simpleSAMLphp with IIS and different Application Pool identities












0















I've been struggling since a day now with simpleSAMLphp in IIS and I just managed to understand why.



So I have simpleSAMLphp running as IUSR in a separated application https://myserver/simpleSAMLphp.
This (used only as SP) is configured with my AD FS environment (single IdP).



I then created a test simpleTest application which also runs as IUSR. Everything worked ok.



I finally added my real DEV application, which runs as mydomainmyserviceaccount and here I experience multiple redirects until I get some errors in simplesamlphp. After some troubleshooting, I realized that when I change my web app to use IUSR, it works as expected. Unfortunately, I can't keep my app to run as IUSR and I don't even want to change simpleSAMLphp to use the service account as in theory I may end up having multiple service accounts for each pool anyway.



Did anybody experience the same and has a workaround to allow another account to be able to work with the token provided by simpleSAMLphp?



My ultimate goal is to use a single instance of simpleSAMLphp and add all of my apps to use AD FS to login, so multiple SPs with 1 IdP.



This is the bit of code I'm using on the PHP pages to see if the user is already authenticated:



require_once ('C:inetpubwwwrootsimplesamlphplib_autoload.php');
$as = new SimpleSAML_Auth_Simple('default-sp');
if (!$as->isAuthenticated()) {
$params = array(
'ErrorURL' => '/MyApp/error.php',
);
$as->login($params);


}



Many thanks










share|improve this question





























    0















    I've been struggling since a day now with simpleSAMLphp in IIS and I just managed to understand why.



    So I have simpleSAMLphp running as IUSR in a separated application https://myserver/simpleSAMLphp.
    This (used only as SP) is configured with my AD FS environment (single IdP).



    I then created a test simpleTest application which also runs as IUSR. Everything worked ok.



    I finally added my real DEV application, which runs as mydomainmyserviceaccount and here I experience multiple redirects until I get some errors in simplesamlphp. After some troubleshooting, I realized that when I change my web app to use IUSR, it works as expected. Unfortunately, I can't keep my app to run as IUSR and I don't even want to change simpleSAMLphp to use the service account as in theory I may end up having multiple service accounts for each pool anyway.



    Did anybody experience the same and has a workaround to allow another account to be able to work with the token provided by simpleSAMLphp?



    My ultimate goal is to use a single instance of simpleSAMLphp and add all of my apps to use AD FS to login, so multiple SPs with 1 IdP.



    This is the bit of code I'm using on the PHP pages to see if the user is already authenticated:



    require_once ('C:inetpubwwwrootsimplesamlphplib_autoload.php');
    $as = new SimpleSAML_Auth_Simple('default-sp');
    if (!$as->isAuthenticated()) {
    $params = array(
    'ErrorURL' => '/MyApp/error.php',
    );
    $as->login($params);


    }



    Many thanks










    share|improve this question



























      0












      0








      0








      I've been struggling since a day now with simpleSAMLphp in IIS and I just managed to understand why.



      So I have simpleSAMLphp running as IUSR in a separated application https://myserver/simpleSAMLphp.
      This (used only as SP) is configured with my AD FS environment (single IdP).



      I then created a test simpleTest application which also runs as IUSR. Everything worked ok.



      I finally added my real DEV application, which runs as mydomainmyserviceaccount and here I experience multiple redirects until I get some errors in simplesamlphp. After some troubleshooting, I realized that when I change my web app to use IUSR, it works as expected. Unfortunately, I can't keep my app to run as IUSR and I don't even want to change simpleSAMLphp to use the service account as in theory I may end up having multiple service accounts for each pool anyway.



      Did anybody experience the same and has a workaround to allow another account to be able to work with the token provided by simpleSAMLphp?



      My ultimate goal is to use a single instance of simpleSAMLphp and add all of my apps to use AD FS to login, so multiple SPs with 1 IdP.



      This is the bit of code I'm using on the PHP pages to see if the user is already authenticated:



      require_once ('C:inetpubwwwrootsimplesamlphplib_autoload.php');
      $as = new SimpleSAML_Auth_Simple('default-sp');
      if (!$as->isAuthenticated()) {
      $params = array(
      'ErrorURL' => '/MyApp/error.php',
      );
      $as->login($params);


      }



      Many thanks










      share|improve this question
















      I've been struggling since a day now with simpleSAMLphp in IIS and I just managed to understand why.



      So I have simpleSAMLphp running as IUSR in a separated application https://myserver/simpleSAMLphp.
      This (used only as SP) is configured with my AD FS environment (single IdP).



      I then created a test simpleTest application which also runs as IUSR. Everything worked ok.



      I finally added my real DEV application, which runs as mydomainmyserviceaccount and here I experience multiple redirects until I get some errors in simplesamlphp. After some troubleshooting, I realized that when I change my web app to use IUSR, it works as expected. Unfortunately, I can't keep my app to run as IUSR and I don't even want to change simpleSAMLphp to use the service account as in theory I may end up having multiple service accounts for each pool anyway.



      Did anybody experience the same and has a workaround to allow another account to be able to work with the token provided by simpleSAMLphp?



      My ultimate goal is to use a single instance of simpleSAMLphp and add all of my apps to use AD FS to login, so multiple SPs with 1 IdP.



      This is the bit of code I'm using on the PHP pages to see if the user is already authenticated:



      require_once ('C:inetpubwwwrootsimplesamlphplib_autoload.php');
      $as = new SimpleSAML_Auth_Simple('default-sp');
      if (!$as->isAuthenticated()) {
      $params = array(
      'ErrorURL' => '/MyApp/error.php',
      );
      $as->login($params);


      }



      Many thanks







      php iis claims-based-identity simplesamlphp






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 20 '18 at 14:32







      Simone

















      asked Nov 20 '18 at 14:25









      SimoneSimone

      514




      514
























          1 Answer
          1






          active

          oldest

          votes


















          0














          I figured this out eventually, I hope this helps anybody using the same config as mine.



          So the issue was related to PERMISSIONS, for a change. What drove me off track was the fact that another SP was working fine, until I realized, that SP was also using IUSR.



          So if you want to use multiple SPs for multiple web apps running with different service accounts, the best is to run simpleSAMLphp's pool as a user who has local admin rights. Even running with SYSTEM worked during my testing, but I guess it's best to just get a new account set up for it.



          I've made various tests to confirm the above.



          Edit
          This is what I've done basically: https://www.itdroplets.com/simplesamlphp-on-iis-from-scratch-adfs/






          share|improve this answer

























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53395131%2fsimplesamlphp-with-iis-and-different-application-pool-identities%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            I figured this out eventually, I hope this helps anybody using the same config as mine.



            So the issue was related to PERMISSIONS, for a change. What drove me off track was the fact that another SP was working fine, until I realized, that SP was also using IUSR.



            So if you want to use multiple SPs for multiple web apps running with different service accounts, the best is to run simpleSAMLphp's pool as a user who has local admin rights. Even running with SYSTEM worked during my testing, but I guess it's best to just get a new account set up for it.



            I've made various tests to confirm the above.



            Edit
            This is what I've done basically: https://www.itdroplets.com/simplesamlphp-on-iis-from-scratch-adfs/






            share|improve this answer






























              0














              I figured this out eventually, I hope this helps anybody using the same config as mine.



              So the issue was related to PERMISSIONS, for a change. What drove me off track was the fact that another SP was working fine, until I realized, that SP was also using IUSR.



              So if you want to use multiple SPs for multiple web apps running with different service accounts, the best is to run simpleSAMLphp's pool as a user who has local admin rights. Even running with SYSTEM worked during my testing, but I guess it's best to just get a new account set up for it.



              I've made various tests to confirm the above.



              Edit
              This is what I've done basically: https://www.itdroplets.com/simplesamlphp-on-iis-from-scratch-adfs/






              share|improve this answer




























                0












                0








                0







                I figured this out eventually, I hope this helps anybody using the same config as mine.



                So the issue was related to PERMISSIONS, for a change. What drove me off track was the fact that another SP was working fine, until I realized, that SP was also using IUSR.



                So if you want to use multiple SPs for multiple web apps running with different service accounts, the best is to run simpleSAMLphp's pool as a user who has local admin rights. Even running with SYSTEM worked during my testing, but I guess it's best to just get a new account set up for it.



                I've made various tests to confirm the above.



                Edit
                This is what I've done basically: https://www.itdroplets.com/simplesamlphp-on-iis-from-scratch-adfs/






                share|improve this answer















                I figured this out eventually, I hope this helps anybody using the same config as mine.



                So the issue was related to PERMISSIONS, for a change. What drove me off track was the fact that another SP was working fine, until I realized, that SP was also using IUSR.



                So if you want to use multiple SPs for multiple web apps running with different service accounts, the best is to run simpleSAMLphp's pool as a user who has local admin rights. Even running with SYSTEM worked during my testing, but I guess it's best to just get a new account set up for it.



                I've made various tests to confirm the above.



                Edit
                This is what I've done basically: https://www.itdroplets.com/simplesamlphp-on-iis-from-scratch-adfs/







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Nov 23 '18 at 14:31

























                answered Nov 21 '18 at 10:09









                SimoneSimone

                514




                514
































                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53395131%2fsimplesamlphp-with-iis-and-different-application-pool-identities%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    mysqli_query(): Empty query in /home/lucindabrummitt/public_html/blog/wp-includes/wp-db.php on line 1924

                    How to change which sound is reproduced for terminal bell?

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?