IdP initiated SSO
Mike Flynn
shibbolethlynda at yahoo.com
Thu Feb 7 13:01:33 EST 2013
It's Oracle corporation doing this... I will ask about the version. There is no relaystate in the assertion.
________________________________
From: Marc Boorshtein <mboorshtein at gmail.com>
To: Shib Users <users at shibboleth.net>
Sent: Thursday, February 7, 2013 9:58 AM
Subject: Re: IdP initiated SSO
What version of OIF are they using? I've done several OIF deployments
and I've never heard of an OIF server that can't do SP initiated when
they're the IdP. Is there a RelayState parameter in the post?
Marc
On Thu, Feb 7, 2013 at 12:47 PM, Mike Flynn <shibbolethlynda at yahoo.com> wrote:
> I have a private fed trying to integrate to my Shib system. They are
> running Oracle as the IdP and claim they cannot support SP initiated SSO.
> All of the Idps that I integrate with all use SP initiated. I assume that
> all they should need to do is POST an assertion to my endpoint here:
>
> <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="http://shib.lynda.com/Shibboleth.sso/SAML2/POST" index="1"/>
>
> They do that and get a 500 error on my servers and my logs show nothing.
> The assertion they sent is this:
>
> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"
> ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo=""
> IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45">
> <Transforms>
> <Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>C1fVRAnlLEWmsWgb4wKTpEEh84s=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>
> NRfFI3Aj4B8Erl2UFFToEyHhd3CCOXKhklIALutt+3MzuZR5H33uU2G4DpQCGlpHv+uTe2ejwiz+CUbP1CcsP0+U4KXMevp+60XS7HDW240fayX7sNpvipdW4ZCkTC387VNDPk3G2H6dNpkiosvkfLQc1aBQfjADgh/NWcBRvf/79ht2TSMm/ccl2VL8HngRBEkRRz146uW4XqLuzWWlWctv3GF//I6kqumLBuirUS9E39YxUopiPgqU5zpBp1vZWPiVUi5sYQ9nYZMz+ZfxW9trd1rcVPudsOaQzSHHiLz7FkH6KVywuzRC18KzaHQW0ljhVPbm3oZxNW8JyNrcqg==
> </SignatureValue>
> </Signature>
> <samlp:Status>
> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> </samlp:Status>
> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95"
> IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
> <saml:Issuer>http://sapient.learn.com</saml:Issuer>
> <saml:Subject>
> <saml:NameID>LEARNSUPPORT</saml:NameID>
> </saml:Subject>
> <saml:Conditions NotBefore="2013-02-07T17:04:41Z"
> NotOnOrAfter="2013-02-07T17:10:41Z">
> <saml:AudienceRestriction/>
> </saml:Conditions>
> <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z"
> SessionNotOnOrAfter="">
> <saml:AuthnContext>
> <saml:AuthnContextClassRef>
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> </saml:AuthnContextClassRef>
> </saml:AuthnContext>
> </saml:AuthnStatement>
> <saml:AttributeStatement>
> <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eppn">
> <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="uid">
> <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
> <saml:AttributeValue>Support</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.7" FriendlyName="l">
> <saml:AttributeValue/>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
> <saml:AttributeValue>Learn</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
> FriendlyName="mail">
> <saml:AttributeValue>CJohnson at Taleo.Com</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.101" FriendlyName="C">
> <saml:AttributeValue/>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.102" FriendlyName="UO">
> <saml:AttributeValue/>
> </saml:Attribute>
> <saml:Attribute Name="urn:oid:2.5.4.103" FriendlyName="Department">
> <saml:AttributeValue/>
> </saml:Attribute>
> </saml:AttributeStatement>
> </saml:Assertion>
> </samlp:Response>
>
> Are my assumptions correct regarding POST to my endpoint as detailed above?
> Can anyone see an issue regarding the data in the assertion above? They
> asked about RelayState but that is only valid for SP initiated, correct?
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
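The thread never answers the original question of whether anything in the posted Response is wrong. An SP's assertion consumer applies a handful of structural checks to an unsolicited (IdP-initiated) Response before it gets anywhere near attribute processing, and a Response that fails them is rejected with no useful trace in the SP's own logs. The lint below, an added example and not Shibboleth code, runs those checks over a trimmed copy of the Response from the thread (Signature, AuthnContext and AttributeStatement removed for length) and then over a corrected copy. The ACS Location comes from the SP metadata quoted in the thread; the SP entityID is not in the thread and is an assumed placeholder; the clock is pinned to a constructed time inside the assertion's validity window. It does not verify the XML signature, only the message-level and Conditions checks that the posted data lets us inspect.

```python
"""Lint an unsolicited SAML 2.0 Response for the structural problems an SP
rejects before attribute processing. Added example; not Shibboleth code."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# ACS Location as quoted from the SP metadata in the thread.
ACS_LOCATION = "http://shib.lynda.com/Shibboleth.sso/SAML2/POST"
# The SP's entityID is not in the thread; this is an assumed placeholder.
SP_ENTITY_ID = "https://shib.lynda.com/shibboleth"
# Constructed evaluation time, inside the posted assertion's validity window.
NOW = datetime(2013, 2, 7, 17, 6, 0, tzinfo=timezone.utc)

# Constructed sample: the Response posted in the thread, with Signature,
# AuthnContext and AttributeStatement removed to keep it short.
POSTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"
  ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo=""
  IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95"
    IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
    <saml:Issuer>http://sapient.learn.com</saml:Issuer>
    <saml:Subject><saml:NameID>LEARNSUPPORT</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-02-07T17:04:41Z"
      NotOnOrAfter="2013-02-07T17:10:41Z">
      <saml:AudienceRestriction/>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z" SessionNotOnOrAfter=""/>
  </saml:Assertion>
</samlp:Response>"""

XSD_DATETIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
DATETIME_ATTRS = ("IssueInstant", "NotBefore", "NotOnOrAfter", "AuthnInstant", "SessionNotOnOrAfter")


def parse_dt(value):
    """Parse the UTC xs:dateTime form SAML uses; None if malformed (incl. empty)."""
    if not XSD_DATETIME.match(value):
        return None
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def lint_unsolicited_response(xml_text, acs_location, sp_entity_id, now, skew=timedelta(seconds=180)):
    """Return a list of findings; an empty list means the message passes the
    structural checks an SP applies to an IdP-initiated Response."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return [f"root element is {root.tag}, not samlp:Response"]

    # Destination must equal, byte for byte, the endpoint the message was POSTed to.
    dest = root.get("Destination")
    if dest != acs_location:
        findings.append(f"Destination {dest!r} does not match ACS location {acs_location!r}")

    # An unsolicited Response answers no AuthnRequest, so InResponseTo must be absent.
    # An empty string is neither absent nor a valid ID and is rejected outright.
    if "InResponseTo" in root.attrib:
        findings.append(f"InResponseTo={root.get('InResponseTo')!r} present on an unsolicited Response; omit it")

    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")

    # Every dateTime-typed attribute must be a well-formed xs:dateTime.
    for el in root.iter():
        for attr in DATETIME_ATTRS:
            if attr in el.attrib and parse_dt(el.get(attr)) is None:
                findings.append(f"{el.tag.split('}')[1]}/@{attr}={el.get(attr)!r} is not a valid xs:dateTime")

    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        findings.append("no saml:Assertion in Response")
        return findings
    if assertion.find(f"{{{SAML}}}Issuer") is None:
        findings.append("Assertion has no saml:Issuer")
    if assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID") is None:
        findings.append("Assertion has no Subject/NameID")

    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is not None:
        nb, noa = parse_dt(cond.get("NotBefore", "")), parse_dt(cond.get("NotOnOrAfter", ""))
        if nb and now < nb - skew:
            findings.append("Assertion not yet valid (NotBefore in the future)")
        if noa and now >= noa + skew:
            findings.append("Assertion expired (NotOnOrAfter in the past)")
        # The schema requires at least one Audience, and one must name this SP.
        for ar in cond.findall(f"{{{SAML}}}AudienceRestriction"):
            audiences = [a.text.strip() for a in ar.findall(f"{{{SAML}}}Audience") if a.text]
            if not audiences:
                findings.append("AudienceRestriction contains no Audience element")
            elif sp_entity_id not in audiences:
                findings.append(f"Audience {audiences} does not include SP entityID {sp_entity_id!r}")
    return findings


def corrected(xml_text):
    """Apply the four fixes the findings call for, for side-by-side comparison."""
    return (xml_text
            .replace('Destination="https://', 'Destination="http://')
            .replace(' InResponseTo=""', '')
            .replace('<saml:AudienceRestriction/>',
                     f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>')
            .replace(' SessionNotOnOrAfter=""', ''))


if __name__ == "__main__":
    for label, doc in (("as posted", POSTED_RESPONSE), ("corrected", corrected(POSTED_RESPONSE))):
        print(label)
        for f in lint_unsolicited_response(doc, ACS_LOCATION, SP_ENTITY_ID, NOW) or ["no findings"]:
            print("  -", f)
```

Run against the posted message this reports four problems: the Destination is https while the quoted metadata Location is http (the two must match exactly, so one of them has to change), InResponseTo is present but empty, AudienceRestriction carries no Audience, and SessionNotOnOrAfter is an empty string rather than a dateTime. The corrected copy passes. RelayState is not among the checks because it is outside the Response: on an unsolicited POST it is optional and, when present, only tells the SP where to send the browser afterwards.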