flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

EntityID when using IDP and SP plugins #34

Closed rtrudel closed 4 years ago

rtrudel commented 5 years ago

Planning to buy both plugins, had to test it first. My plan is to have an identity provider where several services (which will be different SaaS) will share the same user pool.

To reproduce:

I fresh-installed 2 Craft instances in pro trial mode:

dev.auth.mydomain.com, where the SAML Identity Provider plugin is installed
dev.test.mydomain.com, where the SAML Service Provider plugin is installed
No other plugin installed (except Key Chain, which installed automatically of course)

For test purposes, both sites are on the same server, but independent installations.

I configured both, but on my "service provider" site, the Entity ID pulled from the metadata is wrong. (It shows dev.test.mydomain.com instead of dev.auth.mydomain.com, but in the metadata below it shows entityID="https://dev.auth.mydomain.com/".)

Questions:

Thank you

dsmrt commented 5 years ago

Hi!

Quick FYI: the entity ID will default to the base URL, so as long as it wasn't set in the settings (through the CP), by config/saml-sp.php, or by the project config, it will dynamically be set via the base URL.

First off, I assume you are using different DBs for the 2 sites? Or at least different prefixes. Basically, they should use the same DB if possible. I dev the SP and the IdP on a shared file system, but I do a couple of things to make it work. I have both pointing to different DBs.

I'm assuming you set the Entity ID in the settings or in config/saml-sp.php. Check the value there and see if it matches the base URL/host name. I think you can delete the value in the form input to wipe it ... let me know if that doesn't work.

Also, are you using project config? Check the value there and use environment variables if needed. You can also just delete the line that contains the entity ID to reset it to the default.

Let me know if none of this helps and we can go from there.

rtrudel commented 5 years ago

Hi thanks for this answer.

Just to clarify, it's two sites totally independent, different databases, different subdomains, different CPs.

I am not using project config at this point, it's only test environments.

I will try to set the base URL in the CP (in Sites, I guess?). I will also check into config/saml-sp.php; I didn't realize the proper Entity ID could require this, as I thought the Entity ID was parsed out of the XML in the field below.

I will give it a try tomorrow when I'll be back at the office.

I really appreciate your response and I'll keep you informed.

rtrudel commented 5 years ago

I thought it was solved, but it seems not.

I changed the Base URL of the Site (in CP/Sites, and it was already set in .env as DEFAULT_SITE_URL), but the Entity ID of my IdP on my service site is still not pulled from the metadata XML; it still shows its own URL instead.

Did I still miss something?

dsmrt commented 5 years ago

Note that the entity ID is pulled dynamically on save, so you may have to re-save the provider if things aren't lining up correctly.

Go here and see if there's anything configured: /admin/saml-sp/metadata/my-provider. If there's nothing configured, just save/add a new one by hitting save. Then check to see if you see one of the SPs labeled with (My Provider). That means things are working correctly.

If that doesn't work, then you have a setting that needs to be fixed. Use your new environment variable here: /admin/saml-sp/settings and save the settings. Then re-save the provider (/admin/saml-sp/metadata/my-provider).

rtrudel commented 5 years ago

The problem occurs in "Edit Identity Provider (IDP)" at /admin/saml-sp/metadata/2#metadata on the site where the Service Provider plugin is installed.

On the site where the Identity Provider plugin is installed, this seems to be correct.

I tried to re-save both providers, on both sites, just in case, nothing changed.

I don't know if it's a bad configuration on my side, or a problem with one of the plugins (probably on my side), but I think I followed the instructions correctly, or at least I think I understood them.

[screenshot: samltests]

[screenshot: samltest2]

At this point, if you want me to give you access to those 2 sites to have a look at my settings, it can be done. I can also install a log viewer plugin or provide you FTP access. There is nothing more than your plugins installed, so it's not messy yet 😆

dsmrt commented 5 years ago

Sure ... Can you send a message here? https://www.flipboxdigital.com/contact

rtrudel commented 5 years ago

Sure thing. Let me create you access (and also set the two sites in English for you, currently French). I'll then contact you.