IIS and new Service Provider v2.5

Cantor, Scott cantor.2 at osu.edu
Tue Nov 6 13:13:18 EST 2012

On 11/6/12 11:34 AM, "Martin B. Smith" <smithmb at ufl.edu> wrote:
>As a follow up, someone over here has pointed out that service providers
>may have defined in an attribute map:
>  <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>

They would have to have something mapped to "st", yes. It won't try and
"defend" any headers it doesn't think it's responsible for, so at a
minimum, that's the workaround.

>So perhaps there's some common application or IIS header also called st?

I suspect it's happening because of a tail match of something that ends in
"st". What I would note is that I think they have safeHeaderNames turned
off. That results in some slightly different logic for checking the names
and is probably where the tail matching problem is showing up.

Since the vast majority of IIS sites should have that option on unless
they have a good reason, that's probably why it hasn't shown up very often.

>Even if we're not releasing anything called st, this potentially breaks
>most AD-joined IIS servers with Shibboleth, *if* this is coming from a
>standard AD attribute, and *if* the state attribute is already defined
>in the SP attribute map.

-- Scott
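The following is an added illustration of the failure mode Scott suspects above (a "tail" match on a mapped id such as "st" catching an unrelated header), contrasted with an exact match. It is not the Shibboleth SP's code and does not reproduce its actual checking logic; the header names (including "Host"), the mapped ids, the normalization, and the rule that a request carrying a defended header is rejected are all assumptions constructed for the example.

```python
"""Added illustration (not the Shibboleth SP's own code) of why a suffix
("tail") match on defended header names misfires, versus an exact match.

Everything below is constructed for the example: the mapped ids, the sample
headers, the normalization and the reject-on-spoof rule are assumptions,
not the SP's real behaviour.
"""

# Constructed: ids an SP attribute-map might export, including the "st" id
# from the thread (<Attribute name="urn:mace:dir:attribute-def:st" id="st"/>).
MAPPED_IDS = ["st", "eppn", "affiliation"]

# Constructed sample of request headers as they might arrive at an IIS site.
# "Host" and "X-Forwarded-Host" happen to end in "st"; "st" is a spoof attempt.
INCOMING_HEADERS = {
    "Host": "sp.example.org",
    "X-Forwarded-Host": "proxy.example.org",
    "User-Agent": "test",
    "st": "Ohio",
}


def normalize(name: str) -> str:
    """Assumed comparison form: uppercase, dashes folded to underscores."""
    return name.replace("-", "_").upper()


def defended_exact(header: str, ids=MAPPED_IDS) -> bool:
    """Exact-match policy: a header is defended only if it equals a mapped id."""
    return normalize(header) in {normalize(i) for i in ids}


def defended_tail(header: str, ids=MAPPED_IDS) -> bool:
    """Suffix-match policy (the suspected bug): any header whose name merely
    ends with a mapped id is treated as one the SP is responsible for."""
    n = normalize(header)
    return any(n.endswith(normalize(i)) for i in ids)


def spoofed_headers(headers, policy) -> list:
    """Headers the given policy would flag as client-supplied copies of
    names the SP believes it exports itself (sorted for stable output)."""
    return sorted(h for h in headers if policy(h))


def request_rejected(headers, policy) -> bool:
    """Assumed rule: an SP that defends a header rejects any request that
    already carries it, since it cannot tell a spoof from a legitimate value."""
    return bool(spoofed_headers(headers, policy))


if __name__ == "__main__":
    for name, policy in (("exact", defended_exact), ("tail", defended_tail)):
        flagged = spoofed_headers(INCOMING_HEADERS, policy)
        print(f"{name:5}: flagged={flagged} "
              f"rejected={request_rejected(INCOMING_HEADERS, policy)}")
```

With the exact policy only the genuine "st" spoof is flagged. With the tail policy "Host" is flagged as well, and because every HTTP/1.1 request carries a Host header, every request is rejected whether or not anything called "st" is being released, which matches the breakage Martin describes. The thread's workaround follows directly: remove the "st" mapping (so nothing is defended under that name) or, on IIS, leave safeHeaderNames enabled so the alternate name-checking logic is not used.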
