understanding response to SOAP attribute query

Nate Klingenstein ndk at internet2.edu
Wed Oct 22 20:25:41 EDT 2014


David,

I think that you're encountering a bug:

90     if (requestContext.getProfileConfiguration() == null) {
91         String msg = "SAML 2 Attribute Query profile is not configured for relying party "
92                 + requestContext.getInboundMessage();
93         requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.REQUEST_DENIED_URI,
94                 msg));
95         log.warn(msg);
96         samlResponse = buildErrorResponse(requestContext);
97     } else {

getInboundMessage should probably be getInboundMessageIssuer.  I don't know why you're hitting that code path and others aren't, though.  That's where I'd start looking for actual resolution.

Hope this helps,
Nate.

On Oct 22, 2014, at 5:51 PM, David Bantz <dabantz at alaska.edu> wrote:

> After successful authN and SAML response to a vendor SP, the SP disregards the attributes, immediately issuing the following attribute query using the (correct) transient ID sent in the first response:
> 
> 15:23:35.546 - DEBUG [PROTOCOL_MESSAGE:113] - 
> <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
>    <SOAP-ENV:Body>
>       <samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://howkan.alaska.edu/idp/profile/SAML2/SOAP/AttributeQuery" ID="_E6F1CF2094EFD85C586B0D8CD0329282" IssueInstant="2014-10-22T23:23:35Z" Version="2.0">
>          <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt</saml:Issuer>
>          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <SignedInfo>
>                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                <Reference URI="#_E6F1CF2094EFD85C586B0D8CD0329282">
>                   <Transforms>
>                      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                         <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>
>                      </Transform>
>                   </Transforms>
>                   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                   <DigestValue>tAShZ+t+fHp3JdnLtUPjWp1M1bM=</DigestValue>
>                </Reference>
>             </SignedInfo>
>             <SignatureValue>Tdxbes8Tb5wIOC3tarmg79ZPGtBJXROxoyLwT4AdDXatqLOZL2l8N8QBNlExoIhgWaL0mpGWT847yZvFYNr8oe7adiJ2JlIA4xoNI159xzdr9DJ7D1KjM0k2XtqiObZZM+kFSMW0Q6I2Hhc8ku6+GqF4ZZxP94aWKcpn5WVCxozphzU+XwOCAmJwoNwnCVsROI8aukJFT4Mn9/+jdXwo/3YUqAHIRuESACVNuaDME7mzmycQJyl63o4OmSVpphR+gqe/Eec/of9twy2W/vBmfCZBwfFNjryR7ZYdnpCV+Usq+jTx+jjfbhyu4oJdL5oleyPw7zzxWh5j6DeF0sSiBg==</SignatureValue>
>             <KeyInfo>
>                <X509Data>
>                   <X509Certificate>...</X509Certificate>
>                </X509Data>
>             </KeyInfo>
>          </Signature>
>          <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
>             <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="urn:mace:incommon:alaska.edu" SPNameQualifier="https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt">_8e5887f31d16ec94f0dffb69c75b6213</saml:NameID>
>          </saml:Subject>
>       </samlp:AttributeQuery>
>    </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
> 
> My IdP logs show the following WARN:
> 
> WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.AttributeQueryProfileHandler:95] - SAML 2 Attribute Query profile is not configured for relying party org.opensaml.ws.soap.soap11.impl.EnvelopeImpl@2af94feb
> 
> And then issues a corresponding SAML response:
> 
> DEBUG [PROTOCOL_MESSAGE:74] - 
> <?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap11:Body>
>       <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f0faf266e14efe840ba8f2a25a32b313" InResponseTo="_E6F1CF2094EFD85C586B0D8CD0329282" IssueInstant="2014-10-22T23:23:35.550Z" Version="2.0">
>          <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:incommon:alaska.edu</saml2:Issuer>
>          <saml2p:Status>
>             <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
>                <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
>             </saml2p:StatusCode>
>             <saml2p:StatusMessage>SAML 2 Attribute Query profile is not configured for relying party org.opensaml.ws.soap.soap11.impl.EnvelopeImpl@2af94feb</saml2p:StatusMessage>
>          </saml2p:Status>
>       </saml2p:Response>
>    </soap11:Body>
> </soap11:Envelope>
> 
> 
> It’s certainly true that there is no such relying party as org.opensaml.ws.soap.soap11.impl.EnvelopeImpl@2af94feb in my configuration.
> Should there be?  Where did that relying party name come from?
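The exchange discussed above, worked through as an added example that is not Shibboleth IdP code and not from either poster: a SOAP-wrapped SAML 2.0 AttributeQuery is parsed, the relying party is taken from the saml:Issuer of the query (not from the SOAP envelope, which is what the quoted handler code ends up stringifying), the issuer is looked up in a relying-party table, and the IdP answers either with the nested Responder/RequestDenied status seen in David's log or with a Success status. The sample query is a constructed stand-in for the posted one with the XML Signature and certificate omitted; the RELYING_PARTIES table and the profile name "SAML2AttributeQuery" are hypothetical configuration, and the IdP entityID urn:mace:incommon:alaska.edu is the one in the thread. Signature verification and attribute resolution are outside the scope of the block.

```python
"""Route a SAML 2.0 AttributeQuery (SOAP binding) on its Issuer and build the status response.

Added example, not Shibboleth IdP code. SAMPLE_QUERY is a constructed stand-in
for the query posted to the list (signature elided); RELYING_PARTIES is a
hypothetical configuration table.
"""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed sample modelled on the AttributeQuery in the thread (Signature omitted).
SAMPLE_QUERY = """<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        Destination="https://howkan.alaska.edu/idp/profile/SAML2/SOAP/AttributeQuery"
        ID="_E6F1CF2094EFD85C586B0D8CD0329282" IssueInstant="2014-10-22T23:23:35Z" Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt</saml:Issuer>
      <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
            NameQualifier="urn:mace:incommon:alaska.edu"
            SPNameQualifier="https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt">_8e5887f31d16ec94f0dffb69c75b6213</saml:NameID>
      </saml:Subject>
    </samlp:AttributeQuery>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

# Hypothetical relying-party configuration: entityID -> profiles enabled for it.
# The SP from the thread deliberately has no attribute-query profile here.
RELYING_PARTIES = {
    "https://sp.example.org/shibboleth": {"SAML2SSO", "SAML2AttributeQuery"},
    "https://sp.transactsp.com/shibboleth-sp/mgmt-ualaska-sp.blackboard.com/mgmt": {"SAML2SSO"},
}


def parse_attribute_query(soap_xml):
    """Extract what the IdP needs to route the query. The relying party is the
    saml:Issuer of the AttributeQuery inside the SOAP Body, never the envelope."""
    envelope = ET.fromstring(soap_xml)
    query = envelope.find("soap:Body/samlp:AttributeQuery", NS)
    if query is None:
        raise ValueError("SOAP Body does not carry a samlp:AttributeQuery")
    issuer = query.findtext("saml:Issuer", namespaces=NS)
    name_id = query.find("saml:Subject/saml:NameID", NS)
    if not issuer or name_id is None or not name_id.text:
        raise ValueError("AttributeQuery lacks Issuer or Subject/NameID")
    return {
        "id": query.get("ID"),
        "destination": query.get("Destination"),
        "issuer": issuer.strip(),
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "sp_name_qualifier": name_id.get("SPNameQualifier"),
    }


def build_response(in_response_to, idp_entity_id, top_code, second_code=None, message=None):
    """Serialise a SOAP-wrapped samlp:Response with a (possibly nested) StatusCode."""
    ET.register_namespace("soap11", NS["soap"])
    ET.register_namespace("saml2p", NS["samlp"])
    ET.register_namespace("saml2", NS["saml"])
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    body = ET.SubElement(env, f"{{{NS['soap']}}}Body")
    resp = ET.SubElement(body, f"{{{NS['samlp']}}}Response", {
        "ID": "_" + secrets.token_hex(16),
        "InResponseTo": in_response_to,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
        "Version": "2.0",
    })
    issuer = ET.SubElement(resp, f"{{{NS['saml']}}}Issuer",
                           {"Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"})
    issuer.text = idp_entity_id
    status = ET.SubElement(resp, f"{{{NS['samlp']}}}Status")
    code = ET.SubElement(status, f"{{{NS['samlp']}}}StatusCode", {"Value": top_code})
    if second_code:  # second-level code nests inside the top-level one, as in the thread
        ET.SubElement(code, f"{{{NS['samlp']}}}StatusCode", {"Value": second_code})
    if message:
        ET.SubElement(status, f"{{{NS['samlp']}}}StatusMessage").text = message
    return ET.tostring(env, encoding="unicode")


def read_status(response_xml):
    """Return (top-level code, second-level code or None, StatusMessage or None)."""
    status = ET.fromstring(response_xml).find("soap:Body/samlp:Response/samlp:Status", NS)
    top = status.find("samlp:StatusCode", NS)
    second = top.find("samlp:StatusCode", NS)
    return (top.get("Value"),
            second.get("Value") if second is not None else None,
            status.findtext("samlp:StatusMessage", namespaces=NS))


def handle_attribute_query(soap_xml, idp_entity_id, relying_parties=RELYING_PARTIES):
    """Mirror the decision in the quoted handler: refuse with Responder/RequestDenied
    when the attribute-query profile is not configured for the issuing relying party.
    The message names the Issuer, which is what the handler should have logged."""
    q = parse_attribute_query(soap_xml)
    if "SAML2AttributeQuery" not in relying_parties.get(q["issuer"], set()):
        msg = "SAML 2 Attribute Query profile is not configured for relying party " + q["issuer"]
        return build_response(q["id"], idp_entity_id, STATUS_RESPONDER, STATUS_REQUEST_DENIED, msg)
    # Attribute resolution for q["name_id"] would populate an Assertion here; out of scope.
    return build_response(q["id"], idp_entity_id, STATUS_SUCCESS)


if __name__ == "__main__":
    print(handle_attribute_query(SAMPLE_QUERY, "urn:mace:incommon:alaska.edu"))
```

Run as-is, the script prints a RequestDenied response whose StatusMessage names the SP's entityID rather than a Java object reference; adding "SAML2AttributeQuery" to that SP's entry in RELYING_PARTIES flips the answer to Success.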
