Unable to establish security of incoming assertion.
Sangeet Mehta (UST, IND)
Sangeet.Mehta at ust-global.com
Tue Sep 13 04:56:22 BST 2011
Yes. IDP also needs to know about SP. Typically you'd put this
information in the conf files of IDP located at
"IDP_HOME/conf/relying-party.xml"
Here is what I have in the relying-party.xml
<rp:AnonymousRelyingParty
provider="https://my.domain.com:8443/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential"
/>
<rp:DefaultRelyingParty
provider="https://my.domain.com:8443/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential"/>
<!--
Each attribute in these profiles configuration is set to its default value,
that is, the values that would be in effect if those attributes were not present.
We list them here so that people are aware of them (since they seem reluctant to
read the documentation).
-->
<rp:RelyingParty id="https://my.domain.com/shibboleth"
provider="https://my.domain.com:8443/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
includeAttributeStatement="true"
assertionLifetime="PT5M"
assertionProxyCount="0"
signResponses="always"
signAssertions="always"
encryptAssertions="never"
encryptNameIds="never" />
</rp:RelyingParty>
<metadata:MetadataProvider id="SPMetaData"
xsi:type="metadata:ResourceBackedMetadataProvider">
<metadata:MetadataResource
xsi:type="resource:FilesystemResource"
file="IDP_HOME/metadata/SP-metadata.xml" />
</metadata:MetadataProvider>
You specify the SP as a relying party and also point to the SP's metadata
in a locally stored file. In my example I am only using the SAML2SSO
profile. The default relying-party.xml comes with other profiles too.
Thanks
sangeet
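The two replies above together describe four documents that must agree before an SP will accept an IdP's assertion: the SP's shibboleth2.xml (ApplicationDefaults entityID and SSO entityID), the IdP's metadata as loaded by the SP, the IdP's relying-party.xml, and the SP metadata loaded by the IdP. The following is an added example, not code from the thread or from the Shibboleth project: a small Python checker that reads those four documents and reports each mismatch, plus the case where the IdP metadata carries no signing certificate (which also leaves the SP unable to verify the assertion signature). The sample XML fragments, the hostnames, and the function name check_trust_config are constructed for this example; real files contain many more elements than the ones read here.

```python
"""Cross-check the entityIDs and signing key that tie a Shibboleth SP to its IdP.

Example code written for this page, not part of Shibboleth. The sample
documents below are constructed and trimmed to the elements the check reads.
"""
import xml.etree.ElementTree as ET

NS = {
    "sp": "urn:mace:shibboleth:2.0:native:sp:config",  # shibboleth2.xml
    "rp": "urn:mace:shibboleth:2.0:relying-party",     # relying-party.xml (IdP v2)
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",      # SAML 2.0 metadata
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the SP side (shibboleth2.xml).
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://my.domain.com/shibboleth" attributePrefix="AJP_">
    <Sessions>
      <SSO entityID="https://my.domain.com:8443/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: IdP metadata as the SP loads it (certificate is a placeholder).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://my.domain.com:8443/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: the IdP's relying-party.xml, reduced to the relying party entries.
RELYING_PARTY = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party">
  <rp:DefaultRelyingParty provider="https://my.domain.com:8443/idp/shibboleth"/>
  <rp:RelyingParty id="https://my.domain.com/shibboleth"
      provider="https://my.domain.com:8443/idp/shibboleth"/>
</rp:RelyingPartyGroup>"""

# Constructed sample: SP metadata as the IdP loads it from IDP_HOME/metadata.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://my.domain.com/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""


def check_trust_config(sp_config, idp_metadata, relying_party, sp_metadata):
    """Return a list of problems found; an empty list means the four documents agree."""
    problems = []

    # What the SP calls itself, and which IdP it will send AuthnRequests to.
    app = ET.fromstring(sp_config).find("sp:ApplicationDefaults", NS)
    sp_entity = app.get("entityID")
    wanted_idp = app.find(".//sp:SSO", NS).get("entityID")

    # The SP resolves the IdP by entityID in the metadata it loaded, so the
    # EntityDescriptor must carry exactly that value.
    idp_root = ET.fromstring(idp_metadata)
    idp_entity = idp_root.get("entityID")
    if idp_entity != wanted_idp:
        problems.append(f"SP asks for IdP {wanted_idp!r} but loaded IdP metadata is for {idp_entity!r}")
    idp_desc = idp_root.find("md:IDPSSODescriptor", NS)
    if idp_desc is None:
        problems.append("IdP metadata has no IDPSSODescriptor")
    else:
        # A KeyDescriptor with use="signing" (or no use attribute) and an X.509
        # certificate is what the SP uses to verify the assertion signature.
        has_signing = any(
            kd.get("use") in (None, "signing") and kd.find(".//ds:X509Certificate", NS) is not None
            for kd in idp_desc.findall("md:KeyDescriptor", NS)
        )
        if not has_signing:
            problems.append("IdP metadata carries no signing certificate; assertion signatures cannot be verified")

    # On the IdP, the RelyingParty id must be the SP's entityID and provider the IdP's own.
    rps = {rp.get("id"): rp for rp in ET.fromstring(relying_party).findall("rp:RelyingParty", NS)}
    rp = rps.get(sp_entity)
    if rp is None:
        problems.append(f"relying-party.xml has no RelyingParty id={sp_entity!r}; DefaultRelyingParty settings apply")
    elif rp.get("provider") != wanted_idp:
        problems.append(f"RelyingParty provider {rp.get('provider')!r} differs from IdP entityID {wanted_idp!r}")

    # The SP metadata the IdP loads must describe the same entityID the SP uses.
    spmd_entity = ET.fromstring(sp_metadata).get("entityID")
    if spmd_entity != sp_entity:
        problems.append(f"SP metadata on the IdP is for {spmd_entity!r}, SP config uses {sp_entity!r}")
    return problems


if __name__ == "__main__":
    for line in check_trust_config(SP_CONFIG, IDP_METADATA, RELYING_PARTY, SP_METADATA) or ["consistent"]:
        print(line)
```

Run against the real files by reading them in place of the constructed strings. The check is purely offline and only compares identifiers and the presence of a signing certificate; it cannot tell whether the certificate in the IdP metadata is the one the IdP actually signs with (the IdPCredential referenced above), so if everything here agrees and the error persists, compare that certificate against the IdP's configured signing credential next.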
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net]
On Behalf Of Pavan K
Sent: Tuesday, September 13, 2011 5:59 AM
To: Shib Users
Subject: Re: Unable to establish security of incoming assertion.
Thank you Sangeet. Do we need to specify the SP entityID anywhere in the IDP
metadata? I used the same configuration as you mentioned but it didn't
work.
--Pavan
On Wed, Sep 7, 2011 at 4:57 AM, Sangeet Mehta (UST, IND)
<Sangeet.Mehta at ust-global.com> wrote:
Pavan,
In my case for the shibboleth2.xml
SP is specified in
<ApplicationDefaults entityID="https://my.domain.com/shibboleth"
attributePrefix="AJP_">
IDP is specified in
<SSO entityID="https://my.domain.com:8443/idp/shibboleth"> SAML2 SAML1
</SSO>
Thanks
sangeet
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net]
On Behalf Of Pavan K
Sent: Wednesday, September 07, 2011 6:13 AM
To: Shib Users
Subject: Re: Unable to establish security of incoming assertion.
Thank you Nate.
The IDP's metadata has successfully loaded into the SP. I found the related
messages in "shibd.log". And the entityID in the IDP's metadata is
"https://<machineA>:8443/idp/shibboleth". Is there any specific
restriction on the "entityID" of "<ApplicationDefaults>" in the
"shibboleth2.xml" file in the SP?
Thanks,
Pavan
On Tue, Sep 6, 2011 at 5:36 PM, Nate Klingenstein <ndk at internet2.edu>
wrote:
Pavan,
You need to ensure that your SP is loading your IdP's metadata, and that
the EntityDescriptor entityID in your IdP's metadata is
https://<machineA>:8443/idp/shibboleth. You may find a problem related
to failure to load the metadata during startup of your SP.
Hope this helps,
Nate.
On Sep 7, 2011, at 0:27 , Pavan K wrote:
Do we need to load the SP metadata on IDP? Is there any configuration i
am missing?
--
To unsubscribe from this list send an email to
users-unsubscribe at shibboleth.net