IdP/SP connection

Rod Widdowson rdw at steadingsoftware.com
Fri Jan 20 11:54:19 GMT 2012


> how exactly does the IdP know to which end point to send the
> assertion

Amongst other things (and primarily) it looks it up in the metadata.  In this case the SP thinks that it is called "http://machine"
(which feels odd to me).  So you either need to teach the SP what it is really called or you need to make sure that your metadata
feed includes metadata for this entity.


> -----Original Message-----
> From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of enache alex
> Sent: 20 January 2012 10:33
> To: users at shibboleth.net
> Subject: IdP/SP connection
> 
> I'm having trouble figuring out how exactly the IdP knows to which end point to send the
> assertion. For example, the IdP receives an AuthnRequest and it must issue the assertion. But how does
> the IdP choose to which end point of the SP to send that assertion? Some configuration excerpts would
> be great.
> 
> Here's the AuthnRequest the IdP receives:
> <?xml version="1.0" encoding="UTF-8"?>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     AssertionConsumerServiceURL="http://machine:8080/appName/ConsumeSAML20Response"
>     ID="_45b9055d-3813-4b10-9ca6-abc38d269e99" IssueInstant="2012-01-19T16:22:44"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
>    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://machine</saml:Issuer>
>    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
>    <samlp:RequestedAuthnContext Comparison="exact"/>
>    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
> </samlp:AuthnRequest>
> and here's the log:
> 
> WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:287] - No metadata for relying party http://machine, treating party as anonymous
> WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:199] - SAML 2 SSO profile is not configured for relying party http://machine
> DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:323] - LoginContext key cookie was not present in request
> DEBUG [edu.internet2.middleware.shibboleth.idp.ui.ServiceContactTag:177] - No relying party, nothing to display
> 
> The relying-party.xml file contains this:
>     <rp:AnonymousRelyingParty provider="https://machine/idp/shibboleth"
> defaultSigningCredentialRef="IdPCredential"/>
>     <rp:DefaultRelyingParty provider="https://machine/idp/shibboleth"
> defaultSigningCredentialRef="IdPCredential"
>         defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol">
> 
> I have made the Issuer of the authentication request be
> http://machine/idp/shibboleth, but it returns the same.
> 
> Any help with this would be greatly appreciated.
> 
> Thanks,
> Alex
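To make the lookup Rod describes concrete, here is an added example (not code from the thread or from Shibboleth) that does what the IdP does with the request above: take the Issuer, find that entityID in the SP metadata, and only then accept an AssertionConsumerService endpoint that the metadata actually registers. The SP metadata document is constructed for this example; the AuthnRequest is the one from the thread, reduced to the attributes the lookup needs.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata for the entityID the SP in the thread calls itself.
# Without an entry like this the IdP logs "No metadata for relying party".
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://machine">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://machine:8080/appName/ConsumeSAML20Response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The AuthnRequest from the thread, reduced to the parts the lookup needs.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://machine:8080/appName/ConsumeSAML20Response"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    ID="_45b9055d-3813-4b10-9ca6-abc38d269e99" IssueInstant="2012-01-19T16:22:44">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://machine</saml:Issuer>
</samlp:AuthnRequest>"""

def load_sp_endpoints(metadata_xml):
    """Map entityID -> list of (binding, location) ACS endpoints, default first."""
    root = ET.fromstring(metadata_xml)
    feed = {}
    # iter() also yields the root, so a single EntityDescriptor or an
    # EntitiesDescriptor aggregate both work.
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        acs = ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        acs.sort(key=lambda e: e.get("isDefault") != "true")  # default sorts first
        feed[ed.get("entityID")] = [(e.get("Binding"), e.get("Location")) for e in acs]
    return feed

def resolve_acs(request_xml, feed):
    """Return ((binding, location), reason); the endpoint is None if the IdP must refuse."""
    req = ET.fromstring(request_xml)
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer not in feed:
        return None, "No metadata for relying party %s" % issuer
    endpoints = feed[issuer]
    if req.get("AssertionConsumerServiceURL") is None:
        return endpoints[0], "default endpoint from metadata"
    wanted = (req.get("ProtocolBinding") or HTTP_POST, req.get("AssertionConsumerServiceURL"))
    if wanted in endpoints:
        return wanted, "requested endpoint verified against metadata"
    return None, "requested endpoint %s not registered for %s" % (wanted[1], issuer)
```

The request is refused both when the Issuer has no metadata (the situation in the thread) and when the metadata exists but does not list the requested AssertionConsumerServiceURL and binding, so a request cannot redirect an assertion to an endpoint the SP never registered.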


