SP Redirects straight to XML instead of IDP Authentication Page

Peter Schober peter.schober at univie.ac.at
Mon Nov 17 15:44:18 EST 2014


* Mohammad Rahman <mrahman at brookdalecc.edu> [2014-11-17 21:25]:
> I have the SP metadata inside the ChainingMetadataProvider in my relaying-party.xml file as:
> 
> <MetadataProvider xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" id="NetPartner">
>   <EntityDescriptor entityID="NetPartner" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
>     <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>       <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>         Location="https://finaid.brookdalecc.edu/NetPartner/NetPartnerStudent/Logon.aspx" />
>     </SPSSODescriptor>
>   </EntityDescriptor>
> </MetadataProvider>

You can't just paste SAML metadata into your relying-party.xml.
Try the documentation: put the metadata into a file on the file
system and reference it from within relying-party.xml:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider#IdPMetadataProvider-FilesystemMetadataProvider

Once that's done and the container restarted, what will then happen is
that when trying to log in to that SP the IDP will fail with an error
that it cannot encrypt the SAML assertion to the SP, because the SP is
lacking a public key in SAML metadata.

To work around that (and continue sending them unencrypted data)
you'll need to add a RelyingParty element in relaying-party.xml, with
a ProfileConfiguration that overrides the default, setting
encryptAssertions to false.
-peter
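The two changes described in the reply, put together as an added example of a relying-party.xml fragment for a Shibboleth IdP 2.x (this is not configuration from the original thread or from the Shibboleth project): the SP metadata is moved out of the file and loaded through a FilesystemMetadataProvider, and a RelyingParty override for the "NetPartner" entityID turns assertion encryption off. The metadata file path, the IdP's own entityID and the credential ref are assumed placeholders; the surrounding RelyingPartyGroup and other providers in a real file are omitted.

```xml
<!-- Fragment of /opt/shibboleth-idp/conf/relying-party.xml (IdP 2.x namespaces).
     Added example; paths and entityIDs other than "NetPartner" are assumed. -->

<!-- 1. Metadata: reference a file instead of inlining the EntityDescriptor.
        The file holds the SP's <EntityDescriptor entityID="NetPartner"> as posted. -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
  <metadata:MetadataProvider id="NetPartner"
                             xsi:type="metadata:FilesystemMetadataProvider"
                             metadataFile="/opt/shibboleth-idp/metadata/netpartner-metadata.xml" />
</metadata:MetadataProvider>

<!-- 2. Per-SP override: the IdP would otherwise fail at login because the SP's
        metadata carries no KeyDescriptor to encrypt the assertion to.
        Setting encryptAssertions="never" sends the assertion in the clear;
        in IdP 2.x these attributes take never / conditional / always. -->
<rp:RelyingParty id="NetPartner"
                 provider="https://idp.example.edu/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential">
  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                           includeAttributeStatement="true"
                           assertionLifetime="PT5M"
                           assertionProxyCount="0"
                           signResponses="never"
                           signAssertions="always"
                           encryptAssertions="never"
                           encryptNameIds="never" />
</rp:RelyingParty>
```

The override is scoped to the one entityID, so the DefaultRelyingParty keeps encrypting for every other SP. Because the assertion now travels unencrypted through the browser, the preferable fix, where the SP can supply a certificate, is to add a `<KeyDescriptor use="encryption">` with the SP's certificate to netpartner-metadata.xml and leave encryptAssertions at its default.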