Problem configuring an IdP to support anonymous relying parties
Jon Warbrick
jw35 at cam.ac.uk
Fri Sep 9 12:00:45 BST 2011
On Thu, 1 Sep 2011, Chad La Joie wrote:
> On Sep 1, 2011, at 1:10 PM, Cantor, Scott wrote:
>
>> On 9/1/11 1:05 PM, "Jon Warbrick" <jw35 at cam.ac.uk> wrote:
>>>
>>> I've added the various <ProfileConfiguration> elements to the
>>> <AnonymousRelyingParty> section of relying-party.xml, and that seems to be
>>> sufficient to allow an authentication request to proceed, but a subsequent
>>> attribute request fails with "Authentication via client certificate failed
>>> for context presenter entity ID ...", followed by "Message did not meet
>>> security requirements". This isn't entirely surprising, since the SP is
>>> using a self-signed certificate and, without metadata, the IdP has no way
>>> to validate it, but it's not what I want. What am I not doing to also
>>> allow attribute queries from anonymous SPs?
>>
>> Possible guess...define a custom security policy and link that to the
>> profile handler in the Anonymous block?
>
> Yes, that's what you'd have to do.
OK, thanks. But I must be missing something...
I can see the existing <SecurityPolicy> blocks and I think I can see how
to create modified versions of those for
id=shibboleth.SAML1AttributeQuerySecurityPolicy and
id=shibboleth.SAML1ArtifactResolutionSecurityPolicy that will do what I
want.
But I can't see how to link these back to the profile handlers in the
<AnonymousRelyingParty> block. According to both the wiki and the default
config file, neither the <AnonymousRelyingParty> nor
<ProfileConfiguration> blocks seem to contain anything that references a
<SecurityPolicy> (indeed, I can't even see how the various default
<SecurityPolicy>s are linked to their corresponding profile handlers
unless by implicit, invisible rules).
Please, what am I missing?
Jon.
--
Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge