NOT a heartbleed question

[Martin, Andrew J.]

One last note regarding IDP initiated SSO -

I found that on our 2.3.6 IdP that had been upgraded from an earlier version - the configuration file must have carried over from an earlier version, since IdP initiated SSO was not enabled by default.  I had to explicitly add the <ProfileHandler> and message decoder into my handler.xml and internal.xml files manually.

The wiki page does mention this. Just an FYI if you run into a similar situation in which your IdP doesn't recognize the "/idp/profile/SAML2/Unsolicited/SSO" path out of the box.

-Andy

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Paul Hethmon
Sent: Thursday, April 10, 2014 2:26 PM
To: Shibboleth Users
Subject: Re: NOT a heartbleed question


On Apr 10, 2014, at 2:11 PM, Bryan E. Wooten <bryan.wooten at utah.edu<mailto:bryan.wooten at utah.edu>> wrote:


First they want to do IDP initiated login. We have never done that before. Is it as easy as I am lead to believe from this wiki page:

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO

All need is a link like this: https://myidp.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=someid&shire=providerURL

Yes, that's pretty much it.

The vendor does not supply meta-data. I thought that was a requirement.

You will have to create a metadata file for Shib to read from their data. One thought on that is to give them a metadata file with the entityID, ACS URL's empty and tell them to fill it in.



And last does my 2.3.5 IDP meet these requirements out of the box or do I have work to do (beyond just configuration)?


Yes, all of that is specified by the SAML spec itself.

Paul

Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com<mailto:paul.hethmon at clareitysecurity.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20140410/fe293c42/attachment.html