1
votes

I have a PingFederate IdP set up and I want to enable SSO to my SimpleSAMLphp based SP. The PingFederate configuration requires SAML requests to be sent with POST bindings, as well as the LogoutRequest as a POST request. SimpleSAML sends SAML requests to the SingleSignOnService in the default HTTP-Redirect binding. I tried changing the binding of the IdP in saml20-idp-remote.php in the following way:

'SingleSignOnService' => array(
    0 => array(
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'Location' => 'https://myidp.com'
    ),
),

When I try to test the authentication, after selecting the IdP, I get the following error:

Exception during login:
Exception: saml20-idp-remote/'stagingsp'['SingleSignOnService']:Could not find a supported SingleSignOnService endpoint.

Am I not setting the correct binding, or am I doing it in an incorrect way? Is some configuration required in the SP metadata?

1
Did you edit that binding manually? If yes, you shouldn't (saml20-idp-remote.php is the file where parsed metadata from the IdP lands). - Karol Flis

1 Answer

0
votes

Did you exchange metadata between the parties? This is meant to work as two-way communication. You have to exchange metadata (i.e. as .xml files) between the IdP and the SP.

Generally it should look like this:
- Generate the metadata file (in PingFederate/IdP) and send it to the SP.
- The SP registers that metadata file.
- The SP generates its own metadata file and sends it to the IdP.
- The IdP registers the metadata from the SP.

This way both parties know about each other and know each other's SingleSignOn and SingleLogout URLs.
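The IdP-to-SP half of the exchange described in the answer, as an added example that is not part of the original question or answer and is not SimpleSAMLphp or PingFederate code: a Python script that parses an IdP metadata document into the endpoint lists a saml20-idp-remote.php entry carries, picks the first endpoint whose binding the SP supports, and shows the condition behind the error in the question, namely that none of the IdP's advertised bindings is in the SP's supported list. The metadata document, its entity ID, URLs and certificate value are constructed for illustration, and the rendered PHP fragment is modelled on the key names the question itself uses.

```python
"""Parse SAML 2.0 IdP metadata into the endpoint lists an SP needs.

Added example for this thread; not code from the original question or
answer, and not part of SimpleSAMLphp or PingFederate. The metadata below,
its entity ID, URLs and certificate value are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: SSO advertised over both bindings, SLO over HTTP-POST only.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://myidp.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertificateDataOnly</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myidp.com/idp/SLO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myidp.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://myidp.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return a dict keyed like a saml20-idp-remote.php entry."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoints(tag):
        return [{"Binding": e.get("Binding"), "Location": e.get("Location")}
                for e in idp.findall(tag, NS)]

    # The signing certificate is what the SP will later trust to verify
    # signed responses; strip the PEM line wrapping into one base64 string.
    certs = [
        "".join((c.text or "").split())
        for c in idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    return {
        "entityid": root.get("entityID"),
        "SingleSignOnService": endpoints("md:SingleSignOnService"),
        "SingleLogoutService": endpoints("md:SingleLogoutService"),
        "certData": certs[0] if certs else None,
    }


def pick_endpoint(endpoints, supported_bindings):
    """First endpoint whose binding the SP supports, in the SP's order of
    preference. None means no usable endpoint: the situation behind a
    'Could not find a supported SingleSignOnService endpoint' error."""
    for binding in supported_bindings:
        for ep in endpoints:
            if ep["Binding"] == binding:
                return ep
    return None


def to_php_array(entry):
    """Render the parsed entry as a saml20-idp-remote.php fragment."""
    def q(s):
        return "'" + str(s).replace("\\", "\\\\").replace("'", "\\'") + "'"

    def ep_list(items):
        return "".join(
            "        array('Binding' => %s, 'Location' => %s),\n"
            % (q(e["Binding"]), q(e["Location"])) for e in items)

    return (
        "$metadata[%s] = array(\n"
        "    'entityid' => %s,\n"
        "    'SingleSignOnService' => array(\n%s    ),\n"
        "    'SingleLogoutService' => array(\n%s    ),\n"
        "    'certData' => %s,\n"
        ");\n"
    ) % (q(entry["entityid"]), q(entry["entityid"]),
         ep_list(entry["SingleSignOnService"]),
         ep_list(entry["SingleLogoutService"]),
         q(entry["certData"]))


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(to_php_array(meta))
    # An SP that only speaks HTTP-Redirect for logout finds nothing usable here.
    print(pick_endpoint(meta["SingleLogoutService"], [BINDING_REDIRECT]))
```

Two practical notes. The certificate carried in the metadata becomes the SP's trust anchor for everything the IdP signs, so the file has to come from the IdP operator over a channel you trust, and its fingerprint is worth confirming out of band; hand-editing the endpoint list, as the comment above warns, bypasses exactly this exchange. And when the metadata comes from a source you do not control, parse it with a hardened XML library such as defusedxml rather than xml.etree directly.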