RO Single Sign On

Installation steps for RO Single Sign On

| RO Single Sign On

There are several installation steps for RO Single Sign On to be completed to install and configure the extension.

  1. Install the pkg_ro_sso.zip
  2. Enable plugin Authentication - RO Single Sign In
  3. Create a symlink named sso to the folder libraries/simplesamlphp/public/ to prevent access from the web to this folder ln -sfn libraries/simplesamlphp/public sso
  4. Go to Components -> RO Single Sign On -> Configuration
  5. Set the basepath to sso/
  6. Fill in all other relevant details
  7. Click Save
  8. Go to Certificates
  9. Create your certificates
  10. Go to Identity Provider Profiles
  11. Click New
  12. Fill in all the fields
  13. Click Save & Close
  14. Setup the Identity Provider if needed
  15. Setup the Service Provider if needed
  16. Setup cron job to renew metadata information
    php /path/to/site/libraries/simplesamlphp/modules/metarefresh/bin/metarefresh.php METADATA URL

Read more ...

Exception: Unable to validate Signature

| RO Single Sign On

The error Exception: Unable to validate Signature means that the certificate data has changed.

The Identity Provider metadata must be refreshed to load the new certificate details. 

Read more ...

Failure signing data

| RO Single Sign On

The error Failure signing data means that the certificates are no longer up-to-date.

Recreate the certificate files in the cert folder. After the certificates have been recreated the metadata must be reloaded on either the Identity Provider or the Service Provider.

Read more ...

No private key found in metadata

| RO Single Sign On

The error No private key found in metadata is caused by missing certificates.

The option sign.logout is enabled in the authsources.php but no certificates are specified

Read more ...

Could not find the metadata of an IdP with entity ID / Metadata not found

| RO Single Sign On

This error can be caused by a faulty configuration on either the Identity Provider or the Service Provider.

Possible solutions are:

  • The Identity Provider metadata must be imported into the Service Provider
  • The password for the certificate file is incorrect
  • The idp as set in the file authsources.php must match the metadata key as set in the file metadata-generated/alias/saml20-idp-remote.php (the folder alias can be different as it depends on the alias of the Identity Provider profile created)

Import Identity Provider metadata

To import the data from the Identity Provider you need to do the following:

  1. Login to the Joomla administrator section
  2. Go to Components --> RO Single Sign On -> Identity Provider Profiles
  3. Select the Identity Provider for which the metadata needs to be read
  4. Click on Refresh Metadata

Password certificate file

If a private key file has been configured and the password is incorrect the login will fail as well because the data cannot be verified, so double check the password. This file is located in the folder libraries/simplesamlphp/cert To check if the password is correct you can run the following command from the command line where your private key is located. Replace YOURFILE with the actual name of your .pem file and YOURPASS with the actual password.

openssl pkey -in YOURFILE.pem -passin pass:YOURPASS -noout

If you get no response this means the password is valid, if you get any other output, the password is invalid.

Match metadata key

While connecting to an Identity Provider the request is checked if the answer is coming from a trusted Identity Provider. For the request to be processed the following 2 settings must match so the system knows which Identity Provider configuration to check. This concerns 2 files:

  • libraries/simplesamlphp/config/authsources.php
  • libraries/simplesamlphp/metadata-generated/alias/saml20-idp.remote.php

authsources.php

In this file you will find a configuration line called idp and that looks like this. The URL will be the URL of your Identity Provider.

'idp' => 'https://a/url/from/the/identity/provider',

saml20-idp-remote.php

This file is found in the folder libraries/simplesamlphp/metadata-generated and then a subfolder which has the name of the alias of the Identity Provider profile you created. The saml20-idp-remote.php file has the metadata of your Identity Provider. The first line in there contains the URL of your Identity Provider and looks like this.

$metadata['https://a/url/from/the/identity/provider'] = [

This URL and the URL in the authsources.php must match for it being able to be processed.

Read more ...