php, azure-active-directory, saml, simplesamlphp

simpleSAMLphp and Azure gives me "AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application"


I am a novice for Azure SSO so I might have missed some obvious things here - please have that in mind ;-)

I need to integrate my application with Azure Active Directory. There is not much help to get in our organisation for that, so I am left to myself to find the problem here :-/ My exact problem is that when I log in, I get this error from Azure:

AADSTS50011: The reply URL specified in the request does not match the 
reply URLs configured for the application: 'https://192.168.0.1/secure/'.

I have of course searched for how to solve this myself but I didn't find anything that could get me any closer.

I have this setup:

  • IIS
  • PHP
  • simpleSAMLphp
  • Azure AD

I have not set up, nor do I have access to, the Azure part, as this was set up by our IT guys, but they have set up this:

Basic SAML Configuration

Identifier (Entity ID)                      : https://192.168.0.1/secure/
Reply URL (Assertion Consumer Service URL)  : https://192.168.0.1/secure/
Sign on URL                                 : Optional
Relay State                                 : Optional
Logout URL                                  : Optional

I have received a federation XML file from Azure and have converted/populated that into the simpleSAMLphp file \metadata\saml20-idp-remote.php

I have set up the \config\authsources.php file:

'entityID'                   => "https://192.168.0.1/secure/",
'idp'                        => "https://sts.windows.net/06dg12k9-1wl2-4mue-79gh-40ff1a8dnd4a/",
'NameIDFormat'               => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'simplesaml.nameidattribute' => 'eduPersonTargetedID',

Everything has been configured with this guide in mind, https://www.lewisroberts.com/2015/09/05/single-sign-on-to-azure-ad-using-simplesamlphp/

When I launch https://192.168.0.1/simpleSAMLphp/www/, go to Authentication and Test configured authentication sources, and test with default-sp, then I do get an Azure login screen. If I view the URL for that, it looks like this:

https://login.microsoftonline.com/0ad94219-6af5-474e-99d0-60f9188f3fce/saml2
    ?SAMLRequest=f[CUT]2Fy%2Fi%2Bjc%3D
    &RelayState=https%3A%2F%2F192.168.0.1%2FsimpleSAMLphp%2Fwww%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Ddefault-sp

I assume the RelayState is where the request comes from on my server. I have tried to set up the Entity ID and Reply URL in Azure to be https://192.168.0.1/simpleSAMLphp/www/module.php/core/authenticate.php?as=default-sp but with the same result.

So I have provided everything I know here, but I am really blank on how to fix this problem. Do I need to configure a Reply URL in simpleSAMLphp so it is passed as a URL parameter?

Any help would really be appreciated.


### UPDATE 1 - another problem ###

After reviewing the logfile from simpleSAMLphp, it showed what was sent to Azure:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_25e3fb2" Version="2.0"  Destination="https://login.microsoftonline.com/088f3fce/saml2" AssertionConsumerServiceURL="https://192.168.0.1/simpleSAMLphp/www/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>https://192.168.0.1/simpleSAMLphp/www/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
</samlp:AuthnRequest>

I then took the AssertionConsumerServiceURL from there and used that as the Reply URL in Azure. I also took the Entity ID from the simpleSAMLphp Federation page, and now the simpleSAMLphp demo page works :-)

So my Azure setup now looks like this:

Basic SAML Configuration

Identifier (Entity ID)                      : https://192.168.0.1/simpleSAMLphp/www/module.php/saml/sp/metadata.php/default-sp
Reply URL (Assertion Consumer Service URL)  : https://192.168.0.1/simpleSAMLphp/www/module.php/saml/sp/saml2-acs.php/default-sp
Sign on URL                                 : Optional
Relay State                                 : Optional
Logout URL                                  : Optional

(note the difference in the URL)

However I sadly still have problems. When I have a PHP file in my web scope with this content:

<?php
// Load the simpleSAMLphp autoloader (path relative to this file) and
// require a login through the 'default-sp' authsource; an unauthenticated
// user is redirected to Azure and then back to this page.
require_once("../../simpleSAMLphp/lib/_autoload.php");
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->requireAuth();

// Attributes released by Azure in the SAML assertion
$attributes = $as->getAttributes();

echo '<pre>';
print_r($attributes);
echo '</pre>';

// Get a logout URL
$url = $as->getLogoutURL();
echo '<a href="' . htmlspecialchars($url) . '">Logout</a>';

?>

Then it ends up in an infinite loop redirecting between my server and Azure!? Viewing the log provides no major insight for me. It seems that I do receive data from Azure and that I am authenticated, as I can see the user attributes in the debug log, but ... if I am authenticated, then why am I redirected back to Azure!?


### UPDATE 2 - solution ###

After a few more hours of looking in the simpleSAMLphp logfile and cleaning out the WARNINGS (they are actually important), I found out that my infinite redirection was caused by a mismatch between the PHP sessions and the simpleSAMLphp sessions.

My solution was to align the two and have the exact same settings in all places. Make sure to check the php.ini session settings and the \config\config.php session settings and make them identical.

Also, I found out that the PHP source code I have used is for an older version of simpleSAMLphp, though I don't think that was the problem.

Instead of this old method: $as = new SimpleSAML_Auth_Simple('default-sp');

Then it should be this new method: $as = new \SimpleSAML\Auth\Simple('default-sp');
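The session mismatch from UPDATE 2 can be checked mechanically. The script below is an added example, not code from the question or from simpleSAMLphp: it reads the PHP session settings the application runs under with ini_get and compares them with the session entries of simpleSAMLphp's config/config.php, listing every pair that differs. The config.php key names and their pairing with php.ini directives are assumed from the SimpleSAMLphp 1.x config template, and the $config array is a constructed sample.

```php
<?php
// Added diagnostic (not from the question or from simpleSAMLphp): compare the PHP
// session settings in php.ini (read with ini_get) with the session settings in
// simpleSAMLphp's config/config.php. Key names are assumed from the 1.x template.

// Constructed sample of the relevant config.php entries; for a real check use
// $config = require '/path/to/simpleSAMLphp/config/config.php';
$config = [
    'session.phpsession.cookiename' => 'SimpleSAML',
    'session.phpsession.savepath'   => null,   // null means "use the php.ini value"
    'session.phpsession.httponly'   => true,
    'session.cookie.lifetime'       => 0,
    'session.cookie.path'           => '/',
    'session.cookie.domain'         => null,
    'session.cookie.secure'         => true,
];

// Assumed pairing of config.php key -> php.ini directive for the phpsession store.
const SESSION_PAIRS = [
    'session.phpsession.cookiename' => 'session.name',
    'session.phpsession.savepath'   => 'session.save_path',
    'session.phpsession.httponly'   => 'session.cookie_httponly',
    'session.cookie.lifetime'       => 'session.cookie_lifetime',
    'session.cookie.path'           => 'session.cookie_path',
    'session.cookie.domain'         => 'session.cookie_domain',
    'session.cookie.secure'         => 'session.cookie_secure',
];

// Bring both sides to a comparable string: booleans and "0"/"1"/"On"/"Off" become '1'/'0'.
function normalizeSetting($value): string
{
    if (is_bool($value)) { return $value ? '1' : '0'; }
    $asBool = filter_var((string) $value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    return $asBool === null ? (string) $value : ($asBool ? '1' : '0');
}

function findSessionMismatches(array $config): array
{
    $mismatches = [];
    foreach (SESSION_PAIRS as $configKey => $iniKey) {
        // A null config.php value inherits php.ini, so there is nothing to compare.
        if (!array_key_exists($configKey, $config) || $config[$configKey] === null) { continue; }
        $fromConfig = normalizeSetting($config[$configKey]);
        $fromIni    = normalizeSetting((string) ini_get($iniKey));
        if ($fromConfig !== $fromIni) {
            $mismatches[$configKey] = ['config.php' => $fromConfig, "php.ini ($iniKey)" => $fromIni];
        }
    }
    return $mismatches;
}

print_r(findSessionMismatches($config));
```

Run it with the same php.ini the web server uses (php-cli may load a different one), and an empty result means the two session configurations agree on the compared keys.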


Solution

  • RelayState is just a parameter that is echoed back to your SP as-is. It can be used to store the page url the user tried to access before authentication, for example.

    If you're using SAML2, the replyURL should be your AssertionConsumerService URL in your SP metadata. Azure will send the SAML Response there. If that URL differs from https://192.168.0.1/secure/ you will get that error. Even a missing trailing / will cause the error.
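The exact-match rule from this answer, and the AuthnRequest logged in UPDATE 1, can be turned into a check. The script below is an added example, not code from the question, the answer or simpleSAMLphp: it parses a logged AuthnRequest, extracts AssertionConsumerServiceURL and Issuer, and compares them byte-for-byte with the Reply URL and Entity ID registered in Azure, calling out the trailing-slash case separately. The XML is a constructed sample modelled on the one in UPDATE 1, with the tenant id replaced by a placeholder.

```php
<?php
// Added diagnostic (not from the question or from simpleSAMLphp): parse a logged
// AuthnRequest and compare its AssertionConsumerServiceURL and Issuer with the
// Reply URL(s) and Entity ID registered in Azure AD. Matching is exact, so a path
// difference or a missing trailing slash is reported, which is what AADSTS50011 means.

// Constructed sample modelled on the AuthnRequest from UPDATE 1; tenant id is a placeholder.
$authnRequestXml = <<<'XML'
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_25e3fb2" Version="2.0"
    Destination="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
    AssertionConsumerServiceURL="https://192.168.0.1/simpleSAMLphp/www/module.php/saml/sp/saml2-acs.php/default-sp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://192.168.0.1/simpleSAMLphp/www/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
</samlp:AuthnRequest>
XML;

// Values from the first Azure "Basic SAML Configuration" in the question.
$azureEntityId  = 'https://192.168.0.1/secure/';
$azureReplyUrls = ['https://192.168.0.1/secure/'];

function checkAuthnRequestAgainstAzure(string $xml, string $entityId, array $replyUrls): array
{
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml)) {
        return ['AuthnRequest is not well-formed XML'];
    }
    $acs    = $doc->documentElement->getAttribute('AssertionConsumerServiceURL');
    $nodes  = $doc->getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'Issuer');
    $issuer = $nodes->length > 0 ? trim($nodes->item(0)->textContent) : '';

    $problems = [];
    if (!in_array($acs, $replyUrls, true)) {
        $problems[] = "Reply URL mismatch: request ACS '$acs' is not in [" . implode(', ', $replyUrls) . ']';
        foreach ($replyUrls as $url) {           // call out the trailing-slash case explicitly
            if (rtrim($url, '/') === rtrim($acs, '/')) {
                $problems[] = "Only a trailing slash differs between '$url' and '$acs'";
            }
        }
    }
    if ($issuer !== $entityId) {
        $problems[] = "Entity ID mismatch: request Issuer '$issuer' vs Azure '$entityId'";
    }
    return $problems;
}

foreach (checkAuthnRequestAgainstAzure($authnRequestXml, $azureEntityId, $azureReplyUrls) as $p) {
    echo $p, PHP_EOL;
}
```

With the corrected Azure values from UPDATE 1 substituted for $azureEntityId and $azureReplyUrls, the function returns an empty array.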