IdP initiated SSO

Mike Flynn shibbolethlynda at yahoo.com
Thu Feb 7 12:47:28 EST 2013


I have a private fed trying to integrate to my Shib system.  They are running Oracle as the IdP and claim they cannot support SP-initiated SSO.  All of the IdPs that I integrate with use SP-initiated.  I assume that all they should need to do is POST an assertion to my endpoint here:

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://shib.lynda.com/Shibboleth.sso/SAML2/POST" index="1"/>


They do that and get a 500 error on my servers, and my logs show nothing.  The assertion they sent is this:

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST" ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo="" IssueInstant="2013-02-07T17:05:41Z"Version="2.0">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>C1fVRAnlLEWmsWgb4wKTpEEh84s=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>
          NRfFI3Aj4B8Erl2UFFToEyHhd3CCOXKhklIALutt+3MzuZR5H33uU2G4DpQCGlpHv+uTe2ejwiz+CUbP1CcsP0+U4KXMevp+60XS7HDW240fayX7sNpvipdW4ZCkTC387VNDPk3G2H6dNpkiosvkfLQc1aBQfjADgh/NWcBRvf/79ht2TSMm/ccl2VL8HngRBEkRRz146uW4XqLuzWWlWctv3GF//I6kqumLBuirUS9E39YxUopiPgqU5zpBp1vZWPiVUi5sYQ9nYZMz+ZfxW9trd1rcVPudsOaQzSHHiLz7FkH6KVywuzRC18KzaHQW0ljhVPbm3oZxNW8JyNrcqg==
        </SignatureValue>
      </Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
        <saml:Issuer>http://sapient.learn.com</saml:Issuer>
        <saml:Subject>
          <saml:NameID>LEARNSUPPORT</saml:NameID>
        </saml:Subject>
        <saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">
          <saml:AudienceRestriction/>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z" SessionNotOnOrAfter="">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
          <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eppn">
            <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="uid">
            <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
            <saml:AttributeValue>Support</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="urn:oid:2.5.4.7" FriendlyName="l">
            <saml:AttributeValue/>
          </saml:Attribute>
          <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
            <saml:AttributeValue>Learn</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
            <saml:AttributeValue>CJohnson at Taleo.Com</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="urn:oid:2.5.4.101" FriendlyName="C">
            <saml:AttributeValue/>
          </saml:Attribute>
          <saml:Attribute Name="urn:oid:2.5.4.102" FriendlyName="UO">
            <saml:AttributeValue/>
          </saml:Attribute>
          <saml:Attribute Name="urn:oid:2.5.4.103" FriendlyName="Department">
            <saml:AttributeValue/>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>

Are my assumptions correct regarding the POST to my endpoint as detailed above?  Can anyone see an issue regarding the data in the assertion above?  They asked about RelayState, but that is only valid for SP-initiated, correct?
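As an added example (not from this thread and not Shibboleth code), here is a small Python checker that applies the structural checks an SP makes on an unsolicited, IdP-initiated SAML 2.0 Response before it trusts the subject. It runs over the response quoted above (ds:Signature and the attribute statement dropped, attribute spacing normalized so the text parses; every SAML attribute value is as posted) and over a constructed minimal corrected version. Assumptions, labelled in the code: the ACS URL is the Location from the metadata line in the post, the SP entityID is https://shib.lynda.com/shibboleth, and "now" is the posted IssueInstant. Signature verification is out of scope because no keys appear in the post.

```python
# Added example: structural checks an SP applies to an unsolicited (IdP-initiated)
# SAML 2.0 Response.  Not Shibboleth code; signature verification is out of scope.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
DATETIME_RE = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d+)?Z")

def _time(value):
    """Parse a UTC xs:dateTime; None when the attribute is absent or malformed (e.g. "")."""
    if value is None or not DATETIME_RE.fullmatch(value):
        return None
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_unsolicited_response(xml_text, acs_url, sp_entity_id, now, skew=timedelta(minutes=3)):
    """Return (code, detail) findings; an empty list means the response passes."""
    out = []
    try:
        resp = ET.fromstring(xml_text)          # a 500 with nothing logged often starts here
    except ET.ParseError as err:
        return [("xml", f"not well-formed: {err}")]
    if resp.tag != "{%s}Response" % NS["samlp"]:
        return [("root", resp.tag)]
    if resp.get("Destination") != acs_url:      # must equal the URL the ACS was reached at
        out.append(("destination", f"{resp.get('Destination')!r} != {acs_url!r}"))
    if resp.get("InResponseTo") is not None:    # unsolicited: attribute absent, not ""
        out.append(("in_response_to", "must be absent on an unsolicited response"))
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        out.append(("status", None if code is None else code.get("Value")))
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return out + [("assertion_count", len(assertions))]
    a = assertions[0]
    if not a.findtext("saml:Issuer", "", NS).strip():
        out.append(("issuer", "assertion has no Issuer"))
    subject = a.find("saml:Subject", NS)
    if subject is None or subject.find("saml:NameID", NS) is None:
        out.append(("subject", "Subject/NameID missing"))
    bearer = [] if subject is None else [c for c in subject.findall("saml:SubjectConfirmation", NS)
                                         if c.get("Method") == BEARER]
    if not bearer:  # Web Browser SSO profile: at least one bearer confirmation is required
        out.append(("bearer_confirmation", "no bearer SubjectConfirmation"))
    for conf in bearer:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            out.append(("confirmation_data", "missing"))
            continue
        if data.get("Recipient") != acs_url:
            out.append(("recipient", data.get("Recipient")))
        if data.get("InResponseTo") is not None:
            out.append(("in_response_to", "must be absent in SubjectConfirmationData too"))
        expiry = _time(data.get("NotOnOrAfter"))
        if expiry is None or now - skew >= expiry:
            out.append(("confirmation_expiry", data.get("NotOnOrAfter")))
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        out.append(("conditions", "missing"))
    else:
        nb, noa = _time(cond.get("NotBefore")), _time(cond.get("NotOnOrAfter"))
        if nb is not None and now + skew < nb:
            out.append(("not_before", cond.get("NotBefore")))
        if noa is not None and now - skew >= noa:
            out.append(("not_on_or_after", cond.get("NotOnOrAfter")))
        audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
        if sp_entity_id not in audiences:       # schema requires >= 1 Audience; SP wants its entityID
            out.append(("audience", audiences))
    for stmt in a.findall("saml:AuthnStatement", NS):
        snoa = stmt.get("SessionNotOnOrAfter")
        if snoa is not None and _time(snoa) is None:
            out.append(("session_not_on_or_after", repr(snoa)))
    return out

ACS = "http://shib.lynda.com/Shibboleth.sso/SAML2/POST"    # Location from the quoted metadata
SP_ENTITY_ID = "https://shib.lynda.com/shibboleth"         # ASSUMED SP entityID
NOW = datetime(2013, 2, 7, 17, 5, 41, tzinfo=timezone.utc)  # the posted IssueInstant

# Constructed from the posted response: Signature and AttributeStatement dropped,
# attribute spacing normalized so it parses; SAML values exactly as posted.
POSTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"
  ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo=""
  IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
    <saml:Issuer>http://sapient.learn.com</saml:Issuer>
    <saml:Subject><saml:NameID>LEARNSUPPORT</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">
      <saml:AudienceRestriction/>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z" SessionNotOnOrAfter=""/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed minimal corrected form: what an unsolicited POST needs to pass the checks.
FIXED = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS}"
  ID="_r1" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
  <saml:Issuer>http://sapient.learn.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
    <saml:Issuer>http://sapient.learn.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>LEARNSUPPORT</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{ACS}" NotOnOrAfter="2013-02-07T17:10:41Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z"/>
  </saml:Assertion>
</samlp:Response>"""

def findings_for_posted():
    return check_unsolicited_response(POSTED, ACS, SP_ENTITY_ID, NOW)

def findings_for_fixed():
    return check_unsolicited_response(FIXED, ACS, SP_ENTITY_ID, NOW)

if __name__ == "__main__":
    print("posted:", findings_for_posted())
    print("fixed: ", findings_for_fixed())
```

Run against the posted values the checker reports five things: the Destination (https) does not match the ACS Location in the quoted metadata (http), InResponseTo is present rather than absent, there is no bearer SubjectConfirmation, the AudienceRestriction has no Audience, and SessionNotOnOrAfter is an empty string rather than a dateTime. The corrected form passes with the same clock. RelayState does not enter into any of these checks; in the unsolicited flow it is optional, and the SAML Web Browser SSO profile lets the IdP use it to carry the resource URL the SP should send the user on to.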

