From: Krzysztof B. <kb...@un...> - 2017-12-13 09:32:55

Hi Michał,

On 12.12.2017 at 15:39, Michał Jankowski wrote:
> Hi,
>
> I have the Unity with SAMLWebIdP and UserHomeUI endpoints configured
> with 2 authenticators: pwdWeb and samlWebPSNC (some config below). I
> have 2 entities, one local with password credential (userA), the second
> with remote SAML authentication (userB). Both authenticators work
> correctly for UserHomeUI, as I can log in as the two entities. Both
> entities are members of the /eduGAIN group (the "SAML" entity got the group
> automatically by translation profile).
>
> I encounter a problem while signing into a test simplesaml portal using
> Unity and the samlWebPSNC authenticator (userB):
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 0 /var/simplesamlphp/www/module.php:180 (N/A)
> Caused by: sspmod_saml_Error: Responder: attribute type [memberOf] does not exist
> Backtrace:
> 3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
> 2 /var/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
> 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
> 0 /var/simplesamlphp/www/module.php:137 (N/A)
>
> There is no problem with using pwdWeb (userA) - the portal displays
> the attributes.
>
> What makes things even stranger, the following sequence also works
> correctly:
>
> 1. click authenticate in simplesamlphp
> 2. on the Unity login page select password authentication in Unity, provide
>    credentials (userA), click authenticate
> 3. the "A remote service has requested ..." page is displayed, click "Login
>    as another user"
> 4. select the SAML IdP on the Unity login page
> 5. log in to the IdP as userB
> 6. you get back to simplesaml and the attrs of userB are displayed
>    correctly
>
> Note that the above fails if you skip 2 and 3.
>
> Trying to solve the issue I've played with our translation profile,
> trying to manually set "memberOf", but with the same result.
>
> The Unity log in all cases (correct and incorrect) has no error and claims
> that "memberOf" was set to the groups the user actually belongs to.
> The simplesamlphp logs in the error case contain the error message
> mentioned above. Still, I expect the problem is on the Unity side, as the
> displayed error is basically the Unity response.
>
> I have Unity 2.3.0 (the same happens on 2.1.0 and 2.2.0).
>
> What may be wrong?

So, to put the problem in a short way: the memberOf attribute is expected
on the SP but in some cases it is not there? I'd try to enable DEBUG
logging on unity.server.externaltranslation (and SAML) and check what
precisely happens.

Cheers,
Krzysztof
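Added diagnostic aid, not part of this thread and not code from Unity or simplesamlphp: a small Python script that decodes the SAMLResponse parameter the SP receives and reports the response status plus every asserted attribute, so one can see directly whether memberOf is in the assertion or whether the IdP returned a Responder status with a message instead. The two embedded responses are constructed samples; the issuer URL, IDs and group values are placeholders, and the StatusMessage text only mirrors the error quoted above.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample responses (NOT captured from Unity). The issuer URL, IDs
# and groups are placeholders; the StatusMessage mirrors the error in the thread.
_OK_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2017-12-12T14:39:00Z">
  <saml:Issuer>https://unity.example.org/saml-idp/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2017-12-12T14:39:00Z">
    <saml:Issuer>https://unity.example.org/saml-idp/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>userB</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>/</saml:AttributeValue>
        <saml:AttributeValue>/eduGAIN</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="cn">
        <saml:AttributeValue>User B</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

_ERR_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp2" Version="2.0" IssueInstant="2017-12-12T14:40:00Z">
  <saml:Issuer>https://unity.example.org/saml-idp/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <samlp:StatusMessage>attribute type [memberOf] does not exist</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

# What the SP's ACS endpoint actually receives under the HTTP-POST binding.
OK_SAMLRESPONSE = base64.b64encode(_OK_XML.encode()).decode()
ERR_SAMLRESPONSE = base64.b64encode(_ERR_XML.encode()).decode()


def encode_redirect_binding(xml_text):
    """Encode XML as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml_response(raw):
    """Base64-decode a SAMLResponse parameter. HTTP-POST carries plain XML;
    HTTP-Redirect carries raw-DEFLATE-compressed XML, so inflate when needed."""
    data = base64.b64decode(raw)
    if data.lstrip().startswith(b"<"):
        return data
    return zlib.decompress(data, -15)  # -15: raw DEFLATE stream, no zlib header


def inspect_response(xml_bytes):
    """Return the top-level status and every asserted attribute (name -> values)."""
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status", NS)
    codes = [c.get("Value") for c in status.iter("{%s}StatusCode" % NS["samlp"])]
    msg = status.find("samlp:StatusMessage", NS)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "success": bool(codes) and codes[0].endswith(":Success"),
        "status_codes": codes,
        "status_message": msg.text if msg is not None else None,
        "attributes": attrs,
    }


def missing_attributes(report, required):
    """Names from `required` that the IdP did not assert in this response."""
    return sorted(set(required) - set(report["attributes"]))


if __name__ == "__main__":
    for label, raw in (("success sample", OK_SAMLRESPONSE), ("failure sample", ERR_SAMLRESPONSE)):
        report = inspect_response(decode_saml_response(raw))
        print(label, report["status_codes"], report["status_message"])
        print("  attributes:", report["attributes"])
        print("  missing:", missing_attributes(report, ["memberOf"]))
```

To use it on a real exchange, copy the SAMLResponse form field from the browser's network view of the POST to saml2-acs.php and pass it to decode_saml_response. The script only reads the message; it does not verify the XML signature, and the stdlib ElementTree parser should be swapped for defusedxml when the input is untrusted.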