ApplicationOverride and ECP

Eric Dalquist eric.dalquist at
Tue Nov 29 17:10:36 GMT 2011

I think this may be the same issue that we were looking into with 
ScottC's help. I'm out of the office until mid-december so I can't test 
much more but if you look in the archives around 11/15 for a thread 
titled "Re: Delegated Auth with" there is a .cpp file that I was trying 
to add more debugging to (with no success as I have little C++ 
background and my logging was causing segfaults). Scott's guess at that 
point was that the ECP flag was not getting set correctly for app 
override blocks.


On 11/29/11 9:02 AM, Scott Koranda wrote:
> Hello,
> I am working with SP version 2.4.3.
> Inside of<ApplicationDefaults>  I have the following
> <Sessions>  element defined:
> <Sessions lifetime="600" timeout="600" checkAddress="false" relayState="ss:mem"
>      relayStateLimit="exact" postData="ss:mem" postTemplate="/etc/shibboleth/wikiPost.html"
>      cookieProps="; path=/; secure">
>      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
>          entityID="https://my.idp.server/idp/shibboleth">
>          <SessionInitiator type="SAML2" acsIndex="3" ECP="true" />
>          <SessionInitiator type="SAML2" ECP="true" template="bindingTemplate.html" />
>      </SessionInitiator>
>      <LogoutInitiator type="Chaining" Location="/Logout">
>          <LogoutInitiator type="Local" />
>      </LogoutInitiator>
>      <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
>      <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
>      <md:AssertionConsumerService Location="/SAML2/Artifact" index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
>      <md:AssertionConsumerService Location="/SAML2/ECP" index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
>      <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
>      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
>      <Handler type="Status" Location="/Status" acl=""/>
>      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
>      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
> </Sessions>
> Session initiation happens as I expect using a browser and
> ECP works as well.
> I also have this<ApplicationOverride>  defined:
> <ApplicationOverride id="wiki">
>    <Sessions lifetime="86400" timeout="86400" handlerURL="/wiki/Shibboleth.sso" checkAddress="false"
>      relayState="ss:mem" relayStateLimit="exact" postData="ss:mem" postTemplate="/etc/shibboleth/wikiPost.html" cookieProps="; path=/; secure" />
> </ApplicationOverride>
> Session initiation when using a web browser happens as I
> expect (content protection in the Apache httpd configuration
> includes 'ShibRequestSetting applicationId wiki').
> I cannot, however, use the same ECP client to initiate a
> session when attempting to retrieve the same URL that the
> browser retrieves. The SP returns a 302 redirect instead of
> the expected SOAP packet.
> My reading of
> led me to believe that I did not have to define inside of the
> <Sessions>  element inside of<ApplicationOverride>  any
> <SessionInitiator>  or other child elements because they would
> be inherited from the default<ApplicationDefaults>  element.
> What mistake have I made so that I cannot leverage ECP for
> the<ApplicationOverride>?
> Thanks,
> Scott K
> --
> To unsubscribe from this list send an email to users-unsubscribe at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7430 bytes
Desc: S/MIME Cryptographic Signature
Url : 

More information about the users mailing list