SOAP SLO handler: what would it be used for?

Andrew Morgan morgan at orst.edu
Wed Apr 16 17:27:32 EDT 2014


On Wed, 16 Apr 2014, Tom Scavo wrote:

> On Wed, Apr 16, 2014 at 1:07 PM, Wessel, Keith <kwessel at illinois.edu> wrote:
>>
>> We’ve decided, since nobody’s using it, to get rid of back-channel handler
>> support on our IDP.
>
> That's good news. Your metadata (and your configuration) will be
> greatly simplified.
>
>> I encourage others to consider this route.
>
> Indeed. For new IdPs, it's mostly a no-brainer. Here are some
> preliminary thoughts on this issue:
>
> https://spaces.internet2.edu/x/4YHYAg
>
> Those recommendations have not yet been vetted, however, so take them
> with a grain of salt. If anyone has comments or suggestions, I'd like
> to hear them.

I'm planning to publish metadata to InCommon soon, so this topic is very 
interesting.  I have a default-ish install of the IDP with, I assume, all 
the endpoints enabled.

I'm thinking of doing the following to remove Shibboleth 1.0 support, 
SAML1 support, attribute query support, and artifact resolution support:

1. In metadata/idp-metadata.xml, set:

     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

   (remove urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol)

2. In metadata/idp-metadata.xml, remove these from the IDPSSODescriptor 
section:

     <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://login.oregonstate.edu:8243/idp-dev/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
     <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://login.oregonstate.edu:8243/idp-dev/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
     <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
     <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://login.oregonstate.edu/idp-dev/profile/Shibboleth/SSO"/>

3. In metadata/idp-metadata.xml, set:

     <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

   (remove urn:oasis:names:tc:SAML:1.1:protocol)

4. In metadata/idp-metadata.xml, remove these from the 
AttributeAuthorityDescriptor section:

     <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://login.oregonstate.edu:8243/idp-dev/profile/SAML1/SOAP/AttributeQuery"/>
     <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://login.oregonstate.edu:8243/idp-dev/profile/SAML2/SOAP/AttributeQuery"/>
     <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

5. In conf/handler.xml, remove:

     <ph:ProfileHandler xsi:type="ph:ShibbolethSSO" inboundBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                        outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:profiles:browser-post
                                                    urn:oasis:names:tc:SAML:1.0:profiles:artifact-01">
         <ph:RequestPath>/Shibboleth/SSO</ph:RequestPath>
     </ph:ProfileHandler>

     <ph:ProfileHandler xsi:type="ph:SAML1AttributeQuery" inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                        outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
         <ph:RequestPath>/SAML1/SOAP/AttributeQuery</ph:RequestPath>
     </ph:ProfileHandler>

     <ph:ProfileHandler xsi:type="ph:SAML1ArtifactResolution" inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                        outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
         <ph:RequestPath>/SAML1/SOAP/ArtifactResolution</ph:RequestPath>
     </ph:ProfileHandler>

     <ph:ProfileHandler xsi:type="ph:SAML2ECP" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                        outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
         <ph:RequestPath>/SAML2/SOAP/ECP</ph:RequestPath>
     </ph:ProfileHandler>

     <ph:ProfileHandler xsi:type="ph:SAML2AttributeQuery" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                        outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
         <ph:RequestPath>/SAML2/SOAP/AttributeQuery</ph:RequestPath>
     </ph:ProfileHandler>

     <ph:ProfileHandler xsi:type="ph:SAML2ArtifactResolution" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                        outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
         <ph:RequestPath>/SAML2/SOAP/ArtifactResolution</ph:RequestPath>
     </ph:ProfileHandler>

6. In conf/handler.xml, remove 
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" from the 
outboundBindingEnumeration values.


Does that about cover it?

 	Andy
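The six steps above are a manual edit of metadata/idp-metadata.xml, and the easiest mistake is to leave a SAML1 or back-channel token behind in one descriptor while cleaning the other. The following script is an added example, not part of this thread or of the Shibboleth project: it parses an IdP metadata file and reports every remaining Shibboleth 1.0 / SAML 1.1 protocol token, ArtifactResolutionService, back-channel AttributeService, Shibboleth 1.0 SingleSignOnService and Shibboleth 1.0 NameIDFormat. The two embedded metadata documents are constructed samples modelled on the fragments in the message (hostname idp.example.org, not a real site). One caveat the script also checks: the SAML metadata schema requires at least one AttributeService inside an AttributeAuthorityDescriptor, so after step 4 the now-empty descriptor should be removed as a whole rather than left in place.

```python
"""Audit a Shibboleth IdP 2.x metadata file for leftover SAML1 / back-channel endpoints.

Added example (not code from the mailing-list thread or the Shibboleth project).
Usage: python audit_idp_metadata.py metadata/idp-metadata.xml
"""
import sys
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
SHIB1_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"
SHIB1_AUTHN = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"


def _q(tag: str) -> str:
    """Qualify a local name with the SAML 2.0 metadata namespace."""
    return f"{{{NS_MD}}}{tag}"


def audit_idp_metadata(xml_text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means the
    metadata advertises only SAML 2.0 front-channel capabilities."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    for role in ("IDPSSODescriptor", "AttributeAuthorityDescriptor"):
        for desc in root.iter(_q(role)):
            # Step 1 / step 3: only the SAML 2.0 protocol token should remain.
            for proto in desc.get("protocolSupportEnumeration", "").split():
                if proto != SAML2_PROTO:
                    findings.append(f"{role}: protocolSupportEnumeration still lists {proto}")
            # Step 2: artifact resolution is a back-channel (SOAP) endpoint.
            for ars in desc.findall(_q("ArtifactResolutionService")):
                findings.append(f"{role}: ArtifactResolutionService ({ars.get('Binding')}) at {ars.get('Location')}")
            # Step 4: attribute query is a back-channel endpoint.
            for svc in desc.findall(_q("AttributeService")):
                findings.append(f"{role}: AttributeService ({svc.get('Binding')}) at {svc.get('Location')}")
            # Step 2: the Shibboleth 1.0 AuthnRequest profile.
            for sso in desc.findall(_q("SingleSignOnService")):
                if sso.get("Binding") == SHIB1_AUTHN:
                    findings.append(f"{role}: Shibboleth 1.0 SingleSignOnService at {sso.get('Location')}")
            # Steps 2 and 4: the Shibboleth 1.0 NameIdentifier format.
            for nif in desc.findall(_q("NameIDFormat")):
                if (nif.text or "").strip() == SHIB1_NAMEID:
                    findings.append(f"{role}: NameIDFormat {SHIB1_NAMEID}")
            # Schema caveat: AttributeService is required (minOccurs=1) inside
            # AttributeAuthorityDescriptor, so an emptied descriptor is invalid.
            if role == "AttributeAuthorityDescriptor" and not desc.findall(_q("AttributeService")):
                findings.append("AttributeAuthorityDescriptor: no AttributeService left; "
                                "the schema requires at least one, so remove the whole descriptor")
    return findings


# Constructed sample: default-style IdP metadata before the clean-up.
BEFORE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
"""

# Constructed sample: the same IdP after all back-channel support is removed.
AFTER = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def main(argv: list[str]) -> int:
    """Audit the file given on the command line, or the embedded samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            findings = audit_idp_metadata(fh.read())
    else:
        findings = audit_idp_metadata(BEFORE)
    for line in findings:
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the real metadata/idp-metadata.xml the exit status is non-zero while anything flagged remains, which makes the check easy to wire into whatever review step precedes publishing the metadata to a federation. Note that the audit only looks at the metadata; the matching handler.xml entries from steps 5 and 6 still have to be removed by hand, since an endpoint left enabled in handler.xml keeps answering even when the federation metadata no longer advertises it.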

