Issue with URL re-direct after IDP authentication - signing Assertion

justin9 justin9 at ymail.com
Thu Jul 11 13:30:28 EDT 2013


Hi Scott,
My IDP updated the certificate to the default one, which is generated while
installing Shib, and I still have the same issue: on the first attempt after
authenticating, it's not redirected to my landing page, but if I paste my URL
and press enter then it happens.
Attached is my shibboleth2.xml file.
shib2.txt <http://shibboleth.1660669.n2.nabble.com/file/n7588427/shib2.txt>  

What I believe could be the issue is (correct me if I'm wrong) I don't have
attributes like

<TrustEngine type="Chaining">
    <TrustEngine type="ExplicitKey"/>
    <TrustEngine type="PKIX"/>
</TrustEngine>


or 

<md:AssertionConsumerService Location="/SAML2/POST" index="1"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

Do I need these, or is my shibboleth2.xml incomplete for assertion
signing?

From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net> 
Sent: Thursday, July 11, 2013 11:15 AM
Subject: RE: Issue with URL re-direct after IDP authentication - signing Assertion

> But is there a reason why you suggested not to use a certificate from
> Entrust
> but to use the one provided during Shib installation?

That certificate is for server side TLS and that has nothing to do with the
SP's use of a certificate. Unless you'd like for things to break every time
that certificate expires or is renewed, you should not be using it for
purposes other than its intended one.

-- Scott

