"invalid" EntityID attempting Salesforce-Shibb integration

Brent Putman putmanb at georgetown.edu
Mon Aug 10 21:24:31 EDT 2015

On 8/10/15 8:42 PM, IAM David Bantz wrote:
> I'm attempting to configure a Salesforce application with our
> Shibboleth IdP. The Salesforce SAML configuration page requires
> piecemeal input of the elements of the IdP metadata. Most of the
> requested data is accepted, but the form rejects our institutional
> EntityID as "invalid" apparently because it is in urn:mace:incommon...
> format rather than a URL.

Well, if they require that, they're just wrong. Period. A SAML
entityID is a URI; it is not required to be a URL subtype.

> If not, any suggestions to try?

Other than the obvious - telling them that their software is broken and
making them fix it - I believe both v2 and v3 IdPs can be configured to
respond under a different entityID for particular relying parties.

In the v2 custom schema, it's here [1], the 'provider' attribute on a
RelyingParty element.

In v3, I believe it's 'responderId' on a RelyingPartyConfiguration bean
[2]. Don't know if we have an example in the wiki somewhere; a wiki
search for 'responderId' doesn't turn up anything for me.

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/IdPRelyingParty
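
Added example, not part of the original message or the Shibboleth project's own configuration: a sketch of the v3 per-relying-party override described above, as it would sit in conf/relying-party.xml. Both entityID values are placeholders, and the profile list is an assumption to be replaced with whatever the deployment already uses.

```xml
<!-- conf/relying-party.xml (IdP v3): per-SP overrides list -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!--
      Placeholder values (assumptions, not from the thread):
        c:relyingPartyIds = the SP's entityID exactly as it appears in its metadata
        p:responderId     = the URL-form identifier the IdP presents to this SP only
      Every other relying party keeps the IdP's default entityID.
    -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://sp.example.org/placeholder"
          p:responderId="https://idp.example.edu/idp/shibboleth">
        <property name="profileConfigurations">
            <list>
                <!-- Assumed profile; keep the list already used for this SP -->
                <bean parent="SAML2.SSO" />
            </list>
        </property>
    </bean>

</util:list>
```

The SP must be given the same alternate value as the expected issuer, because responses sent to it will carry that identifier instead of the IdP's registered entityID. The signing key and certificate are unchanged, so the SP still validates signatures against the same IdP credential.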