Single Sign-on to Azure AD using SimpleSAMLphp

26 Responses

  1. Sebastião Burnay says:

    Hi Lewis!

    First of all, thank you for sharing your know-How on SSO to Azure with SAML+PHP.

    I’ve tried following your directions, but unfortunately I’ve had no success.

    I keep getting the error ‘State information lost’ and I get the following debug information:
    «
    SimpleSAML_Error_NoState: NOSTATE
    Backtrace:
    2 /var/www/html/simplesamlphp/lib/SimpleSAML/Auth/State.php:225 (SimpleSAML_Auth_State::loadState)
    1 /var/www/html/simplesamlphp/modules/saml/www/sp/saml2-acs.php:63 (require)
    0 /var/www/html/simplesamlphp/www/module.php:134 (N/A)
    »

    I’m really looking forward to surpassing this obstacle as I’m sure I will find it again and again in future projects.

    Best Regards,
    Sebastião Burnay

  2. Lewis says:

    Hi Sebastião, it reads to me as a potential issue with session state. Assuming you’ve configured on Windows, it’s worth testing if the normal PHP session state is working as you expect on your installation. It’s difficult to suggest how you might achieve this yourself, but there’s plenty of guidance on the PHP.net site.

    Also, PHP as installed on Windows will place entries in your Application event log when it fails to load and it could lead you to the answer.

    Lastly, don’t ignore the PHP logs as they can also help identify the issue.

    As mentioned though, I would be looking very closely at PHP session storage.

    Hope this helps.
    Lewis

  3. Sebastião Burnay says:

    Yes,

    We’ve changed the ‘Session.use_cookies’ setting in our php.ini from Off to On (0 to 1) and restarted our Apache server.

    Afterwards it worked properly 🙂

    Thanks a lot

  4. Sebastião Burnay says:

    Yes,
    We’ve changed the ‘Session.use_cookies’ setting in our php.ini from Off to On (0 to 1) and restarted our Apache server.
    Afterwards it worked properly 🙂

    Yet, only users with ‘Sourced From’ = ‘Microsoft Azure Active Directory’ can log in through this App, and the majority of users in my WAAD have ‘Sourced From’ = ‘Local Active Directory’.

    Does this ring a bell to you?

  5. Lewis says:

    Hi Sebastião, I’m glad we’ve got you past that point. 🙂
    How have you configured your Azure AD Connect synchronisation server? Are you using ADFS?
    If you’re not using ADFS (federation), you would need to make sure that “password sync” is enabled on your Azure AD Connect synchronisation server (and that a sync has performed successfully!) so that the users’ on-premises passwords are synchronised in to the Azure AD directory. The best thing to do is simply test if they can log on using the https://portal.office.com/ site. It doesn’t matter if they have a licence or not but it proves your Azure AD users can log-on.

  6. Sebastião Burnay says:

    Yep,

    Those criteria were all matched.

    After speaking with the AD’s SysAdmin we’ve discovered the «new» issue was related to an improper assignment of an E1 licence.

    After the licencing of the E1 account was done, the SignOn was successful.

    Once again thank you so much for your know-how, sharing spirit and availability.

    Best regards,
    Sebastião Burnay

  7. Vincent says:

    Hello,

    Thanks for your post.
    I’m looking for the same thing but with a PHP web app hosted directly on Azure.
    Do you know how to do that?

    Thanks in advance,

    best regards

    Vincent

  8. Vincent F says:

    Hello,

    First of all, thank you very much for sharing your know-How on SSO to Azure with SAML+PHP.

    I’m looking to do the same thing but with an Azure website. Do you know how to install SimpleSAMLphp on an Azure website?

    Thanks!

    regards

  9. Vincent F says:

    Hello,

    Forget my last question, I’ve found the answer 🙂

    Just extract simplesamlphp at the same level as wwwroot and create a virtual application in the web app configuration, like you do in IIS.

    Thanks!

  10. Lewis says:

    Good to know Vincent, that is what I would have guessed so thank you for confirming!

  11. Suchart says:

    Hi Lewis.

    Thanks for the article. I followed all the steps, but the problem now is the login error “AADSTS75005: The request is not a valid Saml2 protocol message.” The link is https://login.microsoftonline.com/c1542126-0b6c-4c45-980c-b7c98b2afee3/saml2.
    I’d better check the error are.

    Thanks!

  12. Shraddha says:

    Hello Lewis,

    Very clear and neat explanation. Thank you.
    I was fighting with this SSO very badly.

    Your article saved me.
    Thank You once again!!

  13. anil says:

    Hello Lewis, very nice document. I have used this for configuration.

    Do you have a similar document for configuring SAML using IBM Tivoli? I could not find any post on this.

  14. Joe says:

    You’re a lifesaver. I’m having to support a legacy application with this set up and no documentation to support what was done to get it up and running. It made for a pretty decent needle in a haystack to try to figure out what needed fixing, but your guide filled in a lot of blanks for me.

    Very clear and concise, especially for someone who has never worked with Azure or SSO before. Couldn’t ask for more.

    Thank you!

  15. Clarence Langan says:

    Many thanks for posting this, it’s great for everyone :-).

  16. Josh Heglund says:

    Thanks Lewis for the guide. Very helpful.

    I’ve written a follow up that tends to a few different needs:
    1. Hosting on Apache / Ubuntu instead of IIS
    2. Setting up metadata refresh (so it doesn’t suddenly stop working a few months later).
    3. Configuring a free certificate with letsencrypt.org

    Hopefully this helps someone!

    https://notehub.org/v2d6o

  17. Mickael says:

    Hello Lewis,
    Great guideline, it was really helpful.
    Now what can I do if I want my website to authorize multiple SPs?
    For now I have a login page where I ask users to enter their mail address, then I calculate the right SP to redirect to.
    But users need to enter their mail address again.
    I need a solution to save the user’s mail address and then put it in the login form of Azure.
    I didn’t find any solution; maybe you can help.
    Thanks,

  18. Balaji says:

    Hi Lewis,

    I am trying to configure Azure AD as an IDP to SimpleSAMLPHP (SP), I have created an APP in Azure and configured all the URLs
    Sign-On URL to Assertion Consumer Service URL
    APP ID to MetaData EntityID
    Reply URL to Assertion Consumer Service URL

    When I click on the APP I created it redirects to my AssertionService URL after authenticating with https://login.microsoftonline.com/common/oauth2/authorize, but on the return I do not see a SAMLResponse; without it SimpleSAMLphp will not proceed further and it stops there.

    Could you please let me know what I could be missing here.

    Thanks
    Balaji

  19. Marko says:

    I get error from Azure login that https://my.sso.domain.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp does not match the reply addresses configured for the application.

    Your tutorial did not mention saml2-acs.php? Should I add it, so it is there with the metadata.php?

    And if so, what is rationale here?

  20. Christian says:

    First, thank you very much for your manual.
    I was able to adapt nearly everything to my Office 365 tenant and the new Azure interface. Had to do some stuff a little bit differently.

    I did not find the link in the Azure interface; Google helped me to find out: to get the metadata XML I had to open the following address:
    https://login.microsoftonline.com/mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml

    As “entityID” in the “authsources.php” I had to enter my ApplicationID (for example: 1a234b56-7ab8-901a-bb12-345a6789b10c), not the entered address (for example: https://sso.mydomain.com).

    Now I am able to do the authentication in Office 365, but then (back in SimpleSAMLphp) I get the following error message:

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
    Backtrace:
    0 D:\WWW\domain-ch\sso\saml\www\module.php:180 (N/A)
    Caused by: SimpleSAML_Error_Exception: This SP [1a234b56-7ab8-901a-bb12-345a6789b10c] is not a valid audience for the assertion. Candidates were: [spn:1a234b56-7ab8-901a-bb12-345a6789b10c]
    Backtrace:
    3 D:\WWW\domain-ch\sso\saml\modules\saml\lib\Message.php:584 (sspmod_saml_Message::processAssertion)
    2 D:\WWW\domain-ch\sso\saml\modules\saml\lib\Message.php:524 (sspmod_saml_Message::processResponse)
    1 D:\WWW\domain-ch\sso\saml\modules\saml\www\sp\saml2-acs.php:120 (require)
    0 D:\WWW\domain-ch\sso\saml\www\module.php:137 (N/A)

  21. @Christian: I ran into the same issue with the invalid audience. Changing the entityID to “spn:” instead of only “” seems to have solved the problem.

  22. My apologies. “less than” and “greater than” characters were stripped from my previous comment. It was supposed to be “spn:” followed by the App ID GUID instead of only the App ID GUID.

  23. Enzo says:

    Hey Lewis,

    Just wanted to thank you for this, and your previous post on Azure AD 🙂
    It’s been a terrific help, and your instructions were very clear, and easy to follow!
    Good luck on your other posts! 🙂

  24. Tony Jones says:

    Thanks for this tried-and-true recipe, Lewis. It works!
    I wonder if you have any advice on how to get additional AD attributes from the SAML response from Azure.

  25. Anthony Akpan says:

    @Robert Fridén you might have saved my job!!! lol I saw the spn: thing and didn’t think it would make a difference. Been struggling with this for weeks.

  26. Andrew Beak says:

    Thanks for a great article, it was really helpful.

    When I got to the point where the reply url was misconfigured I found that the error message did not include what it should be.

    I had to use an online SAML decoder (google and you shall find) and paste in the GET parameter. That spat out the xml where the reply url was clearly visible. Note that this is not the “relay” parameter which is urlencoded in the url.
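    The audience mismatch in comments 20 to 22 and the reply-URL decoding in comment 26 both come down to reading two fields out of the base64 SAML parameter. The following is an added Python example (not code from the post, SimpleSAMLphp, or any commenter) that decodes a SAMLResponse for either binding and pulls out Destination and Audience, then applies the exact-match audience check that produced Christian's error; the sample response, the domain and ACS path, and the App ID GUID reused from the thread are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def decode_saml_message(param: str) -> str:
    """Decode a SAMLRequest/SAMLResponse parameter to XML text.

    HTTP-POST sends plain base64; HTTP-Redirect sends base64 of raw-DEFLATE
    data, so inflate when the decoded bytes are not already XML.
    """
    raw = base64.b64decode(param)
    if raw[:1] != b"<":
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header
    return raw.decode("utf-8")

def inspect_message(param: str) -> dict:
    """Return the fields the thread's two errors hinge on."""
    root = ET.fromstring(decode_saml_message(param))
    audiences = [a.text for a in root.iterfind(
        ".//saml:AudienceRestriction/saml:Audience", NS)]
    return {
        "type": root.tag.split("}")[1],       # "Response" or "AuthnRequest"
        "destination": root.get("Destination"),  # the reply (ACS) URL
        "audiences": audiences,
    }

def audience_matches(param: str, sp_entity_id: str) -> bool:
    """Mirror of the SP-side check: entityID must equal an Audience exactly."""
    return sp_entity_id in inspect_message(param)["audiences"]

# Constructed sample: a stripped-down, unsigned Azure AD style Response.
APP_ID = "1a234b56-7ab8-901a-bb12-345a6789b10c"  # GUID from the thread, sample only
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" '
    'Destination="https://my.sso.domain.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">'
    '<saml:Assertion><saml:Conditions><saml:AudienceRestriction>'
    f'<saml:Audience>spn:{APP_ID}</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
)
SAMPLE_POST_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
_deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_REDIRECT_PARAM = base64.b64encode(
    _deflater.compress(SAMPLE_RESPONSE_XML.encode()) + _deflater.flush()).decode()
```

    Running audience_matches with the bare GUID returns False and with the spn: prefix returns True, which is the difference comment 22 describes.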
