funny AssertionConsumerService URL

Martin Haase Martin.Haase at DAASI.de
Thu Feb 13 13:22:33 EST 2014


Hi Scott,

On 13.02.2014 18:31, Cantor, Scott wrote:
> On 2/13/14, 11:50 AM, "Martin Haase" <Martin.Haase at DAASI.de> wrote:
>
>> Hi,
>> maybe I'm naive, but I always thought it is the ServerName directive
>> that determines the SP's ACS URL when UseCanonicalName is On.
> It is when you directly access a resource because the target in that case
> is self-referential.
Ah, I see, thanks for clarification.
>> By bugtracking this afternoon on some customer site, I learned that the
>> target parameter dictates it as well. Might be sensible for other vhosts
>> on the same box, but why does something like
>> https://mysp.example.de/Shibboleth.sso/Login?target=http://www.google.de
>> create, in the SAML Request, an ACS URL of
>> http://www.google.de/Shibboleth.sso/SAML2/POST? Just asking...The IdP
>> turns it down of course, but I had expected the real ACS URL in the
>> request, and the SP redirecting to Google after AuthN.
> Because otherwise you end up with a loop when the ACS and final resource
> don't share cookies. 
Don't get me wrong, I'm not expecting google and mysp sharing cookies ;)
- and why should they loop back to me?

> Rationalizing based on target prevents hard to
> diagnose errors by turning them into a simpler one (or in the case of a
> typical situation, actually prevents the errors outright by issuing the
> correct request).
In this case I was rewarded with a (Shibboleth) IdP error that told me
nothing, without having access to its logs. But yeah, I saw the wrong
ACS URL in the SAMLTracer then, and wondered... out of curiosity, how is
this "rationalizing based on targets" actually done, how do you compute
that funny URL?

> There are also settings to limit off-host redirects, but I don't recall
> when they come into play. They may prevent feeding in a target like that,
> but I'm not certain.
Given these settings, wouldn't it be sensible to rather put the real ACS
URL into the Request?

Cheers,
Martin

> -- Scott

-- 
Dr. Martin Haase, Solutions Engineer

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-6
fax:   +49 7071 407109-9
email: martin.haase at daasi.de
web:   www.daasi.de

Registered office: Tübingen
Commercial register: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz

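The following is an added example (not Shibboleth's own code) that makes the behaviour discussed above concrete: it derives the ACS URL from the scheme and host of the `target` parameter, as Scott describes, so `target=http://www.google.de` yields `http://www.google.de/Shibboleth.sso/SAML2/POST`, and it models the "limit off-host redirects" setting by rejecting targets on another host unless that is explicitly allowed. The function name, the `allow_off_host` flag and the treatment of relative targets are assumptions; only the handler path comes from the thread.

```python
from urllib.parse import urlsplit, urlunsplit

# ACS handler path seen in the SAML request quoted in the thread
HANDLER_PATH = "/Shibboleth.sso/SAML2/POST"


def derive_acs_url(server_name, target=None, allow_off_host=False):
    """Return the ACS URL an SP would put into its AuthnRequest.

    server_name:    the SP's own base URL (the ServerName/UseCanonicalName case)
    target:         optional ?target= value from the session initiator
    allow_off_host: stand-in for a policy that permits off-host targets
                    (assumption: models the "limit off-host redirects" setting)

    Assumption: the ACS is "rationalized" from the target's scheme and host,
    as described in the thread; this illustrates that idea, it is not the
    SP's real algorithm.
    """
    own = urlsplit(server_name)
    if not own.scheme or not own.netloc:
        raise ValueError("server_name must be an absolute http(s) URL")
    self_acs = urlunsplit((own.scheme, own.netloc, HANDLER_PATH, "", ""))

    # No target: the request is self-referential, so ServerName wins.
    if target is None:
        return self_acs

    tgt = urlsplit(target)
    # Relative target (e.g. /secure/app): it lives on the SP's own vhost.
    if not tgt.scheme and not tgt.netloc:
        return self_acs
    if tgt.scheme not in ("http", "https") or not tgt.hostname:
        raise ValueError("target must be a relative path or absolute http(s) URL")

    # Off-host target: reject unless policy allows it, so a mistyped or
    # foreign target is caught here rather than as an opaque IdP error.
    if tgt.hostname.lower() != own.hostname.lower() and not allow_off_host:
        raise ValueError("off-host target rejected: %s" % tgt.hostname)

    # Same host (or off-host explicitly allowed): ACS follows the target.
    return urlunsplit((tgt.scheme, tgt.netloc, HANDLER_PATH, "", ""))


if __name__ == "__main__":
    sp = "https://mysp.example.de"
    print(derive_acs_url(sp))
    print(derive_acs_url(sp, "http://www.google.de", allow_off_host=True))
```

With the default policy the google target raises `ValueError` instead of producing an ACS URL the IdP would turn down anyway.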
