question about IdP initiated SSO

Mark K. Miller max at psu.edu
Fri Jul 26 14:21:36 EDT 2013


On Fri, 26 Jul 2013, Michael A Grady wrote:

> Also, I don't understand how they could care about AuthnRequest 
> settings when you say you are setting this up for IdP-Initiated SSO, 
> which implies that there isn't a real Authn request to start with. 
> (Unless I'm missing something.)

Oh yeah, good catch, Mike!  My bad, I forgot to comment on that.  We are 
NOT doing IdP-Initiated SSO with them.

> On Jul 26, 2013, at 12:54 PM, Mark K. Miller wrote:
>
>>
>> Hi Joy,
>>
>> What metadata are you using for Skillsoft that mentions
>> AuthnRequestsSigned="true"?
>>
>> Several months ago, Penn State convinced them to join InCommon and
>> register their metadata there (entityID="https://sso.skillport.com").
>> That's the metadata I use for them, and I didn't see the issue you're
>> describing.
>>
>> Hope that helps,
>>
>> Max
>>
>> On Fri, 26 Jul 2013, Joy Veronneau wrote:
>>
>>> Hi,
>>> I am working on configuring our IdP (v 2.3.3) with Skillsoft. We want to use
>>> IdP initiated SSO, and we also use IdP initiated SSO for some other vendors
>>> (WebEx and WorkDay among them.)
>>>
>>> My question centers around using
>>> AuthnRequestsSigned="true"
>>>
>>> in the Skillsoft SP metadata. If I set this to false, then everything works.
>>> If I set it to true, as they would like it set, then I get this error on the
>>> IdP:
>>>
>>> 11:37:28.033 - ERROR
>>> [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:87] -
>>> SPSSODescriptor for entity ID 'https://sso.skillport.com' indicates
>>> AuthnRequests must be signed, but inbound message was not signed
>>> 11:37:28.038 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:348] -
>>> Message did not meet security requirements
>>> org.opensaml.ws.security.SecurityPolicyException: Inbound AuthnRequest was
>>> required to be signed but was not
>>>
>>> Is there a way to configure IdP initiated SSO for AuthnRequestsSigned="true"
>>> without breaking our other IdP initiated SSO implementations?
>>>
>>> Thanks,
>>>
>>> Joy
>>>
>>>
>>>
>>>
>>>
>> --
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
>
> --
> Michael A. Grady
> Senior IAM Consultant, Unicon, Inc.
>
>
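
Added example, not part of the original thread and not Shibboleth or OpenSAML code: a Python audit that reads SP metadata, reports which entities set AuthnRequestsSigned="true", and models the accept/reject decision seen in the quoted log for an unsigned inbound request. The sample metadata, the second entityID and the function names are constructed for illustration; only https://sso.skillport.com comes from the thread.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed, trimmed sample metadata (no endpoints or keys); only the
# first entityID appears in the thread, the second is hypothetical.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://sso.skillport.com">
    <SPSSODescriptor AuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def signing_requirements(metadata_xml):
    """Map each SP entityID to True if it demands signed AuthnRequests."""
    # Local, trusted metadata is assumed here; parse untrusted XML with a
    # hardened parser such as defusedxml instead.
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also matches the root, so a bare EntityDescriptor file works too.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        for sp in entity.findall(f"{{{MD}}}SPSSODescriptor"):
            # xs:boolean accepts "true" and "1"; an absent attribute means false.
            flag = sp.get("AuthnRequestsSigned", "false").strip()
            result[entity.get("entityID")] = flag in ("true", "1")
    return result


def check_inbound(requirements, entity_id, message_signed):
    """Simplified model of the signed-request rule: (accepted, reason)."""
    if requirements.get(entity_id, False) and not message_signed:
        return False, "AuthnRequests must be signed, but inbound message was not signed"
    return True, "ok"


if __name__ == "__main__":
    reqs = signing_requirements(SAMPLE_METADATA)
    for eid, required in sorted(reqs.items()):
        print(eid, "| requires signed AuthnRequests:", required,
              "| unsigned request ->", check_inbound(reqs, eid, False))
```

Running it against a locally configured metadata file shows, per SP, whether an unsigned request would be rejected, without having to toggle the attribute and watch the IdP log.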

