IdP initiated SSO
Mike Flynn
shibbolethlynda at yahoo.com
Thu Feb 7 14:20:37 EST 2013
That would be awesome, Marc.
________________________________
From: Marc Boorshtein <mboorshtein at gmail.com>
To: Shib Users <users at shibboleth.net>
Sent: Thursday, February 7, 2013 11:19 AM
Subject: Re: IdP initiated SSO
Ok. Older versions of OIF had a bug that would cause .NET based signature validators to choke and vice versa. Thought it might be related.
I used to have an OpenSAML based response validator. If you'd like I can try and find it and send it to you.
Marc
On Feb 7, 2013 1:34 PM, "Mike Flynn" <shibbolethlynda at yahoo.com> wrote:
From the IdP:
>
>
>Hi Mike, we don’t actually use OIF for Learn. The Learn product has its own SAML solution, unrelated to OIF, and it’s only IDP-initiated.
>
>
>
>
>________________________________
> From: Mike Flynn <shibbolethlynda at yahoo.com>
>To: Shib Users <users at shibboleth.net>
>Sent: Thursday, February 7, 2013 10:01 AM
>Subject: Re: IdP initiated SSO
>
>
>It's Oracle corporation doing this... I will ask about the version. There is no relaystate in the assertion.
>
>
>
>________________________________
> From: Marc Boorshtein <mboorshtein at gmail.com>
>To: Shib Users <users at shibboleth.net>
>Sent: Thursday, February 7, 2013 9:58 AM
>Subject: Re: IdP initiated SSO
>
>What version of OIF are they using? I've done several OIF deployments
>and I've never heard of an OIF server that can't do SP initiated when
>they're the IdP. Is there a RelayState parameter in the post?
>
>Marc
>
>On Thu, Feb 7, 2013 at 12:47 PM, Mike Flynn <shibbolethlynda at yahoo.com> wrote:
>> I have a private fed trying to integrate to my Shib system. They are
>> running Oracle as the IdP and claim they cannot support SP initiated SSO.
>> All of the IdPs that I integrate with use SP initiated. I assume that
>> all they should need to do is POST an assertion to my endpoint here:
>>
>> <md:AssertionConsumerService
>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>> Location="http://shib.lynda.com/Shibboleth.sso/SAML2/POST"
>> index="1"/>
>>
>>
>> They do that and get a 500 error on my servers and my logs show nothing.
>> The assertion they sent is this:
>>
>> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>> Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"
>> ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo=""
>> IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>> <SignedInfo>
>> <CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> <Reference URI="#uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45">
>> <Transforms>
>> <Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> </Transforms>
>> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <DigestValue>C1fVRAnlLEWmsWgb4wKTpEEh84s=</DigestValue>
>> </Reference>
>> </SignedInfo>
>> <SignatureValue>
>> NRfFI3Aj4B8Erl2UFFToEyHhd3CCOXKhklIALutt+3MzuZR5H33uU2G4DpQCGlpHv+uTe2ejwiz+CUbP1CcsP0+U4KXMevp+60XS7HDW240fayX7sNpvipdW4ZCkTC387VNDPk3G2H6dNpkiosvkfLQc1aBQfjADgh/NWcBRvf/79ht2TSMm/ccl2VL8HngRBEkRRz146uW4XqLuzWWlWctv3GF//I6kqumLBuirUS9E39YxUopiPgqU5zpBp1vZWPiVUi5sYQ9nYZMz+ZfxW9trd1rcVPudsOaQzSHHiLz7FkH6KVywuzRC18KzaHQW0ljhVPbm3oZxNW8JyNrcqg==
>> </SignatureValue>
>> </Signature>
>> <samlp:Status>
>> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>> </samlp:Status>
>> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>> ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95"
>> IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
>> <saml:Issuer>http://sapient.learn.com</saml:Issuer>
>> <saml:Subject>
>> <saml:NameID>LEARNSUPPORT</saml:NameID>
>> </saml:Subject>
>> <saml:Conditions NotBefore="2013-02-07T17:04:41Z"
>> NotOnOrAfter="2013-02-07T17:10:41Z">
>> <saml:AudienceRestriction/>
>> </saml:Conditions>
>> <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z"
>> SessionNotOnOrAfter="">
>> <saml:AuthnContext>
>> <saml:AuthnContextClassRef>
>> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>> </saml:AuthnContextClassRef>
>> </saml:AuthnContext>
>> </saml:AuthnStatement>
>> <saml:AttributeStatement>
>> <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eppn">
>> <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
>> </saml:Attribute>
>> <saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="uid">
>> <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
>> </saml:Attribute>
>> <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
>> <saml:AttributeValue>Support</saml:AttributeValue>
>> </saml:Attribute>
>> <saml:Attribute Name="urn:oid:2.5.4.7" FriendlyName="l">
>> <saml:AttributeValue/>
>> </saml:Attribute>
>> <saml:Attribute Name="urn:oid:2.5.4.42"
>> FriendlyName="givenName">
>> <saml:AttributeValue>Learn</saml:AttributeValue>
>> </saml:Attribute>
>> <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
>> FriendlyName="mail">
>> <saml:AttributeValue>CJohnson at Taleo.Com</saml:AttributeValue>
>> </saml:Attribute>
>> <saml:Attribute Name="urn:oid:2.5.4.101" FriendlyName="C">
>> <saml:AttributeValue/>
>> </saml:Attribute>
>> <saml:Attribute Name="urn:oid:2.5.4.102" FriendlyName="UO">
>> <saml:AttributeValue/>
>> </saml:Attribute>
>> <saml:Attribute Name="urn:oid:2.5.4.103" FriendlyName="Department">
>> <saml:AttributeValue/>
>> </saml:Attribute>
>> </saml:AttributeStatement>
>> </saml:Assertion>
>> </samlp:Response>
>>
>> Are my assumptions correct regarding POST to my endpoint as detailed above?
>> Can anyone see an issue regarding the data in the assertion above? They
>> asked about RelayState but that is only valid for SP initiated, correct?
>>
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
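An added example, not code from this thread, from Shibboleth or from Oracle: a small Python lint that parses the quoted response and flags the conditions a Shibboleth SP enforces on an unsolicited (IdP-initiated) response before it will build a session. It checks that Destination equals the ACS URL the SP serves, that InResponseTo is absent rather than empty, that the Subject carries a SubjectConfirmation, that an Audience names the SP, and that SessionNotOnOrAfter is not an empty string. The sample is a trimmed copy of the response quoted above with the signature left out; the ACS URL is the http Location from the quoted metadata, and the SP entityID in the usage call is an assumed placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the quoted response, trimmed, signature omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"
  ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo=""
  IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
    <saml:Issuer>http://sapient.learn.com</saml:Issuer>
    <saml:Subject><saml:NameID>LEARNSUPPORT</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">
      <saml:AudienceRestriction/>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z" SessionNotOnOrAfter=""/>
  </saml:Assertion>
</samlp:Response>"""

def lint_unsolicited_response(xml_text, acs_url, sp_entity_id):
    """Return a list of findings; an empty list means none of these checks fired."""
    root = ET.fromstring(xml_text)
    findings = []
    # Unsolicited responses answer no AuthnRequest: InResponseTo must be omitted, not "".
    if root.get("InResponseTo") == "":
        findings.append("InResponseTo is present but empty; omit it for unsolicited responses")
    # The SP compares Destination with the URL it actually received the POST on.
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no Assertion in Response")
        return findings
    # HTTP-POST delivery needs a bearer SubjectConfirmation; none at all is rejected.
    if assertion.find("saml:Subject/saml:SubjectConfirmation", NS) is None:
        findings.append("Subject has no SubjectConfirmation (bearer method expected)")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"AudienceRestriction does not name SP entityID {sp_entity_id!r}")
    for stmt in assertion.findall("saml:AuthnStatement", NS):
        if stmt.get("SessionNotOnOrAfter") == "":  # empty string is not a valid xs:dateTime
            findings.append("SessionNotOnOrAfter is empty; omit it or supply a dateTime")
    return findings

if __name__ == "__main__":
    # ACS Location from the quoted metadata; entityID is an assumed placeholder.
    for f in lint_unsolicited_response(SAMPLE, "http://shib.lynda.com/Shibboleth.sso/SAML2/POST",
                                       "https://shib.lynda.com/shibboleth"):
        print(f)
```

Run against the quoted response it reports five findings, which is a better starting point than a 500 with nothing in the SP log.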