Shibboleth IdP setting issuer as AudienceRestriction

Alain O'Dea alain.odea at gmail.com
Thu Jun 11 10:06:30 EDT 2015


I am putting together a proof of concept of SAML authentication.

I have Shibboleth IdP configured and working with TestShib.

I have been working with the example app in
https://github.com/onelogin/java-saml to accept the SAML tokens.  So far I
have disabled assertion encryption since their library doesn't support it.

It has a SAML SP at http://localhost:8080/index.jsp that redirects to my
Shibboleth IdP and receives the SAML token at
http://localhost:8080/consume.jsp.  The workflow appears to work in that the SP
redirects correctly to the IdP, the login form appears, I authenticate, and
am redirected with a SAML token to http://localhost:8080/consume.jsp.

It almost works but the SAML token has an AudienceRestriction of
http://localhost:8080/index.jsp which is the issuer, not the consumer.  The
saml-java SP rejects this.

Is saml-java doing something incorrect?  How do I get Shibboleth IdP to set
the AudienceRestriction to http://localhost:8080/consume.jsp?

Thanks,
Alain
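
Added example, not part of the original message and not code from java-saml or Shibboleth: in the SAML 2.0 Web SSO profile the Audience value is compared with the SP's entity ID (the Issuer of its AuthnRequest), while the assertion consumer URL is compared with the Recipient attribute of SubjectConfirmationData. The class name, the constructed assertion and the expected values passed in main are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AudienceCheck {
    static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed sample: trimmed, unsigned assertion carrying the two URLs from the post.
    static final String SAMPLE = "<a:Assertion xmlns:a='" + NS + "'><a:Subject><a:SubjectConfirmation>"
        + "<a:SubjectConfirmationData Recipient='http://localhost:8080/consume.jsp'/>"
        + "</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>"
        + "<a:Audience>http://localhost:8080/index.jsp</a:Audience>"
        + "</a:AudienceRestriction></a:Conditions></a:Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the SP-side parser cannot be used for XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Returns failed checks (empty = addressed to this SP). Assumes one AudienceRestriction, signature verified elsewhere.
    static List<String> check(Document doc, String spEntityId, String acsUrl) {
        List<String> errors = new ArrayList<>();
        NodeList audiences = doc.getElementsByTagNameNS(NS, "Audience");
        boolean audienceOk = false;
        for (int i = 0; i < audiences.getLength(); i++) {
            audienceOk |= spEntityId.equals(audiences.item(i).getTextContent().trim());
        }
        if (!audienceOk) errors.add("no Audience equals SP entity ID " + spEntityId);
        NodeList scd = doc.getElementsByTagNameNS(NS, "SubjectConfirmationData");
        boolean recipientOk = scd.getLength() > 0;
        for (int i = 0; i < scd.getLength(); i++) {
            recipientOk &= acsUrl.equals(((Element) scd.item(i)).getAttribute("Recipient"));
        }
        if (!recipientOk) errors.add("Recipient does not equal ACS URL " + acsUrl);
        return errors;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE);
        // Expected audience = entity ID (index.jsp), then expected audience = ACS URL (consume.jsp).
        System.out.println(check(doc, "http://localhost:8080/index.jsp", "http://localhost:8080/consume.jsp"));
        System.out.println(check(doc, "http://localhost:8080/consume.jsp", "http://localhost:8080/consume.jsp"));
    }
}
```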