IdP initiated SSO

Marc Boorshtein mboorshtein at gmail.com
Thu Feb 7 14:19:26 EST 2013


Ok. Older versions of OIF had a bug that would cause .NET based signature
validators to choke and vice versa.  Thought it might be related.

I used to have an OpenSAML based response validator. If you'd like I can try
and find it and send it to you.

Marc
On Feb 7, 2013 1:34 PM, "Mike Flynn" <shibbolethlynda at yahoo.com> wrote:

> From the IdP:
>
> Hi Mike, we don’t actually use OIF for Learn. The Learn product has its
> own SAML solution, unrelated to OIF, and it’s only IDP-initiated.
>
>   ------------------------------
> *From:* Mike Flynn <shibbolethlynda at yahoo.com>
> *To:* Shib Users <users at shibboleth.net>
> *Sent:* Thursday, February 7, 2013 10:01 AM
> *Subject:* Re: IdP initiated SSO
>
> It's Oracle Corporation doing this...  I will ask about the version.
> There is no RelayState in the assertion.
>
>   ------------------------------
> *From:* Marc Boorshtein <mboorshtein at gmail.com>
> *To:* Shib Users <users at shibboleth.net>
> *Sent:* Thursday, February 7, 2013 9:58 AM
> *Subject:* Re: IdP initiated SSO
>
> What version of OIF are they using?  I've done several OIF deployments
> and I've never heard of an OIF server that can't do SP initiated when
> they're the IdP. Is there a RelayState parameter in the post?
>
> Marc
>
> On Thu, Feb 7, 2013 at 12:47 PM, Mike Flynn <shibbolethlynda at yahoo.com>
> wrote:
> > I have a private fed trying to integrate to my Shib system.  They are
> > running Oracle as the IdP and claim they cannot support SP initiated SSO.
> > All of the IdPs that I integrate with use SP initiated.  I assume that
> > all they should need to do is POST an assertion to my endpoint here:
> >
> >    <md:AssertionConsumerService
> > Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> > Location="http://shib.lynda.com/Shibboleth.sso/SAML2/POST" index="1"/>
> >
> > They do that and get a 500 error on my servers and my logs show nothing.
> > The assertion they sent is this:
> >
> > <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> > Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"
> > ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo=""
> > IssueInstant="2013-02-07T17:05:41Z"Version="2.0">
> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> > <SignedInfo>
> > <CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> > <Reference URI="#uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45">
> > <Transforms>
> > <Transform
> > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> > <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> > </Transforms>
> > <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> > <DigestValue>C1fVRAnlLEWmsWgb4wKTpEEh84s=</DigestValue>
> > </Reference>
> > </SignedInfo>
> > <SignatureValue>
> > NRfFI3Aj4B8Erl2UFFToEyHhd3CCOXKhklIALutt+3MzuZR5H33uU2G4DpQCGlpHv+uTe2ejwiz+CUbP1CcsP0+U4KXMevp+60XS7HDW240fayX7sNpvipdW4ZCkTC387VNDPk3G2H6dNpkiosvkfLQc1aBQfjADgh/NWcBRvf/79ht2TSMm/ccl2VL8HngRBEkRRz146uW4XqLuzWWlWctv3GF//I6kqumLBuirUS9E39YxUopiPgqU5zpBp1vZWPiVUi5sYQ9nYZMz+ZfxW9trd1rcVPudsOaQzSHHiLz7FkH6KVywuzRC18KzaHQW0ljhVPbm3oZxNW8JyNrcqg==
> > </SignatureValue>
> > </Signature>
> > <samlp:Status>
> > <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
> > </samlp:Status>
> > <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> > ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95"
> > IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
> > <saml:Issuer>http://sapient.learn.com</saml:Issuer>
> > <saml:Subject>
> > <saml:NameID>LEARNSUPPORT</saml:NameID>
> > </saml:Subject>
> > <saml:Conditions NotBefore="2013-02-07T17:04:41Z"
> > NotOnOrAfter="2013-02-07T17:10:41Z">
> > <saml:AudienceRestriction/>
> > </saml:Conditions>
> > <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z"
> > SessionNotOnOrAfter="">
> > <saml:AuthnContext>
> > <saml:AuthnContextClassRef>
> > urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> > </saml:AuthnContextClassRef>
> > </saml:AuthnContext>
> > </saml:AuthnStatement>
> > <saml:AttributeStatement>
> > <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eppn">
> > <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
> > </saml:Attribute>
> > <saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="uid">
> > <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
> > </saml:Attribute>
> > <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
> > <saml:AttributeValue>Support</saml:AttributeValue>
> > </saml:Attribute>
> > <saml:Attribute Name="urn:oid:2.5.4.7" FriendlyName="l">
> > <saml:AttributeValue/>
> > </saml:Attribute>
> > <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
> > <saml:AttributeValue>Learn</saml:AttributeValue>
> > </saml:Attribute>
> > <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
> > FriendlyName="mail">
> > <saml:AttributeValue>CJohnson at Taleo.Com</saml:AttributeValue>
> > </saml:Attribute>
> > <saml:Attribute Name="urn:oid:2.5.4.101" FriendlyName="C">
> > <saml:AttributeValue/>
> > </saml:Attribute>
> > <saml:Attribute Name="urn:oid:2.5.4.102" FriendlyName="UO">
> > <saml:AttributeValue/>
> > </saml:Attribute>
> > <saml:Attribute Name="urn:oid:2.5.4.103" FriendlyName="Department">
> > <saml:AttributeValue/>
> > </saml:Attribute>
> > </saml:AttributeStatement>
> > </saml:Assertion>
> > </samlp:Response>
> >
> > Are my assumptions correct regarding POST to my endpoint as detailed above?
> > Can anyone see an issue regarding the data in the assertion above?  They
> > asked about RelayState but that is only valid for SP initiated, correct?
> >
> > --
> > To unsubscribe from this list send an email to
> > users-unsubscribe at shibboleth.net
>
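For readers trying to work out why an unsolicited (IdP-initiated) Response like the one quoted above is rejected before anything reaches the SP logs, here is an added example of the structural pre-flight checks an SP should apply to a POSTed Response before handing it to a full SAML stack for signature verification. This is example code written for this page, not Shibboleth, OIF or OpenSAML code; the endpoint URLs, entity IDs and the sample Response are constructed (the sample mirrors the shape of the quoted one: a missing space before `Version=`, an empty `<AudienceRestriction/>`, an empty `SessionNotOnOrAfter`, and an `https` Destination while the metadata location is `http`), and cryptographic verification of the XML signature is deliberately left to a real library.

```python
"""Pre-flight checks on an unsolicited (IdP-initiated) SAML 2.0 Response posted
to an SP's HTTP-POST AssertionConsumerService. Added example; not Shibboleth,
OIF or OpenSAML code. Signature *crypto* is not verified here."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_post_binding(saml_response_field):
    """The HTTP-POST binding carries the Response base64-encoded in the
    SAMLResponse form field; this undoes that encoding."""
    return base64.b64decode(saml_response_field).decode("utf-8")


def encode_post_binding(xml_text):
    """Inverse of decode_post_binding, for building test POSTs."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _instant(value):
    # SAML timestamps are xs:dateTime in UTC; "" is a defect, not "unset".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_unsolicited_response(xml_text, acs_url, sp_entity_id, trusted_issuers,
                               now, skew=timedelta(minutes=3)):
    """Return (code, detail) findings; empty means every structural check passed."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # e.g. two attributes run together without a space fail right here
        return [("NOT_WELL_FORMED", str(exc))]
    if root.tag != "{%s}Response" % NS["samlp"]:
        return [("NOT_A_RESPONSE", root.tag)]

    # Destination must equal the ACS location exactly, scheme included.
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:
        findings.append(("DESTINATION_MISMATCH", f"{dest} != {acs_url}"))
    # Unsolicited responses carry no InResponseTo; a value would have to
    # match an AuthnRequest this SP actually issued.
    if root.get("InResponseTo"):
        findings.append(("UNEXPECTED_IN_RESPONSE_TO", root.get("InResponseTo")))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append(("NOT_SUCCESS", None if status is None else status.get("Value")))
    # The enveloped signature's Reference must point at the element it signs.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        findings.append(("UNSIGNED_RESPONSE", "no ds:Signature on the Response"))
    elif ref.get("URI") != "#" + (root.get("ID") or ""):
        findings.append(("SIGNATURE_REFERENCE_MISMATCH", ref.get("URI")))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append(("NO_ASSERTION", None))
        return findings
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        findings.append(("UNTRUSTED_ISSUER", issuer))
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        try:  # both bounds are optional in SAML, so only check those present
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb is not None and now + skew < _instant(nb):
                findings.append(("NOT_YET_VALID", nb))
            if noa is not None and now - skew >= _instant(noa):
                findings.append(("EXPIRED", noa))
        except ValueError:
            findings.append(("BAD_CONDITIONS_TIME", "NotBefore/NotOnOrAfter malformed"))
        restriction = cond.find("saml:AudienceRestriction", NS)
        if restriction is not None:
            audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
            if sp_entity_id not in audiences:  # an empty restriction names nobody
                findings.append(("AUDIENCE_MISMATCH", audiences))
    for stmt in assertion.findall("saml:AuthnStatement", NS):
        expiry = stmt.get("SessionNotOnOrAfter")
        if expiry is not None:
            try:
                _instant(expiry)
            except ValueError:
                findings.append(("BAD_SESSION_EXPIRY", repr(expiry)))
    return findings


# Constructed sample Response (not the one from the thread, but the same shape).
RESPONSE_AS_POSTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST"
 ID="_resp1" InResponseTo="" IssueInstant="2013-02-07T17:05:41Z"Version="2.0">
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
  <Reference URI="#_resp1"/></SignedInfo><SignatureValue>AAAA</SignatureValue></Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"
  IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>LEARNSUPPORT</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">
   <saml:AudienceRestriction/></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z" SessionNotOnOrAfter=""/>
 </saml:Assertion></samlp:Response>"""
RESPONSE_WELL_FORMED = RESPONSE_AS_POSTED.replace('Z"Version=', 'Z" Version=')

ACS_URL = "http://sp.example.org/Shibboleth.sso/SAML2/POST"  # as published in SP metadata
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
TRUSTED_ISSUERS = {"https://idp.example.com"}
NOW = datetime(2013, 2, 7, 17, 6, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=14)  # past NotOnOrAfter even with skew


def codes(xml_text, now=NOW):
    """Run the checks on a Response as it would arrive in the SAMLResponse field."""
    posted = decode_post_binding(encode_post_binding(xml_text))
    return [c for c, _ in check_unsolicited_response(posted, ACS_URL, SP_ENTITY_ID, TRUSTED_ISSUERS, now)]


if __name__ == "__main__":
    print(codes(RESPONSE_AS_POSTED))    # ['NOT_WELL_FORMED']
    print(codes(RESPONSE_WELL_FORMED))  # ['DESTINATION_MISMATCH', 'AUDIENCE_MISMATCH', 'BAD_SESSION_EXPIRY']
```

The point of running the checks in this order is that a Response which is not well-formed XML never gets as far as the semantic checks, which is consistent with an SP returning a bare 500 with nothing useful in its own logs; once the XML parses, the remaining findings are the things an SP compares against its own metadata (ACS location, entity ID, trusted issuers) and the clock, independently of whether the signature itself is good.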