ApplicationOverride and ECP
Eric Dalquist
eric.dalquist at doit.wisc.edu
Tue Nov 29 17:10:36 GMT 2011
I think this may be the same issue that we were looking into with
ScottC's help. I'm out of the office until mid-December so I can't test
much more but if you look in the archives around 11/15 for a thread
titled "Re: Delegated Auth with" there is a .cpp file that I was trying
to add more debugging to (with no success as I have little C++
background and my logging was causing segfaults). Scott's guess at that
point was that the ECP flag was not getting set correctly for app
override blocks.
-Eric
On 11/29/11 9:02 AM, Scott Koranda wrote:
> Hello,
>
> I am working with SP version 2.4.3.
>
> Inside of <ApplicationDefaults> I have the following
> <Sessions> element defined:
>
> <Sessions lifetime="600" timeout="600" checkAddress="false" relayState="ss:mem"
> relayStateLimit="exact" postData="ss:mem" postTemplate="/etc/shibboleth/wikiPost.html"
> cookieProps="; path=/; secure">
>
> <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
> entityID="https://my.idp.server/idp/shibboleth">
> <SessionInitiator type="SAML2" acsIndex="3" ECP="true" />
> <SessionInitiator type="SAML2" ECP="true" template="bindingTemplate.html" />
> </SessionInitiator>
>
> <LogoutInitiator type="Chaining" Location="/Logout">
> <LogoutInitiator type="Local" />
> </LogoutInitiator>
>
> <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
> <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
> <md:AssertionConsumerService Location="/SAML2/Artifact" index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
> <md:AssertionConsumerService Location="/SAML2/ECP" index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
>
> <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
>
> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
>
> <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
>
> <Handler type="Session" Location="/Session" showAttributeValues="false"/>
>
> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
> </Sessions>
>
> Session initiation happens as I expect using a browser and
> ECP works as well.
>
> I also have this <ApplicationOverride> defined:
>
> <ApplicationOverride id="wiki">
> <Sessions lifetime="86400" timeout="86400" handlerURL="/wiki/Shibboleth.sso" checkAddress="false"
> relayState="ss:mem" relayStateLimit="exact" postData="ss:mem" postTemplate="/etc/shibboleth/wikiPost.html" cookieProps="; path=/; secure" />
> </ApplicationOverride>
>
> Session initiation when using a web browser happens as I
> expect (content protection in the Apache httpd configuration
> includes 'ShibRequestSetting applicationId wiki').
>
> I cannot, however, use the same ECP client to initiate a
> session when attempting to retrieve the same URL that the
> browser retrieves. The SP returns a 302 redirect instead of
> the expected SOAP packet.
>
> My reading of
>
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride#NativeSPApplicationOverride-InheritanceRules
>
> led me to believe that I did not have to define inside of the
> <Sessions> element inside of <ApplicationOverride> any
> <SessionInitiator> or other child elements because they would
> be inherited from the default <ApplicationDefaults> element.
>
> What mistake have I made so that I cannot leverage ECP for
> the <ApplicationOverride>?
>
> Thanks,
>
> Scott K
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
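A small configuration check written for this thread (it is not code from Scott's or Eric's posts, nor from the Shibboleth project): it parses a shibboleth2.xml and reports, for each ApplicationOverride, whether its own <Sessions> element carries an ECP="true" SessionInitiator or instead relies on inheriting the initiators from <ApplicationDefaults>, which is the shape Scott's "wiki" override has. The sample config and the status labels are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments quoted in the thread; not a real deployment's file.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults id="default" entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="600" timeout="600" checkAddress="false">
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet">
        <SessionInitiator type="SAML2" acsIndex="3" ECP="true"/>
        <SessionInitiator type="SAML2" ECP="true" template="bindingTemplate.html"/>
      </SessionInitiator>
    </Sessions>
    <ApplicationOverride id="wiki">
      <Sessions lifetime="86400" timeout="86400" handlerURL="/wiki/Shibboleth.sso"/>
    </ApplicationOverride>
    <ApplicationOverride id="api">
      <Sessions lifetime="3600" handlerURL="/api/Shibboleth.sso">
        <SessionInitiator type="SAML2" Location="/Login" ECP="true"/>
      </Sessions>
    </ApplicationOverride>
    <ApplicationOverride id="plain"/>
  </ApplicationDefaults>
</SPConfig>
"""


def _local(tag):
    # Strip the XML namespace so the check works with or without the sp:config default namespace.
    return tag.rsplit("}", 1)[-1]


def _has_ecp_initiator(sessions):
    # Look through nested initiators too, since ECP ones usually sit inside a Chaining initiator.
    return any(_local(e.tag) == "SessionInitiator" and e.get("ECP", "").lower() == "true"
               for e in sessions.iter())


def ecp_overrides(config_xml):
    """Map each ApplicationOverride id to one of three (constructed) status labels:
    'inherits-sessions'    - no <Sessions> of its own, so the whole element is inherited
    'explicit-ecp'         - its own <Sessions> declares an ECP="true" SessionInitiator
    'sessions-without-ecp' - redefines <Sessions> but leaves initiators to inheritance (Scott's case)
    """
    root = ET.fromstring(config_xml)
    defaults = next(e for e in root.iter() if _local(e.tag) == "ApplicationDefaults")
    report = {}
    for override in defaults:
        if _local(override.tag) != "ApplicationOverride":
            continue
        sessions = [c for c in override if _local(c.tag) == "Sessions"]
        if not sessions:
            report[override.get("id")] = "inherits-sessions"
        elif _has_ecp_initiator(sessions[0]):
            report[override.get("id")] = "explicit-ecp"
        else:
            report[override.get("id")] = "sessions-without-ecp"
    return report
```

Overrides reported as sessions-without-ecp are the ones to exercise with an ECP client (expecting a SOAP response rather than a 302) before assuming the inherited initiators apply.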