IdP initiated SSO

Marc Boorshtein mboorshtein at gmail.com
Thu Feb 7 12:58:15 EST 2013


What version of OIF are they using?  I've done several OIF deployments
and I've never heard of an OIF server that can't do SP initiated when
they're the IdP.  Is there a RelayState parameter in the post?

Marc

On Thu, Feb 7, 2013 at 12:47 PM, Mike Flynn <shibbolethlynda at yahoo.com> wrote:
> I have a private fed trying to integrate to my Shib system.  They are
> running Oracle as the IdP and claim they cannot support SP initiated SSO.
> All of the Idps that I integrate with all use SP initiated.  I assume that
> all they should need to do is POST an assertion to my endpoint here:
>
>     <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="http://shib.lynda.com/Shibboleth.sso/SAML2/POST" index="1"/>
>
> They do that and get a 500 error on my servers and my logs show nothing.
> The assertion they sent is this:
>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"
> ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo=""
> IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>C1fVRAnlLEWmsWgb4wKTpEEh84s=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>
> NRfFI3Aj4B8Erl2UFFToEyHhd3CCOXKhklIALutt+3MzuZR5H33uU2G4DpQCGlpHv+uTe2ejwiz+CUbP1CcsP0+U4KXMevp+60XS7HDW240fayX7sNpvipdW4ZCkTC387VNDPk3G2H6dNpkiosvkfLQc1aBQfjADgh/NWcBRvf/79ht2TSMm/ccl2VL8HngRBEkRRz146uW4XqLuzWWlWctv3GF//I6kqumLBuirUS9E39YxUopiPgqU5zpBp1vZWPiVUi5sYQ9nYZMz+ZfxW9trd1rcVPudsOaQzSHHiLz7FkH6KVywuzRC18KzaHQW0ljhVPbm3oZxNW8JyNrcqg==
> </SignatureValue>
> </Signature>
> <samlp:Status>
> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> </samlp:Status>
> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95"
> IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
> <saml:Issuer>http://sapient.learn.com</saml:Issuer>
> <saml:Subject>
> <saml:NameID>LEARNSUPPORT</saml:NameID>
> </saml:Subject>
> <saml:Conditions NotBefore="2013-02-07T17:04:41Z"
> NotOnOrAfter="2013-02-07T17:10:41Z">
> <saml:AudienceRestriction/>
> </saml:Conditions>
> <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z"
> SessionNotOnOrAfter="">
> <saml:AuthnContext>
> <saml:AuthnContextClassRef>
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> </saml:AuthnContextClassRef>
> </saml:AuthnContext>
> </saml:AuthnStatement>
> <saml:AttributeStatement>
> <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eppn">
> <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="uid">
> <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
> <saml:AttributeValue>Support</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.7" FriendlyName="l">
> <saml:AttributeValue/>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
> <saml:AttributeValue>Learn</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
> FriendlyName="mail">
> <saml:AttributeValue>CJohnson at Taleo.Com</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.101" FriendlyName="C">
> <saml:AttributeValue/>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.102" FriendlyName="UO">
> <saml:AttributeValue/>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.103" FriendlyName="Department">
> <saml:AttributeValue/>
> </saml:Attribute>
> </saml:AttributeStatement>
> </saml:Assertion>
> </samlp:Response>
>
> Are my assumptions correct regarding POST to my endpoint as detailed above?
> Can anyone see an issue regarding the data in the assertion above?  They
> asked about RelayState but that is only valid for SP initiated, correct?
>
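As an added illustration for readers of this thread (not part of the original exchange, and not Shibboleth SP or OpenSAML code), the script below applies a handful of SAML 2.0 schema and Web Browser SSO profile rules that any SP enforces before it looks at attributes: ID-typed attributes such as InResponseTo must be omitted rather than set to an empty string, Destination must equal the endpoint the message actually arrived on, the Subject needs a bearer SubjectConfirmation, an AudienceRestriction must contain at least one Audience, and SessionNotOnOrAfter must be a UTC xs:dateTime if present. The two Responses it checks are constructed: the first copies the shape of the one quoted above (empty InResponseTo, https Destination against an http ACS in metadata, empty AudienceRestriction, empty SessionNotOnOrAfter, no SubjectConfirmation), the second is the same message with those points corrected. Entity IDs and URLs are placeholders, signature verification is out of scope, and the real SP runs many more checks than these, so the script only shows which fields are worth comparing against the actual SP log at debug level.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# SAML 2.0 Core restricts xs:dateTime values to UTC with a trailing "Z".
_DATETIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
# ID-typed attributes are xs:NCName: non-empty, no colon, no leading digit.
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def _utc(value):
    """Parse a SAML UTC timestamp (fractional seconds ignored)."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, acs_url, now, skew=timedelta(minutes=3)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    # An optional ID attribute must be absent, not "": an empty NCName fails
    # schema validation before any SSO logic runs.
    for attr in ("ID", "InResponseTo"):
        value = resp.get(attr)
        if value is not None and not _NCNAME.match(value):
            findings.append("Response/@%s=%r is not a valid NCName; omit it for IdP-initiated SSO" % (attr, value))
    # Destination must equal the endpoint the message was received on.
    dest = resp.get("Destination")
    if dest is not None and dest != acs_url:
        findings.append("Destination %r does not match ACS URL %r" % (dest, acs_url))
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext saml:Assertion in Response"]
    # Web Browser SSO profile: the Subject needs a bearer SubjectConfirmation.
    subject = assertion.find("saml:Subject", NS)
    if subject is None or subject.find("saml:SubjectConfirmation", NS) is None:
        findings.append("Subject has no SubjectConfirmation (bearer confirmation required)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        for attr, value in (("NotBefore", nb), ("NotOnOrAfter", noa)):
            if value is not None and not _DATETIME.match(value):
                findings.append("Conditions/@%s=%r is not a UTC xs:dateTime" % (attr, value))
        if nb and _DATETIME.match(nb) and now + skew < _utc(nb):
            findings.append("assertion not yet valid (NotBefore=%s)" % nb)
        if noa and _DATETIME.match(noa) and now - skew >= _utc(noa):
            findings.append("assertion expired (NotOnOrAfter=%s)" % noa)
        # AudienceRestriction requires at least one Audience child; an empty
        # element is schema-invalid and can never name this SP.
        for ar in cond.findall("saml:AudienceRestriction", NS):
            if ar.find("saml:Audience", NS) is None:
                findings.append("AudienceRestriction has no Audience element")
    for stmt in assertion.findall("saml:AuthnStatement", NS):
        for attr in ("AuthnInstant", "SessionNotOnOrAfter"):
            value = stmt.get(attr)
            if value is not None and not _DATETIME.match(value):
                findings.append("AuthnStatement/@%s=%r is not a UTC xs:dateTime; omit it if unused" % (attr, value))
    return findings


# Constructed inputs (placeholder entity IDs and URLs, no Signature element).
ACS_URL = "http://sp.example.net/Shibboleth.sso/SAML2/POST"
NOW = datetime(2013, 2, 7, 17, 5, 41, tzinfo=timezone.utc)
_HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ' % (NS["samlp"], NS["saml"])
         + 'IssueInstant="2013-02-07T17:05:41Z" Version="2.0" ')
_STATUS = '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
_CTX = ('<saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:'
        'PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>')

# Same shape as the Response quoted in the thread.
AS_POSTED = _HEAD + 'ID="_r1" InResponseTo="" Destination="https://sp.example.net/Shibboleth.sso/SAML2/POST">' + _STATUS + (
    '<saml:Assertion ID="_a1" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">'
    '<saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">'
    '<saml:AudienceRestriction/></saml:Conditions>'
    '<saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z" SessionNotOnOrAfter="">' + _CTX +
    '</saml:AuthnStatement></saml:Assertion></samlp:Response>')

# The same message with the structural problems corrected.
CORRECTED = _HEAD + 'ID="_r2" Destination="%s">' % ACS_URL + _STATUS + (
    '<saml:Assertion ID="_a2" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">'
    '<saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<saml:Subject><saml:NameID>user1</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Recipient="%s" NotOnOrAfter="2013-02-07T17:10:41Z"/>' % ACS_URL +
    '</saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.net/shibboleth</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '<saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z">' + _CTX +
    '</saml:AuthnStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, check_saml_response(doc, ACS_URL, NOW) or "no findings")
```

Run it as-is and the first Response produces five findings while the second produces none. The script cannot tell you why the poster's SP returned a 500 with nothing in its logs; for that, the SP's own log (shibd.log at DEBUG) is the authoritative source, and the fields above are the ones to compare first.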
