Default SessionInitiator within a Chaining SessionInitiator

Cantor, Scott cantor.2 at osu.edu
Fri Oct 12 10:09:46 EDT 2012


On 10/12/12 7:01 AM, "William Spooner" <william.spooner at eaglegenomics.com>
wrote:
>
>I have a very simple NativeSPSession configuration, with three IdPs in a
>Chaining SessionInitiator. The appropriate IdP is selected by a Cookie
>SessionInitiator;
>
><SessionInitiator type="Chaining" isDefault="true">
>  <SessionInitiator type="Cookie" followMultiple="true" />
>  <SessionInitiator type="SAML2" Location="/Login"
>entityID="https://idp.foo.com/access" defaultACSIndex="1" />
>  <SessionInitiator type="SAML2" Location="/Login"
>entityID="https://idp.bar.org/idp/shibboleth" defaultACSIndex="1" />
>  <SessionInitiator type="SAML2" Location="/Login"
>entityID="http://idp.baz.net/adfs/services/trust" defaultACSIndex="1"/>
></SessionInitiator>

You must have a Location attribute at the outer element, and should not
have one in the inner elements.

Aside from that, you can't do that kind of chain. After the first SAML2
handler with entityID set, the rest would never run. So that won't do
anything useful.

>This works great when the cookie has been set. With an unset cookie,
>however, a call to https://www.myapp.com/Shibboleth.sso/Login results in
>a "None of the configured SessionInitiators handled the request" error.
>What I can't figure out is how to use the cookie if available, else use a
>'default' entity. Is that possible?

I suspect perhaps they didn't run because the entityID specified in the
first one doesn't have SAML 2 support, but there'd be log information
about it.

-- Scott
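
As an added illustration (not from the thread) of the two constraints Scott states, Location only on the outer Chaining element and no chain of entityID-bearing SAML2 handlers: the Cookie initiator runs first, and a single SAML2 initiator handles whatever IdP the chain has settled on. It assumes, as the stock shibboleth2.xml template does, that an entityID on the outer element is inherited by the inner SAML2 initiator as the default; that the Cookie initiator's selection takes precedence over that default when a cookie is present is an assumption, not something the thread confirms, so verify it in the SP log before relying on it.

```xml
<!-- Added example, not the configuration from the thread. -->
<!-- Location lives ONLY on the outer Chaining element; the inner
     initiators inherit it and must not carry their own. -->
<!-- entityID on the outer element is the assumed fallback IdP when no
     cookie is present (value reused from the thread). -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
                  relayState="cookie"
                  entityID="https://idp.foo.com/access">

    <!-- Runs first: if the IdP cookie exists it selects that IdP and the
         rest of the chain proceeds with it; if not, it just passes through. -->
    <SessionInitiator type="Cookie" followMultiple="true" />

    <!-- One SAML2 initiator only. A second SAML2 initiator with its own
         entityID would never be reached, because the first one that has an
         IdP to talk to handles the request. -->
    <SessionInitiator type="SAML2" defaultACSIndex="1" />

</SessionInitiator>
```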
