Make IdP omit inResponseTo

Nanda Kumar NKK at FISCHERINTERNATIONAL.COM
Wed Jan 25 13:41:27 GMT 2012


What is the format of the request expected for the unsolicited SSO over SAML 2?
I tried sending the base64-encoded, DEFLATE-compressed request to the /idp/profile/SAML2/Unsolicited/SSO endpoint.
It did not work.

Nanda  

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Brent Putman
Sent: Tuesday, January 24, 2012 3:36 PM
To: users at shibboleth.net
Subject: Re: Make IdP omit inResponseTo

Support for unsolicited SSO over SAML 2 was added to the IdP 2.x in some recent version.  I think this is what you are looking for:

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO




On 1/24/12 3:23 PM, Nanda Kumar wrote:
> Using the Shibboleth SSO protocol with SAML 2, how can the IdP be made to omit the inResponseTo from the response?
> 
> -----Original Message-----
> From: users-bounces at shibboleth.net 
> [mailto:users-bounces at shibboleth.net] On Behalf Of Chad La Joie
> Sent: Tuesday, January 24, 2012 3:18 PM
> To: Shib Users
> Subject: Re: Make IdP omit inResponseTo
> 
> I don't know what "it" is, but the Shibboleth SSO requests for SAML are documented with the rest of the IdP documentation.
> 
> On Tue, Jan 24, 2012 at 14:48, Nanda Kumar <NKK at fischerinternational.com> wrote:
>> How can I get it to work using the Shibboleth SSO protocol with SAML 2?
>>
>> -----Original Message-----
>> From: users-bounces at shibboleth.net
>> [mailto:users-bounces at shibboleth.net] On Behalf Of Chad La Joie
>> Sent: Tuesday, January 24, 2012 2:42 PM
>> To: Shib Users
>> Subject: Re: Make IdP omit inResponseTo
>>
>> SIDP-461 is discussing the use of the Shibboleth SSO protocol with SAML 2 (previously it only worked for SAML 1).  If you're dealing with a <samlp:AuthnRequest> then you're not dealing with the Shibboleth SSO protocol.  So, if you're dealing with the SAML messages, then you need to follow the SAML spec.
>>
>> On Tue, Jan 24, 2012 at 14:34, Nanda Kumar <NKK at fischerinternational.com> wrote:
>>> SIDP-461 states
>>>
>>> "Finally, the whole point of this exercise is to signal that the IdP should omit InResponseTo. We can't do this by the absence of a messageID, because the replay support we added to 2.2.1 mocks up a messageID for legacy protocol requests. Chad suggested using a profile handler option, but I would rather that deployers didn't have to turn this off for all responses from the profile handler, mainly because the SP at some point might start enforcing the InResponseTo check."
>>>
>>> The intention of this fix, as I understand it, is to selectively send inResponseTo.  How can the IdP be made to omit InResponseTo?
>>>
>>> Nanda
>>>
>>> -----Original Message-----
>>> From: users-bounces at shibboleth.net
>>> [mailto:users-bounces at shibboleth.net] On Behalf Of Chad La Joie
>>> Sent: Tuesday, January 24, 2012 2:25 PM
>>> To: Shib Users
>>> Subject: Re: Make IdP omit inResponseTo
>>>
>>> If the incoming request contains a request ID the IdP is required to send it back.  There is no way to disable that.
>>>
>>> On Tue, Jan 24, 2012 at 14:17, Nanda Kumar <NKK at fischerinternational.com> wrote:
>>>> Hello,
>>>>
>>>>     In an IdP-initiated SSO scenario, how can I make the IdP
>>>> omit inResponseTo?
>>>>
>>>> I have seen SIDP-461, but couldn't figure out how to make the IdP
>>>> set the unsolicited flag.
>>>>
>>>> Is that controlled by setting an attribute on the
>>>> samlp:AuthnRequest XML element?
>>>>
>>>>
>>>>
>>>> Thanks
>>>>
>>>> Nanda
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list send an email to 
>>>> users-unsubscribe at shibboleth.net
>>>
>>>
>>>
>>> --
>>> Chad La Joie
>>> www.itumi.biz
>>> trusted identities, delivered
>>
>>
>>
>> --
>> Chad La Joie
>> www.itumi.biz
>> trusted identities, delivered
> 
> 
> 
> --
> Chad La Joie
> www.itumi.biz
> trusted identities, delivered
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
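
The SIDP-461 quote in this thread hinges on an SP that may enforce the InResponseTo check. As an added example (not part of the thread and not Shibboleth's code), the Python below shows that SP-side check: a Response carrying InResponseTo must match an outstanding request exactly once, and one without it is accepted only if unsolicited SSO is allowed. `RequestTracker`, `InResponseToError` and `sample_response` are hypothetical names, the XML is a constructed unsigned sample, and signature validation is assumed to have happened already.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

class InResponseToError(Exception):
    pass

class RequestTracker:
    """Hypothetical SP-side record of AuthnRequest IDs still awaiting a response."""

    def __init__(self, allow_unsolicited):
        self.allow_unsolicited = allow_unsolicited
        self._pending = set()

    def issued(self, request_id):
        self._pending.add(request_id)

    def check(self, response_xml):
        # Assumes the signature was verified earlier; this is only the InResponseTo step.
        root = ET.fromstring(response_xml)
        if root.tag != "{%s}Response" % SAMLP_NS:
            raise InResponseToError("not a samlp:Response")
        irt = root.get("InResponseTo")
        # Strict policy of this example: SubjectConfirmationData must agree with the Response.
        for scd in root.iter("{%s}SubjectConfirmationData" % SAML_NS):
            if scd.get("InResponseTo") != irt:
                raise InResponseToError("SubjectConfirmationData InResponseTo mismatch")
        if irt is None:
            if not self.allow_unsolicited:
                raise InResponseToError("unsolicited response rejected by policy")
            return "unsolicited"
        if irt not in self._pending:
            raise InResponseToError("InResponseTo matches no outstanding request")
        self._pending.discard(irt)  # one-time use: a replayed response no longer matches
        return "solicited"

def sample_response(irt=None, scd_irt=None):
    """Constructed, unsigned sample Response used only for this demonstration."""
    a = ' InResponseTo="%s"' % irt if irt else ""
    b = ' InResponseTo="%s"' % scd_irt if scd_irt else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1"%s>'
            '<saml:Assertion><saml:Subject><saml:SubjectConfirmation>'
            '<saml:SubjectConfirmationData%s/></saml:SubjectConfirmation>'
            '</saml:Subject></saml:Assertion></samlp:Response>') % (SAMLP_NS, SAML_NS, a, b)

if __name__ == "__main__":
    sp = RequestTracker(allow_unsolicited=True)
    sp.issued("_req1")
    print(sp.check(sample_response("_req1", "_req1")), sp.check(sample_response()))
```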

