dmirandaa / moodle-auth_saml2sso

Moodle plugin for authentication using a SimpleSAMLphp Service Provider
https://moodle.org/plugins/auth_saml2sso

Infinite redirection to IDP #47

Closed ashutoshkumarmishra560 closed 3 years ago

ashutoshkumarmishra560 commented 3 years ago

Hi,

I have configured my Identity Provider with Moodle 3.8.8 using version 3.9 of this plugin and below is the observation:

  1. Access Moodle.
  2. I get redirected to IDP. I log in to IDP.
  3. SAML token is posted to SimpleSaml and from there it attempts to go to Moodle.
  4. Moodle again redirects to IDP.

Below are my SAML auth request and response:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_e8f00a76734141ab8152ca793fed9bed6183e3def1" Version="2.0" IssueInstant="2021-04-30T08:40:40Z" Destination="http://localhost:8080/CIDSaas_Sprint32/default/user/spsso" AssertionConsumerServiceURL="http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

http://saml.ilantus.com

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:81/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" ID="IDAAS-3BG7kYSr8NJb12vxC33F" InResponseTo="_e8f00a76734141ab8152ca793fed9bed6183e3def1" IssueInstant="2021-04-30T08:40:48.267Z" Version="2.0"

http://issuer.ilantus.com http://issuer.ilantus.com CAzT5T52tg3LlXEoCE4caSTX4SY= Fq9BocT69bsyCOPUpZM7ZCjpJ9NpSBVhTFFXUSYBXSYF4RPhOc7kA5+1jDarpF44NC/y3Vwx3ryqWrpg1pkwjxKHj75OH1gObkkq7Jfuk61NPaKqW7DVtE8TbXTtLhsWtm2qo2R/AKa0ZBrdxEhEPvCtfLnQKuT/mToILkBNT0c= http://saml.ilantus.com urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Attaching the Moodle configuration screenshots below (five screenshots, m1 to m5, not reproduced here).

mfprimo commented 3 years ago

Hi, in the request:

AssertionConsumerServiceURL="http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"

but in the response:

Destination="http://localhost:81/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"

(with port 81). Even if it is possible to handle this situation, are you sure SP cookies pass between the http://localhost endpoint and the http://localhost:81 one?
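An added diagnostic for the mismatch pointed out above (example code written for this page, not code from the plugin, from SimpleSAMLphp or from either participant). It parses an AuthnRequest and the Response that answers it, checks that InResponseTo refers to the request ID, and compares the Response's Destination with the request's AssertionConsumerServiceURL component by component. The comparison matters because SAML 2.0 core requires the receiver of a signed message to check that its Destination matches the location the message was received at, and the response in the issue carries a signature. A difference confined to the port, as here, usually means the SP metadata registered at the IdP names a different base URL than the one the SP is currently running under, so the IdP posts the response to an endpoint the SP never asked for. The two sample messages are constructed from the attributes quoted in the issue, with the element bodies cut away; the element and attribute names and the URLs are the ones in the thread, the function names are this example's own.

```python
"""Check an AuthnRequest/Response pair for the endpoint mismatch that
breaks the SSO flow discussed in this issue."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed samples: the attributes quoted in the issue, bodies removed.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS_P}"
    ID="_e8f00a76734141ab8152ca793fed9bed6183e3def1" Version="2.0"
    IssueInstant="2021-04-30T08:40:40Z"
    Destination="http://localhost:8080/CIDSaas_Sprint32/default/user/spsso"
    AssertionConsumerServiceURL="http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>"""

SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS_P}"
    Destination="http://localhost:81/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
    ID="IDAAS-3BG7kYSr8NJb12vxC33F"
    InResponseTo="_e8f00a76734141ab8152ca793fed9bed6183e3def1"
    IssueInstant="2021-04-30T08:40:48.267Z" Version="2.0"/>"""


def parse_saml(xml_text):
    """Return (local element name, attribute dict) of the root element."""
    root = ET.fromstring(xml_text)
    return root.tag.split("}")[-1], dict(root.attrib)


def diff_endpoint(expected, actual):
    """Return the URL components (scheme, host, port, path) on which two
    endpoints differ. Default ports are made explicit so that
    http://localhost and http://localhost:80 compare equal."""
    def parts(url):
        u = urlsplit(url)
        port = u.port or {"http": 80, "https": 443}.get(u.scheme)
        return {"scheme": u.scheme, "host": u.hostname,
                "port": port, "path": u.path}
    a, b = parts(expected), parts(actual)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def check_pair(request_xml, response_xml):
    """Return a list of findings; an empty list means the pair is consistent."""
    req_tag, req = parse_saml(request_xml)
    rsp_tag, rsp = parse_saml(response_xml)
    findings = []
    if req_tag != "AuthnRequest" or rsp_tag != "Response":
        return [f"unexpected elements {req_tag}/{rsp_tag}"]
    # The response must answer this request, not an earlier one.
    if rsp.get("InResponseTo") != req.get("ID"):
        findings.append(
            f"InResponseTo {rsp.get('InResponseTo')!r} does not match "
            f"request ID {req.get('ID')!r}")
    # The IdP must post the response to the ACS the SP actually announced.
    acs = req.get("AssertionConsumerServiceURL")
    dest = rsp.get("Destination")
    if acs and dest and acs != dest:
        diff = diff_endpoint(acs, dest)
        findings.append(
            "Response Destination differs from the request's "
            "AssertionConsumerServiceURL on: "
            + ", ".join(f"{k} {a!r} vs {b!r}" for k, (a, b) in diff.items()))
    return findings


if __name__ == "__main__":
    for line in check_pair(SAMPLE_REQUEST, SAMPLE_RESPONSE) or ["pair is consistent"]:
        print(line)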

ashutoshkumarmishra560 commented 3 years ago

Hi,

Thanks for the prompt reply and for pointing this out. So does it mean that SimpleSAML and Moodle cannot run in separate instances but have to run on the same Apache server? Pardon my ignorance, but I was under the impression that SimpleSAML can exist in its own independent instance, as Moodle comes with its own independent setup.

mfprimo commented 3 years ago

The easiest config is SimpleSAMLphp as a path in the same virtual host of Moodle:

<VirtualHost *:443>
        DocumentRoot /your-moodle-root
        ....
        # SimpleSAMLphp reads its configuration from this directory
        SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/www/simplesamlphp/config
        # serve the SSP web root under /simplesaml of the Moodle host,
        # so Moodle and the SP share one scheme, host and port
        Alias /simplesaml /var/www/simplesamlphp/www
        <Directory /var/www/simplesamlphp/www>
            Require all granted
        </Directory>
</VirtualHost>

with vh-specific ACS/metadata.

You can share an SSP installation and its SP metadata between multiple virtual hosts on the same server, provided cookie domains and paths are consistent.

ashutoshkumarmishra560 commented 3 years ago

I now have both SimpleSAML and Moodle running on the same server (localhost:81) as pointed out, but the observation is the same. After IDP login the flow comes to SimpleSAML, from there it goes to Moodle, and Moodle redirects back to the IDP.

mfprimo commented 3 years ago

Hi, please read closed issues #21, #39, #43, #45 on the same topic: none of them was caused by the plugin; all were caused by a misconfiguration.

Check that:

mfprimo commented 3 years ago

Not a module issue