CAS Shib issues

Nate Klingenstein ndk at internet2.edu
Fri Sep 16 19:22:34 BST 2011


I should add that this falls into the category of non-trivial  
deployment, and as such, you'll have to maintain a metadata file that  
describes the SP yourself and not rely on the built-in generator, if  
you were using that.  You can certainly use what the generator spits  
out as a starting point, and you shouldn't need to change more than  
the AssertionConsumerService Location I referenced in the first  
email.  Host it anywhere, or load it as a file.

On Sep 16, 2011, at 18:13 , Nate Klingenstein wrote:

> Terry,
>
> For standard Shibboleth rather than CASShib, the endpoint as  
> described in the metadata would be correct.  The first one, in the  
> request as generated by Shibboleth for CASShib I presume, may or may  
> not be correct -- it's not our code nor our product.  From a quick  
> glance at their guide at:
>
> http://code.google.com/p/casshib/wiki/ShibbolethApacheTomcatInstallationAndConfigurationForCASShib
>
> It would be the special Sessions element handlerURL described there  
> that is causing the mismatch.
>
> I don't have the spare cycles at this very moment to investigate how  
> CASShib works in more detail, but you can try modifying the SP  
> metadata as loaded by the IdP so that the AssertionConsumerService  
> Location attribute matches that in the AuthnRequest, e.g.
> https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST.
>
>             <AssertionConsumerService index="1" isDefault="true"
>                 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>                 Location="https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST"/>
>
> That will resolve the immediate complaint of the IdP.  You may  
> encounter other issues.  If they're primarily related to CASShib,  
> then you might try their mailing list at:
>
> http://groups.google.com/group/casshib
>
> How I wish I was in Sherbrooke now,
> Nate.
>
> On Sep 16, 2011, at 17:51 , Terry Soucy wrote:
>
>> Heya,
>>
>> We just installed our first IdP (latest version) and SP (again, latest
>> version in the yum repository) and are having some issues with the
>> CASShib module.  We are able to auth to the IdP without error with
>> apache, but once we put CASShib into the mix, we get errors.
>>
>> The assertion is telling the IdP that the endpoint is
>> https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST,
>> but the metadata says that the ACS is
>> https://myunbtest.its.unb.ca/Shibboleth.sso/SAML2/POST.  We tried
>> modifying the handlerURL on the SP, but that doesn't update the metadata
>> information.  What are we missing?
>
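
The mismatch discussed in this thread can be checked offline before the IdP reloads the SP metadata. The following is an added example, not part of the original emails and not Shibboleth or CASShib code; the entityID, request ID and timestamp are constructed placeholders, and exact string comparison of binding and location is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# The two endpoint URLs quoted in the thread.
GENERATED = "https://myunbtest.its.unb.ca/Shibboleth.sso/SAML2/POST"
CASSHIB = "https://myunbtest.its.unb.ca/casshib/shib/myunb/Shibboleth.sso/SAML2/POST"

# Constructed samples: entityID, ID and IssueInstant are placeholders.
METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="{binding}" Location="{location}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed" Version="2.0" IssueInstant="2011-09-16T17:51:00Z"
    ProtocolBinding="{binding}" AssertionConsumerServiceURL="{location}"/>""".format(
    binding=POST, location=CASSHIB)

def metadata_acs(metadata_xml):
    """Return the (Binding, Location) pairs registered for the SP in metadata."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return {(e.get("Binding"), e.get("Location")) for e in root.iterfind(path, NS)}

def requested_acs(authn_request_xml):
    """Return (ProtocolBinding, AssertionConsumerServiceURL) from an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("ProtocolBinding"), root.get("AssertionConsumerServiceURL")

def endpoint_registered(metadata_xml, authn_request_xml):
    """True if the endpoint named in the request appears in the SP metadata."""
    binding, url = requested_acs(authn_request_xml)
    if url is None:
        return True  # request names no endpoint, so the metadata default applies
    return any(loc == url and binding in (None, b)
               for b, loc in metadata_acs(metadata_xml))

if __name__ == "__main__":
    for label, loc in (("generated", GENERATED), ("hand-edited", CASSHIB)):
        md = METADATA_TEMPLATE.format(binding=POST, location=loc)
        print(label, "metadata matches request:", endpoint_registered(md, AUTHN_REQUEST))
```
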
