Shibboleth IDP and ADFS federation claim problem

Renzo De Renzi renzos at me.com
Wed Oct 31 12:05:08 EDT 2012


On 09/Oct/2012, at 15:59, Cantor, Scott wrote:

> On 10/9/12 1:57 AM, "Renzo De Renzi" <renzos at me.com> wrote:
>> 
>> Thanks for your prompt answer, this is my policy taken from
>> attribute-filter-xml file, it already works correctly between Shibboleth
>> IDP and SP on the same machine:
> 
> Those are not SAML attributes, they're internal to the IdP. You have to
> decide if you want to use standard names for them, or ADFS' proprietary
> names. Then you have to change one end or the other.
> 
> -- Scott
> 
> 
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

Hi, good evening,
unfortunately, after 20 days there is still no luck: I can't manage to make the Shibboleth IDP - ADFS SP work.
I set up a claims-aware Web App under VS2010 that correctly runs under the ADFS domain and prints out some claims after the authentication. Now I would like to use the Shibboleth IDP that releases 3 claims, one of which is the givenName. I added the Shibboleth IDP under ADFS 2.0 and set up this rule:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
=> issue(Type = "urn:oid:2.5.4.42", Value = c.Value, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

Then I launched the WIF Federation Utility wizard to establish the trust relationship between my Web App and the Shibboleth IDP, but when I select the STS WS-Federation metadata document location (idp-metadata.xml) I get an ID1018 error (The WS-Federation metadata document does not contain a security token service descriptor).

Here is my idp-metadata.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://idp.example.org/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDJzCCAg+gAwIBAgIUHf2v/KXrNrvx64FbF6ZY9rnHPdAwDQYJKoZIhvcNAQEF BQAwGjEYMBYGA1UEAxMPaWRwLmV4YW1wbGUub3JnMB4XDTEyMDcyNDA4MDUwNFoX DTMyMDcyNDA4MDUwNFowGjEYMBYGA1UEAxMPaWRwLmV4YW1wbGUub3JnMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmHBXmj+VcDVa5TzcuNRZrRpDF9M5 zJyTHuaC4sjdmPixndC5IyHkk7vLAw22dbwhMry4y1xfX3s8X9+kajRJXJOmQ0rP 4JIcv71ywoLpbrOBnsfiGFWQgNQlOTJJdY7WpOc1f+n3+2Uoi+f4F/IKG8c0jEmg NnwRNFGqK3XlbwCuQMahif+2GHPD7intyJMDr6R67PAOx8AtqxGXCnKP6LmdZofT GZRMrH786PNVCnEn78tguUcMlVVdkYAjF1rqntJOnIeIzsEZowXqSa2keQ7Q/5Jm 47UKjzJFagrE15mkcI/JU5SuDQ1F5hYGhn05fhwhg39sJ4Zv2vvaKUI7kwIDAQAB o2UwYzBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeGJmh0dHBzOi8vaWRwLmV4 YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMB0GA1UdDgQWBBT+fFTBiudO7jqc62h6 T0wbUfwLVjANBgkqhkiG9w0BAQUFAAOCAQEASC6n3sB/733OI8dD3IfoWLESo1wZ OFz1fGmTOKD2M5+HyVCdpRNvy3tqL1E8Gpnqcrmb4uzIbBa8yFV9wpUFotOz2Frq 9tgFn6XcjLjrTJ7LZE6C7zcf5vyIr2Ke+1zJwxmfPJOo3zS9pdXsug84jokd8NU+ omdo47MrseS8wzKMZU8MDe8cpXFz00pkiPjKram8QGrt7Ut8cV0mzxgPCb6xeWL6 kdNN/qioQP3iV7DIbM5+9d1vlI606hrUTNirqRd3aMlzt4syNwY4+8KFTqgiFont yAY+WrxO9aD9qrB/X/ZoCZO5Snvog31ICafkPBSR0zhm4lYYl1MEqtsWXw==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1" />
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2" />
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.org/idp/profile/Shibboleth/SSO" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/idp/profile/SAML2/POST/SSO" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.example.org/idp/profile/SAML2/POST-SimpleSign/SSO" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO" />
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDJzCCAg+gAwIBAgIUHf2v/KXrNrvx64FbF6ZY9rnHPdAwDQYJKoZIhvcNAQEF BQAwGjEYMBYGA1UEAxMPaWRwLmV4YW1wbGUub3JnMB4XDTEyMDcyNDA4MDUwNFoX DTMyMDcyNDA4MDUwNFowGjEYMBYGA1UEAxMPaWRwLmV4YW1wbGUub3JnMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmHBXmj+VcDVa5TzcuNRZrRpDF9M5 zJyTHuaC4sjdmPixndC5IyHkk7vLAw22dbwhMry4y1xfX3s8X9+kajRJXJOmQ0rP 4JIcv71ywoLpbrOBnsfiGFWQgNQlOTJJdY7WpOc1f+n3+2Uoi+f4F/IKG8c0jEmg NnwRNFGqK3XlbwCuQMahif+2GHPD7intyJMDr6R67PAOx8AtqxGXCnKP6LmdZofT GZRMrH786PNVCnEn78tguUcMlVVdkYAjF1rqntJOnIeIzsEZowXqSa2keQ7Q/5Jm 47UKjzJFagrE15mkcI/JU5SuDQ1F5hYGhn05fhwhg39sJ4Zv2vvaKUI7kwIDAQAB o2UwYzBCBgNVHREEOzA5gg9pZHAuZXhhbXBsZS5vcmeGJmh0dHBzOi8vaWRwLmV4 YW1wbGUub3JnL2lkcC9zaGliYm9sZXRoMB0GA1UdDgQWBBT+fFTBiudO7jqc62h6 T0wbUfwLVjANBgkqhkiG9w0BAQUFAAOCAQEASC6n3sB/733OI8dD3IfoWLESo1wZ OFz1fGmTOKD2M5+HyVCdpRNvy3tqL1E8Gpnqcrmb4uzIbBa8yFV9wpUFotOz2Frq 9tgFn6XcjLjrTJ7LZE6C7zcf5vyIr2Ke+1zJwxmfPJOo3zS9pdXsug84jokd8NU+ omdo47MrseS8wzKMZU8MDe8cpXFz00pkiPjKram8QGrt7Ut8cV0mzxgPCb6xeWL6 kdNN/qioQP3iV7DIbM5+9d1vlI606hrUTNirqRd3aMlzt4syNwY4+8KFTqgiFont yAY+WrxO9aD9qrB/X/ZoCZO5Snvog31ICafkPBSR0zhm4lYYl1MEqtsWXw==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery" />
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery" />
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
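The ID1018 message above is WIF reporting that the metadata it was pointed at advertises no WS-Federation security token service role; the Shibboleth idp-metadata.xml quoted in the post carries only the SAML roles (IDPSSODescriptor and AttributeAuthorityDescriptor), which the wizard does not treat as an STS. The checker below is an added example, not code from the thread, Shibboleth or ADFS: it parses an EntityDescriptor and lists the roles actually present, so the error can be explained before the wizard is run. Both metadata samples inside it are constructed; the STS sample assumes the usual RoleDescriptor form with xsi:type fed:SecurityTokenServiceType.

```python
import io
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"

# Constructed sample: the roles a Shibboleth idp-metadata.xml advertises
# (certificate and endpoints omitted; they play no part in this check).
SHIB_METADATA = b"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

# Constructed sample of the WS-Federation role an STS such as ADFS publishes.
STS_METADATA = b"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="https://sts.example.org/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
</EntityDescriptor>"""

def federation_roles(metadata):
    """Roles in an EntityDescriptor: SAML roles by element name, generic
    RoleDescriptors by their xsi:type resolved to {namespace}local form."""
    prefixes, root = {}, None
    # start-ns events expose the prefix map, which a plain parse discards and
    # which is needed to resolve the xsi:type QName on a RoleDescriptor.
    for event, payload in ET.iterparse(io.BytesIO(metadata), events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload
    if root is None or root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("not a SAML EntityDescriptor")
    roles = []
    for child in root:
        local = child.tag.split("}", 1)[-1]
        if child.tag == "{%s}RoleDescriptor" % MD:
            prefix, _, name = child.get("{%s}type" % XSI, "").rpartition(":")
            roles.append("{%s}%s" % (prefixes.get(prefix, ""), name))
        elif child.tag.startswith("{%s}" % MD) and local.endswith("Descriptor"):
            roles.append(local)
    return roles

def has_wsfed_sts(metadata):
    """True when the STS role WIF looks for is present; False is the ID1018 case."""
    return "{%s}SecurityTokenServiceType" % FED in federation_roles(metadata)
```

Running `has_wsfed_sts` over the real idp-metadata.xml bytes gives the same False as the constructed Shibboleth sample, which is the condition the wizard reports as ID1018.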