that the above fails if you skip 2 and 3.

Trying to solve the issue I've played with our translation profile, trying to manually set "memberOf", but with the same result. The Unity log in all cases (correct and incorrect) has no error and claims that "memberOf" was set to the groups the user actually belongs to. The Simplesamlphp logs in the error case contain the error message mentioned above. Still, I expect the problem is on the Unity side, as the displayed error is basically Unity's response. I have Unity 2.3.0 (the same happens on 2.1.0 and 2.2.0). What may be wrong?

Best,
Michal Jankowski

PS. My config is based on Unity's HOWTO (which suggests only a few settings). Contrary to it, the manual suggests that some more settings are mandatory.

unityServer.conf:

    unityServer.core.endpoints.2.endpointType=SAMLWebIdP
    unityServer.core.endpoints.2.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
    unityServer.core.endpoints.2.contextPath=/saml-idp
    unityServer.core.endpoints.2.endpointRealm=defaultRealm
    unityServer.core.endpoints.2.endpointName=UNITY SAML web authentication
    unityServer.core.endpoints.2.endpointAuthenticators=pwdWeb;certWeb;samlWebPSNC;samlWebIPP

saml-webidp.properties:

    unity.saml.issuerURI=https://unity.xxx.psnc.pl
    unity.saml.credential=MAIN
    unity.saml.defaultGroup=/eduGAIN
    unity.saml.spAcceptPolicy=validRequester
    unity.saml.acceptedSP.1.entity=https://xxx.psnc.pl/simplesaml/module.php/saml/sp/metadata.php/default-sp
    unity.saml.acceptedSP.1.returnURL=https://xxx.psnc.pl/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
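An added diagnostic, not code from the original post nor from Unity or SimpleSAMLphp: the "Responder: attribute type [memberOf] does not exist" text above is what SimpleSAMLphp prints when the SAML Response carries a non-Success StatusCode together with the IdP's StatusMessage, so the fastest way to see what the IdP actually sent is to decode the POSTed SAMLResponse and read its Status, Issuer, Destination, Audience and AttributeStatement directly. The issuer, SP entityID and ACS URL below are taken from the config in the post; the two sample responses are constructed (the success one is what the SP should have received for userB). The script does not verify the XML signature, so it is for debugging only and must not be used to accept assertions.

```python
"""Decode a SAML 2.0 Response as posted to an ACS and report what an SP would
object to: non-Success status, wrong Issuer/Destination/Audience, missing attributes.
Added example with constructed sample data; signature verification is deliberately
out of scope, so use it to diagnose, never to accept an assertion."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the saml-webidp.properties quoted in the post.
IDP_ISSUER = "https://unity.xxx.psnc.pl"
SP_ENTITY = "https://xxx.psnc.pl/simplesaml/module.php/saml/sp/metadata.php/default-sp"
SP_ACS = "https://xxx.psnc.pl/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"


def _envelope(inner):
    # Constructed Response skeleton with the Destination and Issuer the post's config implies.
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        f'IssueInstant="2017-12-12T14:00:00Z" Destination="{SP_ACS}">'
        f'<saml:Issuer>{IDP_ISSUER}</saml:Issuer>{inner}</samlp:Response>'
    )


# Constructed: an error response carrying the StatusMessage quoted in the post.
ERROR_RESPONSE_XML = _envelope(
    '<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    '<samlp:StatusMessage>attribute type [memberOf] does not exist</samlp:StatusMessage>'
    '</samlp:Status>')

# Constructed: the success response the SP should have received for userB.
SUCCESS_RESPONSE_XML = _envelope(
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-12-12T14:00:00Z">'
    f'<saml:Issuer>{IDP_ISSUER}</saml:Issuer>'
    f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="memberOf"><saml:AttributeValue>/eduGAIN</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="cn"><saml:AttributeValue>userB</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion>')

# The HTTP-POST binding sends the XML base64-encoded (no DEFLATE) in the SAMLResponse field.
SUCCESS_POST_VALUE = base64.b64encode(SUCCESS_RESPONSE_XML.encode()).decode()


def decode_saml_response(post_value):
    """Turn the SAMLResponse form value back into XML text."""
    return base64.b64decode(post_value).decode("utf-8")


def inspect_response(xml_text, expected_issuer=IDP_ISSUER, expected_acs=SP_ACS,
                     expected_audience=SP_ENTITY):
    """Return a dict describing the response and the checks an SP would fail it on."""
    # stdlib ElementTree does not resolve external entities, so XXE payloads in a
    # hostile response fail to parse instead of reading local files.
    root = ET.fromstring(xml_text)
    report = {"issues": []}

    report["issuer"] = root.findtext("saml:Issuer", namespaces=NS)
    if report["issuer"] != expected_issuer:
        report["issues"].append(f"Issuer {report['issuer']!r} is not {expected_issuer!r}")

    report["destination"] = root.get("Destination")
    if report["destination"] != expected_acs:
        report["issues"].append(f"Destination {report['destination']!r} is not the SP ACS {expected_acs!r}")

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    report["status"] = code.get("Value").rsplit(":", 1)[-1] if code is not None else None
    report["status_message"] = root.findtext("samlp:Status/samlp:StatusMessage", namespaces=NS)
    if report["status"] != "Success":
        # This is exactly the pair SimpleSAMLphp shows as "<code>: <message>".
        report["issues"].append(f"IdP answered {report['status']}: {report['status_message']}")

    audiences = [a.text for a in root.iterfind(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if report["status"] == "Success" and expected_audience not in audiences:
        report["issues"].append(f"Audience {audiences!r} does not include {expected_audience!r}")

    report["attributes"] = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    return report


def missing_attributes(report, required):
    """Names the SP requires that the assertion did not carry."""
    return [name for name in required if name not in report["attributes"]]


if __name__ == "__main__":
    for label, xml_text in (("error", ERROR_RESPONSE_XML),
                            ("success", decode_saml_response(SUCCESS_POST_VALUE))):
        r = inspect_response(xml_text)
        print(label, r["status"], r["attributes"], r["issues"])
```

To use it on a real failure, copy the SAMLResponse form field from the browser's network tab at the saml2-acs.php request and pass it through decode_saml_response before inspect_response; an error status with a StatusMessage confirms the rejection came from the IdP side rather than from the SP's attribute handling, while a Success status with an empty issues list but a missing name in missing_attributes points at the SP's own attribute configuration.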