understanding response to SOAP attribute query
Nate Klingenstein
ndk at internet2.edu
Wed Oct 22 20:25:41 EDT 2014
David,
I think that you're encountering a bug:
90 if (requestContext.getProfileConfiguration() == null) {
91 String msg = "SAML 2 Attribute Query profile is not configured for relying party "
92 + requestContext.getInboundMessage();
93 requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.REQUEST_DENIED_URI,
94 msg));
95 log.warn(msg);
96 samlResponse = buildErrorResponse(requestContext);
97 } else {
getInboundMessage should probably be getInboundMessageIssuer. I don't know why you're hitting that code path and others aren't, though. That's where I'd start looking for actual resolution.
Hope this helps,
Nate.
On Oct 22, 2014, at 5:51 PM, David Bantz <dabantz at alaska.edu> wrote:
> After successful authN and SAML response to a vendor SP, the SP disregards the attributes, immediately issuing the following attribute query using the (correct) transient ID sent in the first response:
>
> 15:23:35.546 - DEBUG [PROTOCOL_MESSAGE:113] -
> <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
> <SOAP-ENV:Body>
> <samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://howkan.alaska.edu/idp/profile/SAML2/SOAP/AttributeQuery" ID="_E6F1CF2094EFD85C586B0D8CD0329282" IssueInstant="2014-10-22T23:23:35Z" Version="2.0">
> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt</saml:Issuer>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference URI="#_E6F1CF2094EFD85C586B0D8CD0329282">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>
> </Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>tAShZ+t+fHp3JdnLtUPjWp1M1bM=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>Tdxbes8Tb5wIOC3tarmg79ZPGtBJXROxoyLwT4AdDXatqLOZL2l8N8QBNlExoIhgWaL0mpGWT847yZvFYNr8oe7adiJ2JlIA4xoNI159xzdr9DJ7D1KjM0k2XtqiObZZM+kFSMW0Q6I2Hhc8ku6+GqF4ZZxP94aWKcpn5WVCxozphzU+XwOCAmJwoNwnCVsROI8aukJFT4Mn9/+jdXwo/3YUqAHIRuESACVNuaDME7mzmycQJyl63o4OmSVpphR+gqe/Eec/of9twy2W/vBmfCZBwfFNjryR7ZYdnpCV+Usq+jTx+jjfbhyu4oJdL5oleyPw7zzxWh5j6DeF0sSiBg==</SignatureValue>
> <KeyInfo>
> <X509Data>
> <X509Certificate>...</X509Certificate>
> </X509Data>
> </KeyInfo>
> </Signature>
> <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="urn:mace:incommon:alaska.edu" SPNameQualifier="https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt">_8e5887f31d16ec94f0dffb69c75b6213</saml:NameID>
> </saml:Subject>
> </samlp:AttributeQuery>
> </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
>
> My IdP logs show the following WARN:
>
> WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler:95] - SAML 2 Attribute Query profile is not configured for relying party org.opensaml.ws.soap.soap11.impl.EnvelopeImpl@2af94feb
>
> And then issues a corresponding SAML response:
>
> DEBUG [PROTOCOL_MESSAGE:74] -
> <?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
> <soap11:Body>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f0faf266e14efe840ba8f2a25a32b313" InResponseTo="_E6F1CF2094EFD85C586B0D8CD0329282" IssueInstant="2014-10-22T23:23:35.550Z" Version="2.0">
> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:alaska.edu</saml2:Issuer>
> <saml2p:Status>
> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
> </saml2p:StatusCode>
> <saml2p:StatusMessage>SAML 2 Attribute Query profile is not configured for relying party org.opensaml.ws.soap.soap11.impl.EnvelopeImpl@2af94feb</saml2p:StatusMessage>
> </saml2p:Status>
> </saml2p:Response>
> </soap11:Body>
> </soap11:Envelope>
>
>
> It’s certainly true that there is no such relying party as org.opensaml.ws.soap.soap11.impl.EnvelopeImpl@2af94feb in my configuration.
> Should there be? Where did that relying party name come from?
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
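The exchange quoted above, parsed by an added example that is not part of this thread or of the Shibboleth code: it reads abridged copies of David's AttributeQuery and the IdP's Response (SignatureValue, KeyInfo, Destination, IssueInstant and the algorithm elements dropped, nothing else changed), pulls out the Issuer, the NameID qualifiers and the two-level status, checks the correlation the relying-party lookup depends on, and flags that the error names a Java object rather than the Issuer entityID. It checks only that the signature Reference points at the query; it does not verify the signature. Standard library only.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Abridged copies of the two messages quoted in the thread (SignatureValue, KeyInfo,
# Destination, IssueInstant and the c14n/algorithm elements dropped, nothing else changed).
QUERY = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_E6F1CF2094EFD85C586B0D8CD0329282" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI="#_E6F1CF2094EFD85C586B0D8CD0329282"/></SignedInfo></Signature>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="urn:mace:incommon:alaska.edu" SPNameQualifier="https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt">_8e5887f31d16ec94f0dffb69c75b6213</saml:NameID></saml:Subject>
</samlp:AttributeQuery></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
RESPONSE = """<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Body>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f0faf266e14efe840ba8f2a25a32b313" InResponseTo="_E6F1CF2094EFD85C586B0D8CD0329282" Version="2.0">
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/></saml2p:StatusCode>
<saml2p:StatusMessage>SAML 2 Attribute Query profile is not configured for relying party org.opensaml.ws.soap.soap11.impl.EnvelopeImpl@2af94feb</saml2p:StatusMessage></saml2p:Status>
</saml2p:Response></soap11:Body></soap11:Envelope>"""

def last_token(urn):  # 'urn:oasis:names:tc:SAML:2.0:status:Responder' -> 'Responder'
    return urn.rsplit(":", 1)[-1]

def diagnose(query_xml, response_xml):
    """Correlate a SOAP AttributeQuery with the Response it drew and list what looks wrong."""
    q = ET.fromstring(query_xml).find("soap:Body/samlp:AttributeQuery", NS)
    r = ET.fromstring(response_xml).find("soap:Body/samlp:Response", NS)
    issuer = q.findtext("saml:Issuer", namespaces=NS).strip()   # the SP entityID
    nameid = q.find("saml:Subject/saml:NameID", NS)
    ref = q.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    top = r.find("samlp:Status/samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS)                      # second-level code, optional
    message = r.findtext("samlp:Status/samlp:StatusMessage", namespaces=NS) or ""
    findings = []
    if r.get("InResponseTo") != q.get("ID"):
        findings.append("Response does not correlate with the query ID")
    if ref is None or ref.get("URI") != "#" + q.get("ID"):
        findings.append("query signature does not cover the AttributeQuery element")
    if nameid.get("SPNameQualifier") != issuer:
        findings.append("transient NameID was not qualified to the querying SP")
    if last_token(top.get("Value")) != "Success":
        findings.append("IdP returned %s/%s" % (last_token(top.get("Value")),
                                                 last_token(sub.get("Value")) if sub is not None else "-"))
    # The symptom Nate points at: the error names a Java object, not the Issuer entityID.
    if "relying party" in message and issuer not in message:
        findings.append("error names '%s' instead of the Issuer %s" % (message.rsplit(" ", 1)[-1], issuer))
    return {"issuer": issuer, "nameid_format": last_token(nameid.get("Format")), "findings": findings}
```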