IdP/SP connection
enache alex
alex_e_fii at yahoo.com
Fri Jan 20 10:32:57 GMT 2012
I'm having trouble figuring out how exactly the IdP knows to which endpoint to send the assertion. For example, the IdP receives an AuthnRequest and it must issue the assertion. But how does the IdP choose to which endpoint of the SP to send that assertion? Some configuration excerpts would be great.
Here's the AuthnRequest the IdP receives:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://machine:8080/appName/ConsumeSAML20Response" ID="_45b9055d-3813-4b10-9ca6-abc38d269e99" IssueInstant="2012-01-19T16:22:44" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://machine</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
and here's the log:
WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:287] - No metadata for relying party http://machine, treating party as anonymous
WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:199] - SAML 2 SSO profile is not configured for relying party http://machine
DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:323] - LoginContext key cookie was not present in request
DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display
The relying-party.xml file contains this:
<rp:AnonymousRelyingParty provider="https://machine/idp/shibboleth" defaultSigningCredentialRef="IdPCredential"/>
<rp:DefaultRelyingParty provider="https://machine/idp/shibboleth" defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol">
I have made the Issuer of the authentication request be http://machine/idp/shibboleth, but it returns the same.
Any help with this would be greatly appreciated.
Thanks,
Alex
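Added example (not code from this thread or from the Shibboleth IdP itself): the endpoint an IdP sends the Response to is not taken from the AuthnRequest on trust; it is looked up in the SP's registered metadata, keyed by the request's Issuer, and an AssertionConsumerServiceURL in the request is honoured only when it matches an endpoint in that metadata. Otherwise an unsigned AuthnRequest could redirect a user's assertion to any URL of the sender's choosing. The first log line above ("No metadata for relying party http://machine") is exactly that lookup failing. The SP metadata below is constructed: the entityID, the POST endpoint and the hostnames come from the post, while the second (HTTP-Artifact) endpoint, the request-builder helper and the function names are assumptions made for the example.

```python
"""Endpoint selection for a SAML 2.0 AuthnRequest, driven by SP metadata (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
SP_ENTITY_ID = "http://machine"  # must equal the Issuer of the AuthnRequest
ACS_POST = "http://machine:8080/appName/ConsumeSAML20Response"
ACS_ARTIFACT = "http://machine:8080/appName/ConsumeArtifact"  # constructed second endpoint

# Constructed SP metadata: this is what the IdP consults, not the request itself.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="%s">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true" Binding="%s" Location="%s"/>
    <md:AssertionConsumerService index="2" Binding="%s" Location="%s"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (SP_ENTITY_ID, HTTP_POST, ACS_POST, HTTP_ARTIFACT, ACS_ARTIFACT)


def make_request(issuer=SP_ENTITY_ID, acs_url=None, binding=None, index=None):
    """Build a minimal AuthnRequest shaped like the one in the post (hypothetical helper)."""
    attrs = ['ID="_45b9055d-3813-4b10-9ca6-abc38d269e99"', 'Version="2.0"',
             'IssueInstant="2012-01-19T16:22:44Z"']
    if acs_url is not None:
        attrs.append('AssertionConsumerServiceURL="%s"' % acs_url)
    if binding is not None:
        attrs.append('ProtocolBinding="%s"' % binding)
    if index is not None:
        attrs.append('AssertionConsumerServiceIndex="%d"' % index)
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" %s>'
            '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
            % (NS["samlp"], NS["saml"], " ".join(attrs), issuer))


def load_sp_endpoints(metadata_xml):
    """Map entityID -> list of AssertionConsumerService endpoints found in the metadata."""
    root = ET.fromstring(metadata_xml)
    # Accept a lone EntityDescriptor or an EntitiesDescriptor aggregate.
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        descriptors = [root]
    else:
        descriptors = root.findall("md:EntityDescriptor", NS)
    endpoints = {}
    for ed in descriptors:
        acs = ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        endpoints[ed.get("entityID")] = [
            {"binding": e.get("Binding"), "location": e.get("Location"),
             "index": int(e.get("index")), "default": e.get("isDefault") == "true"}
            for e in acs]
    return endpoints


def select_acs(authn_request_xml, endpoints):
    """Return (binding, location) the Response must go to, or raise ValueError.

    Rules (SAML 2.0 Core, AuthnRequest processing): the Issuer must be a known
    relying party; an explicit AssertionConsumerServiceURL (plus ProtocolBinding,
    if given) is accepted only if it is registered in metadata; an
    AssertionConsumerServiceIndex selects by index; otherwise the default endpoint.
    """
    req = ET.fromstring(authn_request_xml)
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    candidates = endpoints.get(issuer)
    if not candidates:
        raise ValueError("no metadata for relying party %r" % issuer)
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    index = req.get("AssertionConsumerServiceIndex")
    if url is not None:
        for e in candidates:
            if e["location"] == url and (binding is None or e["binding"] == binding):
                return e["binding"], e["location"]
        raise ValueError("AssertionConsumerServiceURL %r not registered for %r" % (url, issuer))
    if index is not None:
        for e in candidates:
            if e["index"] == int(index):
                return e["binding"], e["location"]
        raise ValueError("no endpoint with index %s for %r" % (index, issuer))
    default = next((e for e in candidates if e["default"]), candidates[0])
    return default["binding"], default["location"]


ENDPOINTS = load_sp_endpoints(SP_METADATA)
POSTED_REQUEST = make_request(acs_url=ACS_POST, binding=HTTP_POST)


def rejected(request_xml, endpoints=ENDPOINTS):
    """True when the IdP would refuse to pick an endpoint for this request."""
    try:
        select_acs(request_xml, endpoints)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(select_acs(POSTED_REQUEST, ENDPOINTS))
    print("unregistered issuer rejected:", rejected(make_request(issuer="http://machine/idp/shibboleth")))
    print("tampered ACS URL rejected:", rejected(make_request(acs_url="http://attacker.invalid/acs")))
```

Running it shows the posted request resolving to the HTTP-POST endpoint, while a request whose Issuer has no metadata, or whose AssertionConsumerServiceURL is not registered for that Issuer, gets no endpoint at all. In Shibboleth IdP 2.x terms that means the SP's metadata (entityID equal to the request's Issuer) has to be loaded through a metadata provider before the IdP can resolve an endpoint, and the relying party that ends up handling the request needs a SAML 2 SSO profile configuration, which the second warning in the log says the anonymous relying party does not have.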