SAML 1.1 IdP connecting to Shibboleth SP

Matthew Vliet matt.vliet at gmail.com
Wed Nov 26 17:11:24 EST 2014


I'm currently trying to connect a SAML 1.1 based IdP (Jasig CAS) to our
existing Shibboleth 2.5 SP and having some issues with configuration on the
SP side.  Any help or pointers to the correct docs is greatly appreciated.

tl;dr Is it possible to configure a Shibboleth SP to accept SAML 1.1
Artifact based logins where the Issuer is not the address of the IdP server?



I am using https://my-sp in place of my actual SP server address for all
examples.  https://localhost:8443 is the correct address for the IdP, as I
am running a development server to test against at the moment.

The IdP is initiating SSO via Browser Artifact with a url of the form:

https://localhost:8443/cas/login?TARGET=https://my-sp/Shibboleth.sso/SAML/Artifact


I have written a metadata file for the SAML1.1 IdP as follows:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-01-01T00:00:00Z" entityID="https://localhost:8443">
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol">
        <KeyDescriptor>
              <!-- SNIP -->
        </KeyDescriptor>

        <ArtifactResolutionService index="1"
            Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
            Location="https://localhost:8443/cas/samlValidate?TARGET=https://my-sp/Shibboleth.sso/SAML/Artifact"/>

        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

        <!-- snip -->

    </IDPSSODescriptor>
</EntityDescriptor>



If the entityID is of the form "https://localhost:8443", then it will
correctly match the metadata to the artifact and successfully complete the
SOAP artifact resolution and return a SAML assertion such as:

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2014-11-25T09:20:46.857Z" MajorVersion="1" MinorVersion="1"
Recipient="https://my-sp/Shibboleth.sso/SAML/Artifact"
ResponseID="_b8c3e1fc01d31c8b40454ba9d50174ab">
      <saml1p:Status>
        <saml1p:StatusCode Value="saml1p:Success"/>
      </saml1p:Status>
      <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_86624c275508dd631176992019173f52"
IssueInstant="2014-11-25T09:20:46.857Z" Issuer="localhost" MajorVersion="1"
MinorVersion="1">
        <saml1:Conditions NotBefore="2014-11-25T09:20:46.857Z"
NotOnOrAfter="2014-11-25T09:21:16.857Z">
          <saml1:AudienceRestrictionCondition>
            <saml1:Audience>https://my-sp/Shibboleth.sso/SAML/Artifact</saml1:Audience>
          </saml1:AudienceRestrictionCondition>
        </saml1:Conditions>
        <saml1:AuthenticationStatement
AuthenticationInstant="2014-11-25T09:20:45.819Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
          <saml1:Subject>
            <saml1:NameIdentifier>casuser</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
        </saml1:AuthenticationStatement>
      </saml1:Assertion>
    </saml1p:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


As you can see in the above assertion, the issuer is "localhost".  This
does not match the entityID, and the login will be rejected with an error
message of:

2014-11-26 04:50:39 DEBUG XMLTooling.SOAPClient [2]: received XML:
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response
xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2014-11-26T04:49:55.453Z" MajorVersion="1" MinorVersion="1"
Recipient="https://my-sp/Shibboleth.sso/SAML/Artifact"
ResponseID="_5c4ff68cb15ae64e0114e44c36ed27ab"><saml1p:Status><saml1p:StatusCode
Value="saml1p:Success"/></saml1p:Status><saml1:Assertion
xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="_8f6ef07740a898cfe6a8086505d1b5d5"
IssueInstant="2014-11-26T04:49:55.453Z" Issuer="localhost" MajorVersion="1"
MinorVersion="1"><saml1:Conditions NotBefore="2014-11-26T04:49:55.453Z"
NotOnOrAfter="2014-11-26T04:50:25.453Z"><saml1:AudienceRestrictionCondition><saml1:Audience>
https://my-sp/Shibboleth.sso/SAML/Artifact</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
AuthenticationInstant="2014-11-26T04:49:54.460Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>casuser</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
2014-11-26 04:50:39 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]:
evaluating message flow policy (replay checking on, expiration 60)
2014-11-26 04:50:39 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]:
evaluating message flow policy (replay checking on, expiration 60)
2014-11-26 04:50:39 DEBUG XMLTooling.StorageService [2]: inserted record
(_5c4ff68cb15ae64e0114e44c36ed27ab) in context (MessageFlow) with
expiration (1416977635)
2014-11-26 04:50:39 DEBUG Shibboleth.SSO.SAML1 [2]: processing message
against SAML 1.x SSO profile
2014-11-26 04:50:39 DEBUG Shibboleth.SSO.SAML1 [2]: extracting issuer from
SAML 1.x assertion
2014-11-26 04:50:39 WARN Shibboleth.SSO.SAML1 [2]: detected a problem with
assertion: An Issuer was supplied that conflicts with previous results.


If I change the entityID in the metadata above to be "localhost" (the same
as the issuer), then the login will fail immediately after getting the
artifact with an error message of:

2014-11-26 21:16:07 DEBUG OpenSAML.MessageDecoder.SAML1Artifact [1]:
attempting to determine source of artifact(s)...
2014-11-26 21:16:07 ERROR OpenSAML.MessageDecoder.SAML1Artifact [1]:
metadata lookup failed, unable to determine issuer of artifact
(0x000152b0f60090d28de8c6f443a2e2f03f206b0aed2c03d80cf76946cd6768a04b71482f25d4f6265d14)


Is what I'm doing possible?  If so, what is the correct way to specify the
metadata of the IdP?
Can you specify the entityID in the Artifact URL when sending the artifact?


Cheers,
Matthew
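The two failures in the post come from two lookups the SP performs on an artifact login: first it maps the artifact's 20-byte SourceID to an entityID in metadata, then it requires the assertion's Issuer to name that same entity. The following is an added, constructed example (not from the post, Shibboleth or CAS) that reproduces both checks in Python; it assumes the default SourceID derivation, SHA-1 over the provider's entityID, and uses the artifact value from the log above plus a constructed cut-down response and example entityIDs.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Constructed sample: the response shape from the post cut down to what the
# issuer check reads, with Issuer="localhost" as in the real one.
SAMPLE_RESPONSE = ('<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">'
                   '<saml1:Assertion xmlns:saml1="%s" Issuer="localhost" MajorVersion="1"'
                   ' MinorVersion="1"/></saml1p:Response>' % SAML1_NS)

def parse_saml1_artifact(artifact):
    """Split a type 0x0001 artifact (base64 as sent in SAMLart, or the 0x-hex
    form the SP logs) into (type_code, source_id, assertion_handle)."""
    raw = bytes.fromhex(artifact[2:]) if artifact.startswith("0x") else base64.b64decode(artifact)
    if len(raw) != 42:
        raise ValueError("type 0x0001 artifact must be 42 bytes, got %d" % len(raw))
    type_code = int.from_bytes(raw[:2], "big")
    if type_code != 1:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return type_code, raw[2:22], raw[22:]

def source_id_for(entity_id):
    """Assumed default SourceID derivation: SHA-1 over the issuing provider's ID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def build_saml1_artifact(entity_id, handle):
    """Assemble a type 0x0001 artifact for a given issuer (used for test input)."""
    assert len(handle) == 20, "assertion handle is 20 bytes"
    return base64.b64encode(b"\x00\x01" + source_id_for(entity_id) + handle).decode()

def resolve_artifact_issuer(artifact, entity_ids):
    """Map the artifact's SourceID to an entityID known from metadata; None is
    the SP's 'unable to determine issuer of artifact' case."""
    _, source_id, _ = parse_saml1_artifact(artifact)
    return next((e for e in entity_ids if source_id_for(e) == source_id), None)

def assertion_issuer(response_xml):
    """Issuer attribute of the first saml1:Assertion in a SAML 1.1 Response."""
    assertion = ET.fromstring(response_xml).find(".//{%s}Assertion" % SAML1_NS)
    return None if assertion is None else assertion.get("Issuer")

def issuer_consistent(artifact, entity_ids, response_xml):
    """Both checks from the post's logs in order: the artifact must resolve to
    a metadata entity, and the assertion's Issuer must name that same entity
    (else 'An Issuer was supplied that conflicts with previous results')."""
    resolved = resolve_artifact_issuer(artifact, entity_ids)
    return resolved is not None and assertion_issuer(response_xml) == resolved
```

With the post's two configurations, an entityID of "https://localhost:8443" passes the first check but fails the second against Issuer="localhost", while an entityID of "localhost" fails the first unless the IdP also derives its SourceID from that same string.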