RO Single Sign On
Installation steps for RO Single Sign On
There are several installation steps for RO Single Sign On to be completed to install and configure the extension.
- Install the pkg_ro_sso.zip
- Enable plugin Authentication - RO Single Sign In
- Create a symlink named sso to the folder libraries/simplesamlphp/public/ to prevent access from the web to this folder ln -sfn libraries/simplesamlphp/public sso
- Go to Components -> RO Single Sign On -> Configuration
- Set the basepath to sso/
- Fill in all other relevant details
- Click Save
- Go to Certificates
- Create your certificates
- Go to Identity Provider Profiles
- Click New
- Fill in all the fields
- Click Save & Close
- Setup the Identity Provider if needed
- Setup the Service Provider if needed
- Setup cron job to renew metadata information
php /path/to/site/libraries/simplesamlphp/modules/metarefresh/bin/metarefresh.php METADATA URL
Exception: Unable to validate Signature
The error Exception: Unable to validate Signature means that the certificate data has changed.
The Identity Provider metadata must be refreshed to load the new certificate details.
Failure signing data
The error Failure signing data means that the certificates are no longer up-to-date.
Recreate the certificate files in the cert folder. After the certificates have been recreated the metadata must be reloaded on either the Identity Provider or the Service Provider.
No private key found in metadata
The error No private key found in metadata is caused by missing certificates.
The option sign.logout is enabled in the authsources.php but no certificates are specified
Could not find the metadata of an IdP with entity ID / Metadata not found
This error can be caused by a faulty configuration on either the Identity Provider or the Service Provider.
Possible solutions are:
- The Identity Provider metadata must be imported into the Service Provider
- The password for the certificate file is incorrect
- The idp as set in the file authsources.php must match the metadata key as set in the file metadata-generated/alias/saml20-idp-remote.php (the folder alias can be different as it depends on the alias of the Identity Provider profile created)
Import Identity Provider metadata
To import the data from the Identity Provider you need to do the following:
- Login to the Joomla administrator section
- Go to Components --> RO Single Sign On -> Identity Provider Profiles
- Select the Identity Provider for which the metadata needs to be read
- Click on Refresh Metadata
Password certificate file
If a private key file has been configured and the password is incorrect the login will fail as well because the data cannot be verified, so double check the password. This file is located in the folder libraries/simplesamlphp/cert To check if the password is correct you can run the following command from the command line where your private key is located. Replace YOURFILE with the actual name of your .pem file and YOURPASS with the actual password.
openssl pkey -in YOURFILE.pem -passin pass:YOURPASS -noout
If you get no response this means the password is valid, if you get any other output, the password is invalid.
Match metadata key
While connecting to an Identity Provider the request is checked if the answer is coming from a trusted Identity Provider. For the request to be processed the following 2 settings must match so the system knows which Identity Provider configuration to check. This concerns 2 files:
- libraries/simplesamlphp/config/authsources.php
- libraries/simplesamlphp/metadata-generated/alias/saml20-idp.remote.php
authsources.php
In this file you will find a configuration line called idp and that looks like this. The URL will be the URL of your Identity Provider.
'idp' => 'https://a/url/from/the/identity/provider',
saml20-idp-remote.php
This file is found in the folder libraries/simplesamlphp/metadata-generated and then a subfolder which has the name of the alias of the Identity Provider profile you created. The saml20-idp-remote.php file has the metadata of your Identity Provider. The first line in there contains the URL of your Identity Provider and looks like this.
$metadata['https://a/url/from/the/identity/provider'] = [
This URL and the URL in the authsources.php must match for it being able to be processed.