So, it’s been a frustrating few days debugging a supposedly simple single sign-on handshake conducted over SAML.

Further to my last post, here are a couple of gotchas that tripped me up.

Watch your session settings

If you’re using sessions, you need to make damn sure your cookie settings are the same in both your app and SimpleSAML’s config.php.

Sadly, this isn’t always possible, at least not without making an offering to the Elder Gods. SimpleSAMLPHP’s settings are fiddly, and in the time I was poking at it, I couldn’t find a way of getting it to entirely match the application’s more enhanced security settings (we, for example, stipulate various ini flags and up the session’s hash algorithm).

SimpleSAMLPHP also seems to have a habit of generating its own session ids, although I might have been blinking at the source too long.

Either way, I ended up commenting out the session initialisation code in SessionHandlerPHP::__construct() and replacing every instance of the session starting code with a call to the app’s session initialisation code.

This adds some maintenance debt, but life is too short.

Debug in incognito mode

If you’ve been banging your head against session problems for long, you’ll have a lot of cruft in your cookie jar.

A hard learnt lesson (obvious in hindsight) was that even if the code works, it’ll likely fail with our old friend Exception: The POST data we should restore was lost.

The simplest way of ensuring you’re going to be clicking through with a fresh session is to use your browser’s incognito mode to test, and after each test shut down all of these windows (they share a context, so you’ve got to close all tabs and windows to fully clear the context) and open a new one.

Hopefully this might save you some time and frustration.

I needed some tools for talking to the Known API from the command line in order to play around with a few ideas I’ve been having.

So, I put together a few BASH shell scripts.


  • Install the prerequisites: curl php_cli python openssl base64
  • Check out the repository and add it to your system path.

Note, due to this bug, you’ll need to be running the latest version of Known if you want to use the syndication functionality.

Talking to Known

The first thing you’ll need (other than a Known account of course) is to get your API key, you can find this in your settings page under “Tools and Apps”.

You can then use those as parameters to For example, to make a status update you’d type:

echo "body=my+data" | *username* *apikey*

Of course, you might want to use one of the wrapper scripts like, which also supports syndication e.g:

echo "my tweet" | *username* *apikey* twitter::username

If successful, the scripts will output a JSON representation of what the API says.

Have fun!

» Visit the project on Github...

Over on github, I’ve just pushed a little tool which I use during the development of Elgg sites and find very handy.

The tool does nothing more than append some environment information – logged in user, page owner, session etc – to the page shell in a HTML comment block. This information can be invaluable when trying to debug an Elgg site, and because the plugin renders this in a very light weight way, it shouldn’t interfere with anything else your site has got going on.

As usual, code on github…

» Visit the project on Github…