Shibboleth IdP Issuer

Rawlinson, Philip (rawlinpa) RAWLINPA at UCMAIL.UC.EDU
Mon Feb 18 11:37:12 EST 2013


We are having issues with our IdP working with the SP https://proxy.ohiolink.edu/shibboleth. The people at OhioLINK are telling us that we are not sending an Issuer which they require. We do not have any specific settings in our IdP configurations for https://proxy.ohiolink.edu/shibboleth and we are both members of the InCommon Federation. We are not intentionally not sending the Issuer. We are looking for reasons why we are not sending the Issuer and how to make our IdP send the Issuer to this SP.

A few other things to note are that Shibboleth is using the SAML 1.0 browser post binding below. We use SAML2 with all other non-OhioLINK SPs so I am not sure what is causing that to happen. Here are the 4 possibilities from their metadata in the InCommon file:
<md:AssertionConsumerService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://proxy.ohiolink.edu:9100/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://proxy.ohiolink.edu:9100/Shibboleth.sso/SAML2/Artifact" index="2"/>
<md:AssertionConsumerService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://proxy.ohiolink.edu:9100/Shibboleth.sso/SAML/POST" index="3"/>
<md:AssertionConsumerService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://proxy.ohiolink.edu:9100/Shibboleth.sso/SAML/Artifact" index="4"/>

There is an error in the IdP logs:
10:04:19.277 - ERROR [org.opensaml.ws.security.provider.MandatoryAuthenticatedMessageRule:37] - Inbound message issuer was not authenticated.
10:04:19.278 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler:180] - Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound message issuer was not authenticated.

One of the certificates in the InCommon Metadata file for https://proxy.ohiolink.edu/shibboleth had expired at the end of January, but that has since been updated in the file and we have the latest InCommon Metadata file.

Scott- I know Joseph from OARnet messaged you about part of this last week. He also mentioned that OSU uses SAML1 in their communication with OhioLINK.

Thanks,
Philip
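A metadata audit for the question above, added here as example code (not from the original post or the Shibboleth project): it parses the four AssertionConsumerService endpoints quoted in the post, wrapped in a constructed EntityDescriptor whose SPSSODescriptor attributes are assumptions, groups the advertised bindings by SAML version, and mirrors the endpoint check an IdP performs before returning an assertion, accepting only ACS locations present in trusted federation metadata.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML1_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"

# Constructed EntityDescriptor: the four ACS lines are the ones quoted in the post,
# the entityID is the one named in the post, the SPSSODescriptor attributes are assumed.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://proxy.ohiolink.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://proxy.ohiolink.edu:9100/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://proxy.ohiolink.edu:9100/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://proxy.ohiolink.edu:9100/Shibboleth.sso/SAML/POST" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://proxy.ohiolink.edu:9100/Shibboleth.sso/SAML/Artifact" index="4"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """Return the SP's ACS endpoints as (index, binding, location), sorted by index."""
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        endpoints.append((int(acs.get("index")), acs.get("Binding"), acs.get("Location")))
    return sorted(endpoints)


def bindings_by_protocol(metadata_xml):
    """Group the advertised ACS bindings by SAML version, so it is obvious whether
    the SP can take a SAML2 response at all or only the SAML1 browser profiles."""
    grouped = {"SAML1": [], "SAML2": []}
    for _, binding, location in acs_endpoints(metadata_xml):
        key = "SAML2" if ":SAML:2.0:" in binding else "SAML1"
        grouped[key].append((binding, location))
    return grouped


def resolve_acs(metadata_xml, binding, requested_location=None):
    """Mirror the IdP's endpoint check: an assertion is only ever sent to a Location
    that appears in trusted metadata for the requested binding. If the SP's request
    names a location it must match metadata exactly; otherwise the lowest-index
    endpoint for that binding is used. Returns None when no trusted endpoint exists."""
    candidates = [loc for _, b, loc in acs_endpoints(metadata_xml) if b == binding]
    if requested_location is not None:
        return requested_location if requested_location in candidates else None
    return candidates[0] if candidates else None
```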