Note: This has been edited with current information since I am not yet able to comment on my own question.
I am starting to convert a SP application to use SimpleSamlPhp to authenticate against a remote IdP. I still have a lot to learn.
My test program appears to successfully log into the remote IdP. Control doesn't return from $as->login(). It repeats logging into the remote IdP until the remote IdP throws an exception and presents a page that there were too many login attempts.
I will appreciate any help and insight into the problem.
This snippet of the simplesamlphp log shows the problem.
Saved state: '_f734026657e1d8c2066917bf5049bcd4e8e5ea24e7'
Sending SAML 2 AuthnRequest to 'XXXX'
Redirect to 702 byte URL: https://infinitydev.sungard.com/idp-dev/XXXX?ClientID=XXXX_dev_15W&SAMLRequest=fVJhb9owEP0....&RelayState=https%3A%2F%2F10.255.255.0%2Fsimplesaml%2Ftest02.phparray (
Received SAML2 Response from 'XXXX'.
Has 1 candidate keys for validation.
Validation with key #0 failed without exception.
Has 1 candidate keys for validation.
Validation with key #0 succeeded.
Filter config for XXXX->XXXX_dev_15W: array ( 0 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 90, )),)
Session: doLogin("default-sp")
/*$as->login() repeats with different values*/
Saved state: '_9d131d5be1069a4aa69abe830ef2f525da9ebb3109'
Sending SAML 2 AuthnRequest to 'XXXX'
Redirect to 692 byte URL: https://infinitydev.sungard.com/idp-dev/XXXX?ClientID=XXXX_dev_15W&SAMLRequest=fVLLbtswEPw....&RelayState=https%3A%2F%2FF10.255.255.0%2Fsimplesaml%2Ftest02.phparray (
Received SAML2 Response from 'XXXX'.
Has 1 candidate keys for validation.
Validation with key #0 failed without exception.
Has 1 candidate keys for validation.
Validation with key #0 succeeded.
Filter config for XXXX->XXXX_dev_15W: array ( 0 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 90, )),)
Session: doLogin("default-sp")
It continues to repeat until the remote IdP ends the cycle and repeats 5 more times with the number of bytes in the URL changing each time.
This is my test program including debugging statements:
<?php
session_start();
require_once('control.php');
$scriptName = $control['ScriptSRC'];
$logName = $control['logName'];
/*
 * start off with loading a file which registers the SimpleSAMLphp
 * classes with the autoloader.
 */
require_once('/www/simplesamlphp/lib/_autoload.php');
// We select our authentication source:
$as = new \SimpleSAML\Auth\Simple('default-sp');
error_log(date('H:i:s', time()) . " " . $scriptName . ' returned from $as->login()' . "\n", 3, $logName);
if (isset($as) || $as != null) {
    //
    // this entry appears in $logName, others
    //
    error_log(date('H:i:s', time()) . " " . $scriptName . ' $as created by SimplSaml _autoload.php' . "\n", 3, $logName);
} else {
    error_log(date('H:i:s', time()) . " " . $scriptName . ' SimplSaml _autoload.php unable to create $as' . "\n", 3, $logName);
    exit();
}
// We then require authentication:
// $as->requireAuth();
# Send a passive authentication request.
$as->login(array(
    'saml:idp' => 'CPRS',
    'isPassive' => TRUE,
));
/*
 * exit if authentication fails
 */
if (!$as->isAuthenticated()) {
    echo "<html><head></head><body>";
    echo "<h2>You ARE NOT authenticated!!!!</h2>";
    echo "</body></html>";
    exit();
}
echo '<script>alert("$as is authenticated");</script>';
/*
 * And print the attributes:
 */
$attributes = $as->getAttributes();
// print_r($attributes);
$logOutput = '';
if (isset($attributes)) {
    if (empty($attributes)) {
        $logOutput = " _SESSION is empty\n";
    } else {
        foreach ($attributes as $key => $value) {
            // every attribute value is an array, so join it for display;
            // json_encode keeps IdP-supplied values from breaking the JS string
            $alert = "key $key, value " . implode(', ', $value);
            echo '<script>alert(' . json_encode($alert) . ');</script>';
            $logOutput = $logOutput . " $key = " . implode(', ', $value) . "\n";
        }
    }
} else {
    echo "<script>alert('_attributes not set');</script>";
    $logOutput = "_attributes is not set.\n";
}
echo "<script>alert('_attributes have been read');</script>";
error_log(date('H:i:s', time()) . " $logOutput\n", 3, $logName);
/*
 * Each attribute name can be used as an index into $attributes to
 * obtain the value. Every attribute value is an array - a single-valued
 * attribute is an array of a single element.
 */
/*
 * If we are using PHP sessions in SimpleSAMLphp and in the application we
 * are protecting, SimpleSAMLphp will close any existing session when
 * invoked for the first time, and its own session will prevail afterwards.
 * If you want to restore your own session after calling SimpleSAMLphp, you
 * can do so by cleaning up the session like this:
 */
// $session = SimpleSAML_Session::getSessionFromRequest();
// $session->cleanup();
// Log the user out. After logging out, the user will either be redirected
// to another page, or a function will be called. This function never returns.
//$as->logout();
?>
The error log shows:
19:29:33 simplesaml $as created by SimplSaml _autoload.php
19:29:45 simplesaml $as created by SimplSaml _autoload.php
19:29:47 simplesaml $as created by SimplSaml _autoload.php
19:29:48 simplesaml $as created by SimplSaml _autoload.php
19:29:49 simplesaml $as created by SimplSaml _autoload.php
19:29:50 simplesaml $as created by SimplSaml _autoload.php
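For comparison, an added example that is not part of the question: the guard that keeps a SimpleSAMLphp SP page from sending a fresh AuthnRequest on every request, since login() never returns and the IdP response is delivered by redirecting back to this same page. It assumes the same autoloader path and 'default-sp' source as the test program above; the log path is constructed.

```php
<?php
// Added example, not the poster's code. Assumes SimpleSAMLphp under
// /www/simplesamlphp and an authentication source named 'default-sp',
// as in the test program above.
require_once('/www/simplesamlphp/lib/_autoload.php');

$logName = '/tmp/sp-test.log'; // constructed log path for this example

$as = new \SimpleSAML\Auth\Simple('default-sp');

// login() always starts a NEW authentication: it sends an AuthnRequest,
// redirects the browser to the IdP and never returns. When the IdP answers,
// the ACS endpoint redirects back to this page (the default ReturnTo), which
// then runs from the top again. Calling login() unconditionally therefore
// produces the loop seen in the log, until the IdP's attempt limit stops it.
if (!$as->isAuthenticated()) {
    $as->login(array(
        'saml:idp'  => 'CPRS',
        'isPassive' => true,
    ));
    // never reached: login() redirects
}
// Equivalent shorthand (checks isAuthenticated() internally and returns
// only when a session already exists):
// $as->requireAuth(array('saml:idp' => 'CPRS'));

// From here on the session already carries the assertion, so no further
// redirect happens. Each attribute value is an array, even when single-valued.
$attributes = $as->getAttributes();
foreach ($attributes as $name => $values) {
    error_log(date('H:i:s') . " $name = " . implode(', ', $values) . "\n", 3, $logName);
}
```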