duanban4769 2018-11-20 14:25
Views: 75

simpleSAMLphp with IIS and different application pool identities

I've been struggling for a day now with simpleSAMLphp in IIS and I just managed to understand why.

So I have simpleSAMLphp running as IUSR in a separate application, https://myserver/simpleSAMLphp. This (used only as an SP) is configured with my AD FS environment (single IdP).

I then created a test simpleTest application which also runs as IUSR. Everything worked ok.

I finally added my real DEV application, which runs as mydomain\myserviceaccount, and here I experience multiple redirects until I get some errors in simpleSAMLphp. After some troubleshooting, I realized that when I change my web app to use IUSR, it works as expected. Unfortunately, I can't keep my app running as IUSR, and I don't even want to change simpleSAMLphp to use the service account, as in theory I may end up with multiple service accounts, one for each pool, anyway.

Did anybody experience the same and have a workaround to allow another account to work with the token provided by simpleSAMLphp?

My ultimate goal is to use a single instance of simpleSAMLphp and have all of my apps use AD FS to log in, so multiple SPs with one IdP.

This is the bit of code I'm using on the PHP pages to see if the user is already authenticated:

<?php
// Load the shared simpleSAMLphp install's autoloader and check the 'default-sp'
// authentication source configured in its authsources.php.
require_once('C:\inetpub\wwwroot\simplesamlphp\lib\_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp');
if (!$as->isAuthenticated()) {
  $params = array(
    'ErrorURL' => '/MyApp/error.php',  // where simpleSAMLphp sends the user if login fails
  );
  // Does not return: redirects the browser to the IdP (AD FS) and back.
  $as->login($params);
}

Many thanks


1 answer

  • duanpie2414 2018-11-21 10:09

    I figured this out eventually, I hope this helps anybody using the same config as mine.

    So the issue was related to PERMISSIONS, for a change. What drove me off track was the fact that another SP was working fine, until I realized that that SP was also using IUSR.

    So if you want to use multiple SPs for multiple web apps running with different service accounts, the best option is to run simpleSAMLphp's pool as a user who has local admin rights. Even running as SYSTEM worked during my testing, but I guess it's best to just get a new account set up for it.

    I've made various tests to confirm the above.

    Edit: This is basically what I've done: https://www.itdroplets.com/simplesamlphp-on-iis-from-scratch-adfs/

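The answer above pins the problem on file permissions and resolves it by running the simpleSAMLphp pool as a local administrator (or SYSTEM). An alternative that keeps every pool at its own privilege level is to grant each pool identity explicit NTFS rights on the directories simpleSAMLphp actually writes to, and read/execute on the rest. The script below is an added example, not code from the question, the answer or the simpleSAMLphp project. It assumes the install path from the question (C:\inetpub\wwwroot\simplesamlphp), that PHP is on PATH, and that the identities listed are the ones your application pools run as; the directory names data, log and tmp are simpleSAMLphp's standard writable directories, and the PHP session directory is included because the default 'phpsession' store keeps the SAML session there, so every pool's PHP process must be able to read and write it.

```powershell
# Added example (hypothetical values); run from an elevated PowerShell prompt.
# Not from the original post, the answer, or the simpleSAMLphp project.

$SspRoot        = 'C:\inetpub\wwwroot\simplesamlphp'   # assumption: install path from the question
$PoolIdentities = @(
    'IUSR',                        # identity the simpleSAMLphp pool itself runs as
    'mydomain\myserviceaccount'    # identity of the DEV app pool from the question
)

# Directories simpleSAMLphp writes to at runtime, plus PHP's session directory
# (read from the active php.ini), since the default 'phpsession' store keeps the
# SAML session there and each pool's PHP process must be able to read it.
$sessionPath = & php -r "echo ini_get('session.save_path');"
$writable = @('data', 'log', 'tmp' | ForEach-Object { Join-Path $SspRoot $_ })
if ($sessionPath) { $writable += $sessionPath }

# Read & Execute on the whole tree (lib, modules, config, www need nothing more).
# (OI)(CI) makes the grant inherit to existing and future files and folders.
foreach ($id in $PoolIdentities) {
    icacls $SspRoot /grant "${id}:(OI)(CI)RX" /T | Out-Null
}

# Modify on the writable directories only.
foreach ($dir in $writable) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    foreach ($id in $PoolIdentities) {
        icacls $dir /grant "${id}:(OI)(CI)M" /T | Out-Null
    }
}

# Print the resulting ACLs so each pool identity can be confirmed on each directory.
foreach ($dir in $writable) {
    Write-Host "== $dir"
    icacls $dir
}
```

If a pool uses the built-in ApplicationPoolIdentity rather than a named account, the principal to grant is `IIS AppPool\<pool name>`; IIS_IUSRS covers all pools at once but is broader than necessary. After granting, recycling the affected pools and retrying the login loop from the question is the quickest check; if the redirects persist, the simpleSAMLphp log directory above is where its own error messages will land.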
