ApplicationOverride and ECP

Scott Koranda skoranda at gmail.com
Tue Nov 29 17:02:52 GMT 2011


Hello,

I am working with SP version 2.4.3.

Inside of <ApplicationDefaults> I have the following
<Sessions> element defined:

<Sessions lifetime="600" timeout="600" checkAddress="false" relayState="ss:mem" 
    relayStateLimit="exact" postData="ss:mem" postTemplate="/etc/shibboleth/wikiPost.html" 
    cookieProps="; path=/; secure">

    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
        entityID="https://my.idp.server/idp/shibboleth">
        <SessionInitiator type="SAML2" acsIndex="3" ECP="true" />
        <SessionInitiator type="SAML2" ECP="true" template="bindingTemplate.html" />
    </SessionInitiator>

    <LogoutInitiator type="Chaining" Location="/Logout">
        <LogoutInitiator type="Local" />
    </LogoutInitiator>

    <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
    <md:AssertionConsumerService Location="/SAML2/Artifact" index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:AssertionConsumerService Location="/SAML2/ECP" index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>

    <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

    <Handler type="Status" Location="/Status" acl="127.0.0.1"/>

    <Handler type="Session" Location="/Session" showAttributeValues="false"/>

    <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>

Session initiation happens as I expect using a browser and
ECP works as well.

I also have this <ApplicationOverride> defined:

<ApplicationOverride id="wiki">
  <Sessions lifetime="86400" timeout="86400" handlerURL="/wiki/Shibboleth.sso" checkAddress="false" 
    relayState="ss:mem" relayStateLimit="exact" postData="ss:mem" postTemplate="/etc/shibboleth/wikiPost.html" cookieProps="; path=/; secure" />
</ApplicationOverride>

Session initiation when using a web browser happens as I
expect (content protection in the Apache httpd configuration
includes 'ShibRequestSetting applicationId wiki').

I cannot, however, use the same ECP client to initiate a
session when attempting to retrieve the same URL that the
browser retrieves. The SP returns a 302 redirect instead of
the expected SOAP packet.

My reading of

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride#NativeSPApplicationOverride-InheritanceRules

led me to believe that I did not have to define inside of the
<Sessions> element inside of <ApplicationOverride> any
<SessionInitiator> or other child elements because they would
be inherited from the default <ApplicationDefaults> element.

What mistake have I made so that I cannot leverage ECP for
the <ApplicationOverride>?

Thanks,

Scott K
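The symptom in the post (a 302 to the browser login flow instead of a SOAP envelope) is the first thing an ECP client sees when the SP does not treat the request as ECP. An ECP client signals the PAOS binding with two request headers (Accept containing application/vnd.paos+xml and a PAOS header naming the ECP profile), and a correct SP answer is a 200 with Content-Type application/vnd.paos+xml carrying a paos:Request and ecp:Request SOAP header plus a samlp:AuthnRequest in the body. The script below is an added example, not code from the original post or from the Shibboleth project: it builds those headers, optionally probes a URL without following redirects, and classifies the reply, extracting the responseConsumerURL, the AssertionConsumerServiceURL and the IDPList so a 302 and a PAOS envelope can be told apart from a script rather than by eyeballing. The SOAP envelope and the wiki.example.org URLs in it are constructed sample data; only the IdP entityID is taken from the post.

```python
"""Classify what a Shibboleth SP sends back to an ECP-style request.

Added example, not from the original post or the Shibboleth project.
The PAOS envelope below is constructed by hand; the wiki.example.org
URLs are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Namespaces fixed by SOAP 1.1, the Liberty PAOS binding and SAML 2.0.
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PAOS_CONTENT_TYPE = "application/vnd.paos+xml"


def ecp_headers():
    """Request headers that make an SP choose PAOS instead of a browser redirect."""
    return {
        "Accept": "text/html; " + PAOS_CONTENT_TYPE,
        "PAOS": 'ver="urn:liberty:paos:2003-08";'
                '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
    }


def classify_sp_response(status, headers, body):
    """Return a dict whose 'kind' is 'paos_authnrequest', 'redirect' or 'other'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307):
        # The browser-style answer seen in the post: ECP was not engaged.
        return {"kind": "redirect", "location": hdrs.get("location")}
    ctype = hdrs.get("content-type", "").split(";")[0].strip()
    if status != 200 or ctype != PAOS_CONTENT_TYPE:
        return {"kind": "other", "status": status, "content_type": ctype}
    env = ET.fromstring(body)
    paos_req = env.find("S:Header/paos:Request", NS)
    ecp_req = env.find("S:Header/ecp:Request", NS)
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        return {"kind": "other", "status": status, "content_type": ctype,
                "reason": "PAOS content type but no paos:Request/AuthnRequest"}
    issuer = authn.find("saml:Issuer", NS)
    idps = []
    if ecp_req is not None:
        idps = [e.get("ProviderID")
                for e in ecp_req.findall("samlp:IDPList/samlp:IDPEntry", NS)]
    return {
        "kind": "paos_authnrequest",
        # The client must later compare this value with the
        # AssertionConsumerServiceURL in the IdP's ecp:Response header
        # and abort on mismatch; keep it around for that check.
        "response_consumer_url": paos_req.get("responseConsumerURL"),
        "acs_url": authn.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        "idp_list": idps,
    }


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following 3xx so a redirect is reported, not hidden."""
    def redirect_request(self, *args, **kwargs):
        return None


def probe(url, timeout=10):
    """Send one ECP-style GET to a protected URL and classify the reply (needs network)."""
    opener = build_opener(_NoRedirect)
    req = Request(url, headers=ecp_headers())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_sp_response(resp.status, dict(resp.headers.items()), resp.read())
    except HTTPError as err:
        return classify_sp_response(err.code, dict(err.headers.items()), err.read())


# Constructed sample of a correct SP answer (placeholder SP URLs; the IdP
# entityID is the one from the post).
SAMPLE_PAOS_BODY = b"""<?xml version="1.0"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        responseConsumerURL="https://wiki.example.org/wiki/Shibboleth.sso/SAML2/ECP"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        IsPassive="false">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://wiki.example.org/shibboleth</saml:Issuer>
      <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:IDPEntry ProviderID="https://my.idp.server/idp/shibboleth"/>
      </samlp:IDPList>
    </ecp:Request>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_sample1" Version="2.0" IssueInstant="2011-11-29T17:00:00Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        AssertionConsumerServiceURL="https://wiki.example.org/wiki/Shibboleth.sso/SAML2/ECP">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://wiki.example.org/shibboleth</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>"""

if __name__ == "__main__":
    # Offline walk-through of both outcomes; use probe(url) against a real SP.
    print(classify_sp_response(302, {"Location": "https://wiki.example.org/wiki/Shibboleth.sso/Login"}, b""))
    print(classify_sp_response(200, {"Content-Type": PAOS_CONTENT_TYPE + "; charset=utf-8"}, SAMPLE_PAOS_BODY))
```

Run `probe("https://wiki.example.org/wiki/")` style calls against the default application and the override separately: a 'redirect' result for the override while the default returns 'paos_authnrequest' narrows the problem to the override's session-initiation path rather than to the client or the IdP.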

