IdP initiated SSO
Eric Goodman
Eric.Goodman at ucop.edu
Thu Feb 7 15:00:07 EST 2013
Apologies if I'm misunderstanding, but if the SP is trying to simulate initiating a login request, then shouldn't they be sending a "samlp:AuthnRequest" and not a "samlp:Response"? I don't know that this would affect the 500 error, but in the most recent case where we had to do the same thing (work around an SP that can't do SP-initiated SSO) that's the request type they ended up sending us.
--- Eric
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Mike Flynn
Sent: Thursday, February 07, 2013 9:47 AM
To: Shib Users
Subject: IdP initiated SSO
I have a private fed trying to integrate with my Shib system. They are running Oracle as the IdP and claim they cannot support SP-initiated SSO. All of the IdPs that I integrate with use SP-initiated. I assume that all they should need to do is POST an assertion to my endpoint here:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://shib.lynda.com/Shibboleth.sso/SAML2/POST" index="1"/>
They do that and get a 500 error on my servers and my logs show nothing. The assertion they sent is this:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST" ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo="" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>C1fVRAnlLEWmsWgb4wKTpEEh84s=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
NRfFI3Aj4B8Erl2UFFToEyHhd3CCOXKhklIALutt+3MzuZR5H33uU2G4DpQCGlpHv+uTe2ejwiz+CUbP1CcsP0+U4KXMevp+60XS7HDW240fayX7sNpvipdW4ZCkTC387VNDPk3G2H6dNpkiosvkfLQc1aBQfjADgh/NWcBRvf/79ht2TSMm/ccl2VL8HngRBEkRRz146uW4XqLuzWWlWctv3GF//I6kqumLBuirUS9E39YxUopiPgqU5zpBp1vZWPiVUi5sYQ9nYZMz+ZfxW9trd1rcVPudsOaQzSHHiLz7FkH6KVywuzRC18KzaHQW0ljhVPbm3oZxNW8JyNrcqg==
</SignatureValue>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
<saml:Issuer>http://sapient.learn.com</saml:Issuer>
<saml:Subject>
<saml:NameID>LEARNSUPPORT</saml:NameID>
</saml:Subject>
<saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">
<saml:AudienceRestriction/>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z" SessionNotOnOrAfter="">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eppn">
<saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="uid">
<saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
<saml:AttributeValue>Support</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.7" FriendlyName="l">
<saml:AttributeValue/>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
<saml:AttributeValue>Learn</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
<saml:AttributeValue>CJohnson at Taleo.Com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.101" FriendlyName="C">
<saml:AttributeValue/>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.102" FriendlyName="UO">
<saml:AttributeValue/>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.103" FriendlyName="Department">
<saml:AttributeValue/>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Are my assumptions correct regarding POST to my endpoint as detailed above? Can anyone see an issue regarding the data in the assertion above? They asked about RelayState but that is only valid for SP initiated, correct?
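As an added example (not part of either message above), a small Python lint that checks an unsolicited Response against the points this thread raises: the Destination versus the ACS Location in the SP metadata (note the https/http difference in the posted message), an empty InResponseTo, an AudienceRestriction with no Audience, and an empty SessionNotOnOrAfter. The SP entityID is a placeholder, and the embedded sample is a trimmed, constructed copy of the posted Response with the signature and attributes removed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: trimmed copy of the Response posted in the thread
# (signature and AttributeStatement removed; suspect attributes kept as posted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"
  ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo=""
  IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
  <saml:Issuer>http://sapient.learn.com</saml:Issuer>
  <saml:Subject><saml:NameID>LEARNSUPPORT</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">
   <saml:AudienceRestriction/>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z" SessionNotOnOrAfter=""/>
 </saml:Assertion>
</samlp:Response>"""

def lint_unsolicited_response(xml_text, acs_location, sp_entity_id):
    """Return the problems an SP would raise for an IdP-initiated Response.
    Signature verification and clock checks are out of scope here."""
    root = ET.fromstring(xml_text)
    problems = []
    # The SP compares Destination with the endpoint it actually received the POST on.
    if root.get("Destination") != acs_location:
        problems.append("Destination does not match the ACS Location in SP metadata")
    # An unsolicited Response answers no request: the attribute must be absent,
    # not empty (InResponseTo is an NCName, so "" is schema-invalid).
    if root.get("InResponseTo") is not None:
        problems.append("InResponseTo must be omitted on an unsolicited Response")
    for a in root.findall("saml:Assertion", NS):
        ar = a.find("saml:Conditions/saml:AudienceRestriction", NS)
        audiences = [x.text for x in ar.findall("saml:Audience", NS)] if ar is not None else []
        if ar is not None and sp_entity_id not in audiences:
            problems.append("AudienceRestriction has no Audience naming the SP entityID")
        s = a.find("saml:AuthnStatement", NS)
        if s is not None and s.get("SessionNotOnOrAfter") == "":
            problems.append("SessionNotOnOrAfter is empty; omit it or give a valid dateTime")
    return problems
```

Run it against the ACS Location from the metadata above (http) and again against the https form to see which findings depend on the endpoint and which are intrinsic to the message.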