SSO Implementation

Raz's gajula.rajashekhar at gmail.com
Thu Nov 1 05:19:39 EDT 2012


Hi Nate,

No progress after modifying the metadata as per your specification. Also,
when I try to access test.mydomain.net, dev.mydomain.net is shown on the
testshib.org IdP logon page; after successful authentication I get the same
error message, and sessions are created for dev.mydomain.net, not for
test.mydomain.net, on testshib.org.

I have a doubt about the SP metadata configuration: is it mandatory to
mention endpoints for every subdomain configured on the IdP, as in your
specification? Here we are getting the SP metadata based on the subdomain,
for example: https://dev.mydomain.net/Shibboleth.sso/Metadata

I think you understand my scenario: here we are going to provide the SP
implementation based on subdomains, with a unique IdP for each subdomain,
and the sessions and logout configuration may also vary between subdomains.

Thanks,
Raja.




On Thu, Nov 1, 2012 at 5:49 AM, Nate Klingenstein <ndk at internet2.edu> wrote:

> Raja,
>
> You need both domains listed.
>
>     <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
> http://test.mydomain.net/Shibboleth.sso/SAML2/POST" index="0"/>
>     <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="
> http://dev.mydomain.net/Shibboleth.sso/SAML2/POST" index="6"/>
>
> Thanks,
> Nate.
>
> On 1 Nov 2012, at 00:10, "Raz's" <gajula.rajashekhar at gmail.com> wrote:
>
> Thanks a lot Nate,
>
> Endpoints are nothing but AssertionConsumerService, correct? They are present
> in my metadata, which was uploaded to the testshib.org IdP. One more thing:
> if I interchange the places for dev and test, then test works and dev
> does not (now dev.mydomain.net gets the error message like before).
>
> Here is the exact metadata of test.mydomain.net.
>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     ID="_d27fc6cfbb1c99cb5eb6a848d6b2a385cacb7bf9"
>     entityID="https://test.mydomain.net/shibboleth">
>
>   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
>     <md:Extensions>
>       <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
>           Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
>           Location="http://test.mydomain.net/Shibboleth.sso/Login"/>
>     </md:Extensions>
>     <md:KeyDescriptor>
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:KeyName>ths-multitenant.ths.local</ds:KeyName>
>         <ds:X509Data>
>           <ds:X509SubjectName>CN=ths-multitenant.ths.local</ds:X509SubjectName>
>           <ds:X509Certificate> encoded one </ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </md:KeyDescriptor>
>     <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>         Location="http://test.mydomain.net/Shibboleth.sso/Artifact/SOAP" index="0"/>
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>         Location="http://test.mydomain.net/Shibboleth.sso/SLO/SOAP"/>
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>         Location="http://test.mydomain.net/Shibboleth.sso/SLO/Redirect"/>
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="http://test.mydomain.net/Shibboleth.sso/SLO/POST"/>
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
>         Location="http://test.mydomain.net/Shibboleth.sso/SLO/Artifact"/>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="http://test.mydomain.net/Shibboleth.sso/SAML2/POST" index="0"/>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
>         Location="http://test.mydomain.net/Shibboleth.sso/SAML2/POST-SimpleSign" index="1"/>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
>         Location="http://test.mydomain.net/Shibboleth.sso/SAML2/Artifact" index="2"/>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
>         Location="http://test.mydomain.net/Shibboleth.sso/SAML2/ECP" index="3"/>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
>         Location="http://test.mydomain.net/Shibboleth.sso/SAML/POST" index="4"/>
>     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
>         Location="http://test.mydomain.net/Shibboleth.sso/SAML/Artifact" index="5"/>
>   </md:SPSSODescriptor>
>
> </md:EntityDescriptor>
>
> -Raja
>
>
> On Thu, Nov 1, 2012 at 4:52 AM, Nate Klingenstein <ndk at internet2.edu>wrote:
>
>> Raja,
>>
>> The metadata that you uploaded to TestShib probably doesn't have
>> endpoints listed for the domain test.mydomain.net.  You'll need to
>> ensure that there are AssertionConsumerService URL's for both hosts.
>>
>> https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForSP
>>
>> Thanks,
>> Nate.
>>
>> On 31 Oct 2012, at 23:08, "Raz's" <gajula.rajashekhar at gmail.com> wrote:
>>
>> Hi Nate,
>>
>> When I configured the SP as follows:
>>
>>             <Site id="1" name="sp.mydomain.net">
>>                 <Alias>dev.mydomain.net</Alias>
>>                 <Alias>test.mydomain.net</Alias>
>>             </Site>
>>
>>     <RequestMapper type="Native">
>>         <RequestMap applicationId="default">
>>             <Host name="dev.mydomain.net">
>>                 <Path name="protected" authType="shibboleth" requireSession="true"/>
>>             </Host>
>>             <Host name="test.mydomain.net" entityID="https://idp.testshib.org/idp/shibboleth">
>>                 <Path name="protected" authType="shibboleth" requireSession="true"/>
>>             </Host>
>>         </RequestMap>
>>     </RequestMapper>
>>
>>         <ApplicationDefaults entityID="https://dev.mydomain.net/shibboleth" REMOTE_USER="eppn">
>>
>>         <Sessions lifetime="28800" timeout="3600" checkAddress="true"
>>                   consistentAddress="true" relayState="ss:mem" handlerSSL="false">
>>             <SSO entityID="https://idp.testshib.org/idp/shibboleth">
>>                 SAML2 SAML1
>>             </SSO>
>>
>>             <Logout>SAML2 Local</Logout>
>>
>>             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
>>             <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
>>             <Handler type="Session" Location="/Session" showAttributeValues="true"/>
>>             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>>
>>         </Sessions>
>>
>>         <Errors supportContact="root at localhost"
>>                 logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
>>
>>         <MetadataProvider type="XML" uri="http://www.testshib.org/metadata/testshib-providers.xml"
>>                           backingFilePath="testshib-two-idp-metadata.xml" reloadInterval="180000"/>
>>
>>         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
>>         <AttributeResolver type="Query" subjectMatch="true"/>
>>         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
>>
>>         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>>
>>         </ApplicationDefaults>
>>
>> then I'm getting the error *Error Message: No peer endpoint available to
>> which to send SAML response* while accessing test.mydomain.net, but it
>> works fine with dev.mydomain.net.
>>
>> Here test.mydomain.net's IdP, sessions, handlers etc. are different from
>> dev's.
>>
>> -Raja
>>
>> On Wed, Oct 31, 2012 at 12:30 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>
>>> >
>>> > Please help me out in the process of SAML SP implementation for
>>> > subdomains. This implementation is a little bit tricky: here a single
>>> > application provides the solutions for our clients using subdomains, so
>>> > each subdomain indicates an individual client, and each client also has
>>> > his own IdP and SP, but we want to integrate their IdP into our SP; at
>>> > the same time it has to redirect the request to the respective
>>> > subdomain's (client's) IdP. Here the session of each and every subdomain
>>> > (client) should vary based on the subdomain's (client's) IdP.
>>>
>>> I answered this in the original thread you raised it in. If you want to
>>> specify the IdP based on the vhost, you add an entityID property naming
>>> the IdP in the RequestMap in a <Host> element for the given vhost. That's
>>> it. You don't need overrides.
>>>
>>>
>>> If you need to add restrictions to limit which IdP's users are able to
>>> access the vhosts, then there are various ways to achieve that, or it can
>>> be done entirely inside the application. Again, you don't need overrides
>>> for that.
>>>
>>> -- Scott
>>>
>>>
>>> --
>>> To unsubscribe from this list send an email to
>>> users-unsubscribe at shibboleth.net
>>>
>>
>>
>>
>>
>>
>
>
>
>
>
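The two diagnoses in this thread can be checked mechanically before metadata is uploaded to an IdP: Scott's point that the IdP for a vhost comes from the entityID on that vhost's <Host> in the RequestMap (falling back to the <SSO entityID> default), and Nate's point that the metadata registered at the IdP must list an AssertionConsumerService on every vhost, since the IdP selects the response endpoint from that metadata and a vhost with no registered ACS cannot receive a response. The Python below is an added example, not code from the Shibboleth project or from anyone in the thread. The shibboleth2.xml fragment and the metadata documents are constructed from what the thread quotes: the dev-only metadata reproduces the missing-endpoint case, the second adds Nate's two ACS entries. The check also flags ACS endpoints on plain http, which the quoted handlerSSL="false" permits; with such an endpoint the browser posts the SAML response over an unencrypted connection.

```python
"""Check that an SP's metadata has an AssertionConsumerService for every vhost in
its RequestMap, and show which IdP each vhost will be sent to.

Added example for this thread; not Shibboleth project code. All XML below is
constructed from the configuration and metadata fragments quoted in the thread.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed: the RequestMapper and Sessions settings quoted in the thread.
SP_CONFIG = """<SPConfig>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="dev.mydomain.net">
        <Path name="protected" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="test.mydomain.net" entityID="https://idp.testshib.org/idp/shibboleth">
        <Path name="protected" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://dev.mydomain.net/shibboleth">
    <Sessions handlerSSL="false">
      <SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed: metadata with an ACS for dev only, the case Nate suspected.
METADATA_DEV_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://dev.mydomain.net/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://dev.mydomain.net/Shibboleth.sso/SAML2/POST" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: Nate's fix, one ACS per vhost (indexes as in his reply).
METADATA_BOTH_HOSTS = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://dev.mydomain.net/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://test.mydomain.net/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://dev.mydomain.net/Shibboleth.sso/SAML2/POST" index="6"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same endpoints over TLS, so the browser never posts the SAML response in clear.
METADATA_BOTH_HTTPS = METADATA_BOTH_HOSTS.replace("http://", "https://")


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Host' -> 'Host')."""
    return tag.rsplit("}", 1)[-1]


def _iter(root, local_name):
    """Yield every element whose local name matches, regardless of namespace."""
    for el in root.iter():
        if _local(el.tag) == local_name:
            yield el


def effective_idp(config_xml):
    """Map each RequestMap vhost to the IdP it will use: the <Host entityID>
    override when present, otherwise the <SSO entityID> default."""
    root = ET.fromstring(config_xml)
    sso = next(_iter(root, "SSO"), None)
    default_idp = sso.get("entityID") if sso is not None else None
    return {h.get("name"): h.get("entityID", default_idp) for h in _iter(root, "Host")}


def acs_by_host(metadata_xml):
    """Group AssertionConsumerService endpoints by hostname as (scheme, binding, index)."""
    root = ET.fromstring(metadata_xml)
    out = {}
    for acs in _iter(root, "AssertionConsumerService"):
        url = urlparse(acs.get("Location", ""))
        out.setdefault(url.hostname, []).append((url.scheme, acs.get("Binding"), acs.get("index")))
    return out


def check_coverage(config_xml, metadata_xml):
    """Return the vhosts with no ACS in the metadata, and the hosts whose ACS
    endpoints use plain http (the IdP would have the browser post the response
    unencrypted)."""
    hosts = effective_idp(config_xml)
    acs = acs_by_host(metadata_xml)
    missing = sorted(h for h in hosts if h not in acs)
    plain_http = sorted(h for h, eps in acs.items() if any(s == "http" for s, _, _ in eps))
    return {"missing": missing, "plain_http": plain_http}


if __name__ == "__main__":
    for host, idp in effective_idp(SP_CONFIG).items():
        print(f"{host} -> {idp}")
    for label, md in (("dev only", METADATA_DEV_ONLY), ("both hosts", METADATA_BOTH_HOSTS),
                      ("both hosts, https", METADATA_BOTH_HTTPS)):
        print(label, check_coverage(SP_CONFIG, md))
```

Run against the quoted configuration, the dev-only metadata reports test.mydomain.net as missing, which matches the vhost that fails in the thread; with both ACS entries present nothing is missing, and only the https variant clears the plain-http warning.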