CAS Shib issues

Nate Klingenstein ndk at internet2.edu
Fri Sep 16 19:13:08 BST 2011


Terry,

For standard Shibboleth rather than CASShib, the endpoint as described  
in the metadata would be correct.  The first one, in the request as  
generated by Shibboleth for CASShib I presume, may or may not be  
correct -- it's not our code nor our product.  From a quick glance at  
their guide at:

http://code.google.com/p/casshib/wiki/ShibbolethApacheTomcatInstallationAndConfigurationForCASShib

It would be the special Sessions element handlerURL described there  
that is causing the mismatch.

I don't have the spare cycles at this very moment to investigate how  
CASShib works in more detail, but you can try modifying the SP  
metadata as loaded by the IdP so that the AssertionConsumerService  
Location attribute matches that in the AuthnRequest, e.g. https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST.

             <AssertionConsumerService index="1" isDefault="true"
                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                 Location="https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST"/>

That will resolve the immediate complaint of the IdP.  You may  
encounter other issues.  If they're primarily related to CASShib, then  
you might try their mailing list at:

http://groups.google.com/group/casshib

How I wish I was in Sherbrooke now,
Nate.

On Sep 16, 2011, at 17:51 , Terry Soucy wrote:

> Heya,
>
> We just installed our first IdP (latest version) and SP (again, latest
> version in the yum repository) and are having some issues with the
> CASShib module.  We are able to auth to the IdP without error with
> apache, but once we put CASShib into the mix, we get errors.
>
> The assertion is telling the IdP that the endpoint is
> https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST,
> but the metadata says that the ACS is
> https://myunbtest.its.unb.ca/Shibboleth.sso/SAML2/POST.  We tried
> modifying the handlerURL on the SP, but that doesn't update the metadata
> information.  What are we missing?
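
The mismatch discussed in this thread can be reproduced offline with the sketch below, which is an added example and not code from the thread, Shibboleth or CASShib. It compares the endpoint an AuthnRequest asks for against the AssertionConsumerService entries in the SP metadata. The entityID, request ID and the exact-string comparison are assumptions; the two URLs are the ones quoted above.

```python
import xml.etree.ElementTree as ET  # sample input is inline; use a hardened parser for untrusted XML

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
OLD_ACS = "https://myunbtest.its.unb.ca/Shibboleth.sso/SAML2/POST"
NEW_ACS = "https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST"

# Constructed sample input: entityID and request ID are placeholders.
SP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{OLD_ACS}"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

AUTHN_REQUEST = f"""<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2011-09-16T17:51:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{NEW_ACS}"/>"""


def registered_acs(metadata_xml):
    """Return the set of (Binding, Location) pairs the SP metadata declares."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iter(MD + "AssertionConsumerService")}


def requested_acs(request_xml):
    """Return (ProtocolBinding, AssertionConsumerServiceURL) from the request."""
    root = ET.fromstring(request_xml)
    return (root.get("ProtocolBinding"), root.get("AssertionConsumerServiceURL"))


def acs_matches(request_xml, metadata_xml):
    """Assumed check: the requested endpoint must appear verbatim in the metadata."""
    return requested_acs(request_xml) in registered_acs(metadata_xml)


if __name__ == "__main__":
    print("requested :", requested_acs(AUTHN_REQUEST))
    for pair in sorted(registered_acs(SP_METADATA)):
        print("registered:", pair)
    print("match     :", acs_matches(AUTHN_REQUEST, SP_METADATA))
```

Running the same check against a copy of the metadata whose Location has been changed to the CASShib URL shows the request being accepted.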
