(Slightly) different assertions generated for WEB and ACTIVE clients

Glenn Wearen glenn.wearen at heanet.ie
Thu Apr 18 12:00:06 EDT 2013


Maybe somebody can spot an important difference between the two responses being sent to Office365: web browser access is working, but the Outlook client is not.

I have the same policy set in relying-party.xml for both the ECP profile and the SSO profile configurations.

If somebody could post a working SOAP response for Office365 that would help a lot

<rp:RelyingParty id="urn:federation:MicrosoftOnline" provider="https://idp.your.edu.ie/idp/shibboleth" defaultSigningCredentialRef="IdPCredential">
<!-- Browser (WEB) SSO profile. The response pasted under "WEB" below was produced by this
     profile and its Assertion carries an enveloped ds:Signature. -->
<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                          signAssertions="conditional"
                          encryptAssertions="never"
                          encryptNameIds="never" />
<!-- ECP (ACTIVE / Outlook) profile. Same three settings as the SSO profile, yet the SOAP
     response pasted under "ACTIVE" below has no ds:Signature on its Assertion.
     NOTE(review): "conditional" evidently resolves to "do not sign" on the SOAP/ECP path
     here, so the assertion's integrity rests on the TLS channel alone; if the relying party
     requires a signed assertion, signAssertions="always" on this profile is the setting to
     test. Confirm against the IdP documentation for the deployed version. -->
<rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile"                                                           
                          signAssertions="conditional"                  
                          encryptAssertions="never"                  
                          encryptNameIds="never"/>
</rp:RelyingParty>

I've highlighted the differences in bold text (apologies in advance to the plain-text advocates).
====ACTIVE=====
<?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
   <soap11:Header>
      <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" AssertionConsumerServiceURL="https://login.microsoftonline.com/login.srf" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" soap11:mustUnderstand="1"/>
   </soap11:Header>
   <soap11:Body>
      <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://login.microsoftonline.com/login.srf" ID="_7326a1752a021f722d529a0e755965d7" InResponseTo="_9a1e870f-e814-4e2c-8cb4-d48c7028248b" IssueInstant="2013-04-18T15:42:37.411Z" Version="2.0">
         <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.your.edu.ie/idp/shibboleth</saml2:Issuer>
         <saml2p:Status>
            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
         </saml2p:Status>
         <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_e072ac1e519073781fe4bf1fe5b31c9f" IssueInstant="2013-04-18T15:42:37.411Z" Version="2.0">
            <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.your.edu.ie/idp/shibboleth</saml2:Issuer>
            <!-- Difference 1 (the significant one): no ds:Signature child on this Assertion.
                 The WEB response below, from the same IdP for the same relying party, carries
                 an enveloped signature here. Neither the Response nor the Assertion is signed
                 in this SOAP message, so its integrity rests entirely on the TLS channel. -->
            <saml2:Subject>
               <!-- Difference 2: NameID has no SPNameQualifier; the WEB response sets
                    SPNameQualifier="urn:federation:MicrosoftOnline" on the same value. -->
               <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.your.edu.ie/idp/shibboleth">g+WdVgjft0eVkOFHXhG+kQ==</saml2:NameID>
               <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                  <!-- Address differs from the WEB response; presumably the address of the ECP
                       client performing the SOAP exchange rather than the end user's browser. -->
                  <saml2:SubjectConfirmationData Address="157.56.254.245" InResponseTo="_9a1e870f-e814-4e2c-8cb4-d48c7028248b" NotOnOrAfter="2013-04-18T15:47:37.411Z" Recipient="https://login.microsoftonline.com/login.srf"/>
               </saml2:SubjectConfirmation>
            </saml2:Subject>
            <saml2:Conditions NotBefore="2013-04-18T15:42:37.411Z" NotOnOrAfter="2013-04-18T15:47:37.411Z">
               <saml2:AudienceRestriction>
                  <saml2:Audience>urn:federation:MicrosoftOnline</saml2:Audience>
               </saml2:AudienceRestriction>
            </saml2:Conditions>
            <!-- Difference 3: no SessionIndex attribute; the WEB response's AuthnStatement has one. -->
            <saml2:AuthnStatement AuthnInstant="2013-04-18T15:42:37.404Z">
               <saml2:SubjectLocality Address="157.56.254.245"/>
               <saml2:AuthnContext>
                  <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
               </saml2:AuthnContext>
            </saml2:AuthnStatement>
            <saml2:AttributeStatement>
               <saml2:Attribute FriendlyName="UserId" Name="IDPEmail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                  <!-- Difference 4 (cosmetic): xmlns:xs is declared here on the AttributeValue.
                       The WEB response declares it on the Assertion element instead, where the
                       signature's InclusiveNamespaces PrefixList references it. -->
                  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">gwearen at your.edu.ie</saml2:AttributeValue>
               </saml2:Attribute>
            </saml2:AttributeStatement>
         </saml2:Assertion>
      </saml2p:Response>
   </soap11:Body>
</soap11:Envelope>

=====WEB=====
<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://login.microsoftonline.com/login.srf" ID="_70619cfaf16e0616d58bb240af58b278" InResponseTo="_f00d78f6-f6dd-4d5f-89f4-4939234ff219" IssueInstant="2013-04-18T15:16:02.061Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.your.edu.ie/idp/shibboleth</saml2:Issuer>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </saml2p:Status>
   <!-- xmlns:xs is declared on the Assertion itself (the ACTIVE response declares it on the
        AttributeValue); it is the prefix listed in the signature's InclusiveNamespaces below. -->
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_dc1fd0f58ee0c67d1eb095f49e13baf0" IssueInstant="2013-04-18T15:16:02.061Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.your.edu.ie/idp/shibboleth</saml2:Issuer>
      <!-- Enveloped XML signature over this Assertion (Reference URI matches the Assertion ID
           above). This whole element is absent from the ACTIVE response.
           NOTE(review): rsa-sha1 / sha1 digest; SHA-1 based algorithms are deprecated and many
           current relying parties reject them. Worth checking the SP's present requirements. -->
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_dc1fd0f58ee0c67d1eb095f49e13baf0">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                     <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
                  </ds:Transform>
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
               <ds:DigestValue>pHH...qqao=</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
	<ds:SignatureValue>Zwx1Qc...6B8yA==</ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>MIIDKD...H42qzeMe5
78899UPKiiVsBYRQuA8=</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml2:Subject>
         <!-- SPNameQualifier is present here and absent in the ACTIVE response. -->
         <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.your.edu.ie/idp/shibboleth" SPNameQualifier="urn:federation:MicrosoftOnline">g+WdVgjft0eVkOFHXhG+kQ==</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData Address="193.1.228.190" InResponseTo="_f00d78f6-f6dd-4d5f-89f4-4939234ff219" NotOnOrAfter="2013-04-18T15:21:02.061Z" Recipient="https://login.microsoftonline.com/login.srf"/>
         </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2013-04-18T15:16:02.061Z" NotOnOrAfter="2013-04-18T15:21:02.061Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>urn:federation:MicrosoftOnline</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <!-- SessionIndex is present here and absent in the ACTIVE response. -->
      <saml2:AuthnStatement AuthnInstant="2013-04-18T15:16:01.919Z" SessionIndex="18c9e893a4dbddd671782dc926ead4fcb3fb50111cf1b0cdb3464ae83d6d58ee">
         <saml2:SubjectLocality Address="193.1.228.190"/>
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
         <saml2:Attribute FriendlyName="UserId" Name="IDPEmail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">gwearen at your.edu.ie</saml2:AttributeValue>
         </saml2:Attribute>
      </saml2:AttributeStatement>
   </saml2:Assertion>
</saml2p:Response>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20130418/9b3621c6/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2330 bytes
Desc: not available
Url : http://shibboleth.net/pipermail/users/attachments/20130418/9b3621c6/attachment-0001.bin 

