idpv3.2.1 issues with overdrive.com/libraryreserve.com

Rich Graves rgraves at carleton.edu
Mon Dec 21 22:26:13 EST 2015


Have other idpv3 sites found workarounds necessary for overdrive.com aka libraryreserve.com?

My test idp3.2.1 seems to be working with every SP except this one. The SP works with idpv2. The response that v3 gets is:

ErrorType=340&details=The+signature+on+the+SAMLresponse+does+not+match+the+expected+value.

Things I've tried:

- Force SHA1 instead of SHA256 digests with shibboleth.SigningConfiguration.SHA1 scoped to specific SPs
  - I followed the directions at /confluence/display/IDP30/SecurityConfiguration and it "works" in that I see <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> and if I force other SPs to use SHA1 instead of SHA256, I can log on to them
- Fiddle with attribute release and NameIDs
  - They "should" be fine with transientId and I am sending the same attributes

Observation: idpv3 transientIds are much longer, AAdzZWNyZXQx3A/wlRuqn8bbFDLYcUniAlGBSfrAkhqqCmB8fXImNo6r+2hwVemgErP92TNT83kpb+aWztJ3cGbZdGSSmmFGzMKORHCPPmj9VGxj6NHDkcj1a3IUS7nB5dJTzamyT9R9UIzTMvImntLvE2Xjyg/XhWifaL18d3/ZGkm4yz5CbbG36D3SGDrjaNJ73P+JOQ== versus _c764d8341964b9b3cea5045b4b50e2e8.
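
An added diagnostic sketch, not part of the original message: it reads a decoded SAML response and reports, for each ds:Signature, the hash used by SignatureMethod alongside the hash used by DigestMethod, since the two are set by separate elements. The sample response is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (not a real IdP response): the digest is SHA-1 while
# the signature method is RSA-SHA256. This combination is an assumption.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        </ds:Reference>
      </ds:SignedInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def hash_name(uri):
    """Return the hash family named at the end of an XML-DSig algorithm URI."""
    tail = uri.rsplit("#", 1)[-1].lower()
    for h in ("sha512", "sha384", "sha256", "sha1"):
        if tail.endswith(h):
            return h
    return "unknown"

def signature_algorithms(xml_text):
    """One record per ds:Reference: signed element, signature hash, digest hash."""
    found = []
    for parent in ET.fromstring(xml_text).iter():
        for sig in parent.findall("ds:Signature", NS):
            sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
            for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
                dm = ref.find("ds:DigestMethod", NS)
                found.append({"signed": parent.tag.split("}")[-1],
                              "reference": ref.get("URI"),
                              "signature_hash": hash_name(sm.get("Algorithm")),
                              "digest_hash": hash_name(dm.get("Algorithm"))})
    return found

def mismatches(xml_text):
    """Records whose signature and digest methods name different hashes."""
    return [s for s in signature_algorithms(xml_text)
            if s["signature_hash"] != s["digest_hash"]]

if __name__ == "__main__":
    for record in signature_algorithms(SAMPLE):
        print(record)
```

Feed it the base64-decoded SAMLResponse from a test login against your own IdP; xml.etree does not defend against hostile XML, so keep it to responses you generated yourself.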

