Salesforce with Shibboleth IdP

Eric Goodman ericg at ucsc.edu
Mon Jun 11 19:16:54 BST 2012


This is not really answering your direct question, but tangentially we had
this issue with a different vendor.

Our solution was to verify that the vendor's SAML client still verified the
message signature. Knowing the signature was checked, that SSL was being
used on all of the SAML transactions, and that the data being sent was
relatively benign (ePPN in this case), we got the okay to integrate without
encrypted assertions.

--- Eric

On Mon, Jun 11, 2012 at 10:33 AM, Keith Hazelton <hazelton at doit.wisc.edu> wrote:

> Warren,
>
> So that would lead me to ask Michael Chale--are you dropping Salesforce?
> If not, how are you addressing the conflict about encrypted vs.
> unencrypted?
>
>       --Keith
> ________________
> On Jun 11, 2012, at 13:23:55, Curry, Warren wrote:
>
> > Andrew,
> >
> > I guess this response from Mike Chale at UF - College of Business was
> > bounced back to him; I am forwarding it on to the list. We had an issue
> > due to required encryption at UF.
> > Warren
> > ==================================.
> >
> > Good afternoon, Andrew
> >
> >
> > We tried to use Shibboleth as an IdP but ran into a few stumbling
> > blocks, one of which was a show-stopper - Salesforce cannot handle
> > encrypted responses from the IdP and our university's current policy is to
> > only provide encrypted responses.
> >
> > If you would like to discuss any further details I would be happy to
> > help you out.
> >
> >
> >  Michael Chale
> >  Solutions Engineer
> >  Technology Solutions
> >
> > -----Original Message-----
> > From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Andrew Morgan
> > Sent: Monday, June 11, 2012 12:52 PM
> > To: Shib Users
> > Subject: Re: Salesforce with Shibboleth IdP
> >
> > On Fri, 8 Jun 2012, Peter Schober wrote:
> >
> >> * Andrew Morgan <morgan at orst.edu> [2012-06-07 18:42]:
> >>>   Login Error
> >>>   Your login attempt using single sign-on with an identity provider
> >>>   certificate has failed. Please contact your salesforce.com administrator
> >>>   for more information.
> >>
> >> If all else fails you could try just that?
> >> -peter
> >
> > Unfortunately, my co-worker is the administrator and we are both trying
> > to understand what is going wrong!  :)
> >
> > We have tried using Salesforce's SAML assertion validator, but that
> > doesn't raise any errors.  I was hoping someone might have experience with
> > Salesforce, or at least have a working Shibboleth-Salesforce setup that I
> > could compare against.
> >
> > Thanks,
> >       Andy
> > --
> > To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
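The conditions in the reply at the top of this thread (signature present, SAML traffic over SSL, only a benign attribute such as ePPN released) can be partly checked from the IdP side against a decoded response. The following is an added example, not code from the thread or from Shibboleth or Salesforce; the sample response, the `sp.example.org` endpoint and the `review_response` helper are constructed for illustration. It checks only that a signature element is present; whether the vendor's SAML client actually verifies it still has to be tested against the vendor.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName

# Constructed sample: a decoded SAML 2.0 Response with an unencrypted assertion.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://sp.example.org/acs">
  <saml:Assertion>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def review_response(xml_text, allowed=frozenset({EPPN_OID})):
    """Return findings that would block releasing an unencrypted assertion."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return findings  # assertion is encrypted; no attributes in cleartext
    # A signature on the Response or on the Assertion covers the attributes.
    signed = (root.find("ds:Signature", NS) is not None
              or root.find("saml:Assertion/ds:Signature", NS) is not None)
    if not signed:
        findings.append("no signature on Response or Assertion")
    if not root.get("Destination", "").lower().startswith("https://"):
        findings.append("Destination is not an https:// endpoint")
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        if attr.get("Name") not in allowed:
            findings.append("unexpected cleartext attribute: " + attr.get("Name", "?"))
    return findings


if __name__ == "__main__":
    print(review_response(SAMPLE) or "no findings")
```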