Tags: php, linux, single-sign-on, saml, simplesamlphp

simpleSAMLphp SP metadata returning entityID of http instead of expected https


I've currently got a simplesamlphp installation as a service provider on a CentOS server. I have the config/authsources.php defined as follows:

'default-sp' => array(
    'saml:SP',
    // null: simpleSAMLphp derives the entityID from the URL of the current request
    'entityID' => null,
),

When I access the /saml/ url via https and navigate to the 'Federation' tab, ie: https://my.sp/saml/module.php/core/frontpage_federation.php

I notice that the Entity ID returned is 'http' rather than 'https' (I would expect this to be https). It shows the following:

SAML 2.0 SP Metadata
Entity ID: http://my.sp/saml/module.php/saml/sp/metadata.php/default-sp
default-sp
[ Show metadata ]

When I then click the 'Show metadata' link to access the URL https://my.sp/saml/module.php/saml/sp/metadata.php/default-sp?output=xhtml (noting that url is correctly https), the metadata XML again is returning unexpected 'http' urls rather than 'https' urls for the entityID and the Locations. Note the following excerpt from the XML:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://my.sp/saml/module.php/saml/sp/metadata.php/default-sp">
    -- SNIP --
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://my.sp/saml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://my.sp/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://my.sp/saml/module.php/saml/sp/saml1-acs.php/default-sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://my.sp/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://my.sp/saml/module.php/saml/sp/saml1-acs.php/default-sp/artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

This is seemingly causing issues when sharing metadata with the remote IdP. So my question is, why is it returning http rather than https, and is there a way I can resolve this? I have chosen not to hardcode the entityID as I have 2 separate subdomains accessing the single SP, so thought it made sense to allow the currently used url to dictate this (this has worked for other installations). Any help would be appreciated.


Solution

  • Your Entity ID should be https:// in /apps/simplesamlphp/config/authsources.php, and the reason why the metadata XML is again returning unexpected http URLs rather than https URLs for the entityID and the Locations is because you may not have generated certificates; you will have to create a self-signed certificate in the cert/ directory, if not already created.

    I had the same situation while using the auth_saml2 plugin in Moodle. When I installed and configured simpleSAMLphp on my CentOS box by following the link https://simplesamlphp.org/docs/stable/simplesamlphp-sp, the Federation tab showed the SP metadata returning https://; however, when I used the same plugin for the Moodle application, the SP metadata was returning http:// rather than https://, so I regenerated the certificate from the auth_saml2 plugin, and then the SP metadata returned https.
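Before handing SP metadata to a remote IdP, it is worth checking mechanically that the entityID and every service Location use https and point at the host you expect, since the question shows how easily a request-derived entityID ends up as a plain-http URL. The following is an added example, not code from the question, the answer, or simpleSAMLphp itself: a small Python checker over a constructed metadata sample shaped like the one in the question (the `my.sp` host and the `expected_hosts` parameter are assumptions for illustration).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample metadata, shaped like the excerpt in the question
# (namespace and paths follow simpleSAMLphp's defaults; the host is made up).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://my.sp/saml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://my.sp/saml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://my.sp/saml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def find_insecure_endpoints(metadata_xml, expected_hosts=None):
    """Return a list of (element, attribute, url, reason) for every entityID or
    Location in the SP metadata that is not https, or (when expected_hosts is
    given, an assumed parameter) whose hostname is not one of the expected SP hosts."""
    root = ET.fromstring(metadata_xml)
    findings = []

    def check(element, attribute, url):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append((element, attribute, url, "scheme is not https"))
        elif expected_hosts is not None and parsed.hostname not in expected_hosts:
            findings.append((element, attribute, url, "unexpected host"))

    # The entityID is an attribute of the root EntityDescriptor element.
    check("EntityDescriptor", "entityID", root.get("entityID", ""))

    # Every endpoint (SLO, ACS, ...) carries its URL in a Location attribute;
    # strip the {namespace} prefix so the local tag name is reported.
    for element in root.iter():
        location = element.get("Location")
        if location is not None:
            local_name = element.tag.split("}")[-1]
            check(local_name, "Location", location)
    return findings


def metadata_is_safe_to_share(metadata_xml, expected_hosts=None):
    """True when no entityID or Location would be published as plain http
    (or on an unexpected host)."""
    return not find_insecure_endpoints(metadata_xml, expected_hosts)


if __name__ == "__main__":
    for element, attribute, url, reason in find_insecure_endpoints(SAMPLE_METADATA, {"my.sp"}):
        print(f"{element}/@{attribute}: {url} ({reason})")
    print("safe to share:", metadata_is_safe_to_share(SAMPLE_METADATA, {"my.sp"}))
```

Run against the sample, the checker flags the entityID and both Location attributes as non-https; once the SP is fixed (or the entityID is pinned in authsources.php) the same check returns an empty list, which makes it a cheap gate to run before the metadata is exchanged with the IdP.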