still a few issues with login script to shibboleth identity server

Cantor, Scott cantor.2 at osu.edu
Tue Oct 9 11:42:57 EDT 2012


On 10/9/12 11:35 AM, "Joseph Norris" <jozefn at sonic.net> wrote:

>Thanks for the reply Scott
>
>The company I am working for has decided to not run an SP - they just
>need their product to allow single sign-on for the company that is
>running an SP.  Don't mind the work - so what are the different set of
>issues?

You would need to go read the SAML standard; you cannot implement an SP by
reverse engineering messages and have much hope of getting it right.

As Paul said, there's a list at OASIS (saml-dev) that people like me are
on and we can answer general spec questions, but you can't expect to get
them without reading the standard first.

If you're trying to implement SSO, then the general guide would be:

- skim the core spec for terminology and structure
- read the SSO profile
- refer to the binding spec for the particular binding(s) you're trying to
support for message syntax (Redirect and POST mainly)
- go back and read core to get a full picture, esp. the assertion sections
and the Authentication Request protocol

And that doesn't include the XML Signature and possibly Encryption parts,
which you will almost certainly not get right if you do them yourself. And
it doesn't include the metadata portion, which is how you can automate
provisioning of trust between systems.

If that sounds like a lot, then you're starting to understand why this is
a bad idea.

-- Scott
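The steps Scott lists above (an AuthnRequest per the core spec, the HTTP-Redirect binding's message syntax, and the rule for what a Redirect-binding signature actually covers) as an added, stand-alone Python example. This is not code from the list post or from the Shibboleth project; the entity IDs and endpoint URLs are hypothetical, it uses only the standard library, and it deliberately stops short of the RSA signature and the XML Signature/Encryption used with the POST binding, which is exactly the part the message says to leave to a real library. The two details a reverse-engineered implementation most often gets wrong are called out in comments: the DEFLATE payload is raw (no zlib header), and the signed string is SAMLRequest, then RelayState only if present, then SigAlg, each URL-encoded, in that order.

```python
import base64
import datetime
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical SP and IdP values, assumed for this example only.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def build_authn_request(issuer, acs_url, destination, request_id=None, issue_instant=None):
    """Serialize a minimal samlp:AuthnRequest (SAML Core, AuthnRequest protocol)."""
    # ID is an xs:ID, so it must start with a letter or underscore, never a digit.
    request_id = request_id or "_" + secrets.token_hex(16)
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": HTTP_POST,
    })
    ET.SubElement(root, "{%s}Issuer" % SAML).text = issuer
    return ET.tostring(root, encoding="unicode")


def redirect_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def redirect_decode(value):
    """Reverse of redirect_encode; a zlib-wrapped payload would be a binding error."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def _urlencode(parts):
    return "&".join("%s=%s" % (k, urllib.parse.quote(v, safe="")) for k, v in parts)


def signed_content(saml_request, relay_state, sig_alg):
    """The exact octets a Redirect-binding signature covers: SAMLRequest,
    then RelayState only when one is sent, then SigAlg, each URL-encoded."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return _urlencode(parts)


def build_redirect_url(sso_url, xml_text, relay_state=None, sign=None):
    """Assemble the redirect URL. `sign`, if given, is a callable that returns
    raw signature bytes over the signed content (an RSA signer with the SP's
    key in practice; none is available in this example, so it is optional)."""
    encoded = redirect_encode(xml_text)
    if sign is None:
        parts = [("SAMLRequest", encoded)]
        if relay_state is not None:
            parts.append(("RelayState", relay_state))
        return sso_url + "?" + _urlencode(parts)
    query = signed_content(encoded, relay_state, RSA_SHA256)
    signature = base64.b64encode(sign(query.encode("ascii"))).decode("ascii")
    return sso_url + "?" + query + "&Signature=" + urllib.parse.quote(signature, safe="")


def parse_authn_request(xml_text):
    """Receiver side: confirm the decoded document really is an AuthnRequest
    before using anything in it. Parse untrusted XML with a hardened parser
    (for example defusedxml) in production; ElementTree is used here for brevity."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("expected samlp:AuthnRequest, got %s" % root.tag)
    if root.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": None if issuer is None else issuer.text,
    }


def demo():
    """Constructed round trip: build a request, encode it into a redirect URL,
    then decode and check it the way the IdP would. Returns (url, decoded
    matches original, RelayState, parsed fields)."""
    xml_text = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL,
                                   request_id="_f3c1", issue_instant="2012-10-09T15:42:57Z")
    url = build_redirect_url(IDP_SSO_URL, xml_text, relay_state="/app/home")
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    decoded = redirect_decode(query["SAMLRequest"][0])
    return url, decoded == xml_text, query["RelayState"][0], parse_authn_request(decoded)


if __name__ == "__main__":
    url, same, relay, parsed = demo()
    print(url)
    print(same, relay, parsed)
```

Running the file prints the redirect URL and the fields recovered from it. Note what is still missing relative to the reading list in the message: the Signature parameter needs a real RSA signer and the IdP's verification needs the SP's certificate from metadata; the Response coming back over the POST binding carries an XML Signature and possibly an encrypted assertion, and validating those (canonicalization, reference checks, key selection) is where hand-rolled code typically fails.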
