Bug if you follow the doc on idp-remote #2258

@flartet

Description

The problem happens following the doc and testing the SP

Specifics of your environment

  1. Acting as SP
  2. SimpleSAMLphp: 2.3.2?
  3. PHP: 8.2
  4. Platform: ubuntu 22
  5. Webserver: Apache

Describe the bug
The documentation here
https://simplesamlphp.org/docs/stable/simplesamlphp-sp.html
describes the idp as

<?php
$metadata['https://example.org/saml-idp'] = [
    'SingleSignOnService'  => 'https://example.org/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService'  => 'https://example.org/simplesaml/saml2/idp/SingleLogoutService.php',
    'certificate'          => 'example.pem',
];

but if you do this with a Shibboleth (and I guess other IdPs), simplesaml complains about having a string and not an array for SingleSignOnService and SingleLogoutService.
In fact, when you go deeper into the doc
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote.html
you can see the SingleSignOnService entry, which points to https://simplesamlphp.org/docs/stable/simplesamlphp-metadata-endpoints.html
and in the endpoints format you have the proper format, e.g.:

  'SingleLogoutService' => [
      [
          'Location' => 'https://sp.example.org/LogoutRequest',
          'ResponseLocation' => 'https://sp.example.org/LogoutResponse',
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      ],
  ],

So, on the first page, the doc is wrong, but I don't know the format with simplesaml as I'm using Shibboleth.
I solved it using the XML IdP metadata converter, which is the right tool to use. I suggest recommending in the doc to use it first if the users already have a working IdP; it could save hours of debugging the error in SP testing, which doesn't explain anything.

If you gimme the proper format, I can submit a pull request for you.

Thanks!
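
Added example (not part of the issue and not SimpleSAMLphp's own code): a PHP check that flags endpoint values in a remote-IdP metadata entry that are not in the list-of-arrays form quoted above. The function name `lintEndpoints` and the treatment of `Location` and `Binding` as required keys are assumptions based on the endpoint example in this issue.

```php
<?php
// Hypothetical helper: report endpoint values that are not a list of arrays.
// Assumption: each endpoint needs string 'Location' and 'Binding' keys.
function lintEndpoints(array $entry, array $keys = ['SingleSignOnService', 'SingleLogoutService']): array
{
    $problems = [];
    foreach ($keys as $key) {
        if (!array_key_exists($key, $entry)) {
            continue; // endpoint type not configured; nothing to check
        }
        $value = $entry[$key];
        if (is_string($value)) {
            $problems[] = "$key: string shorthand '$value', expected a list of endpoint arrays";
            continue;
        }
        if (!is_array($value) || !array_is_list($value)) {
            $problems[] = "$key: expected a list of endpoint arrays";
            continue;
        }
        foreach ($value as $i => $endpoint) {
            if (!is_array($endpoint)) {
                $problems[] = "{$key}[$i]: endpoint is not an array";
                continue;
            }
            foreach (['Location', 'Binding'] as $required) {
                if (!isset($endpoint[$required]) || !is_string($endpoint[$required])) {
                    $problems[] = "{$key}[$i]: missing or non-string '$required'";
                }
            }
        }
    }
    return $problems;
}

// Constructed sample: one string-form endpoint, one array-form endpoint without a Binding.
$metadata['https://example.org/saml-idp'] = [
    'SingleSignOnService' => 'https://example.org/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => [
        ['Location' => 'https://example.org/simplesaml/saml2/idp/SingleLogoutService.php'],
    ],
    'certificate' => 'example.pem',
];

foreach ($metadata as $entityId => $entry) {
    foreach (lintEndpoints($entry) as $problem) {
        echo "$entityId: $problem\n";
    }
}
```

The check only reports problems; the binding for each endpoint should come from the IdP's own metadata rather than being guessed.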
