IDP03 unsolicited sso support
Alexander Galilov
alexander.galilov at gmail.com
Thu May 7 11:49:56 EDT 2015
Salesforce provided metadata:
...
<md:SPSSODescriptor AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
...
I changed AuthnRequestsSigned to false and got the Shibboleth logon page by
going to
https://iis.authasas.local/idp/profile/SAML2/Unsolicited/SSO?providerId=https://authtest.my.salesforce.com
Now I have another issue from the Salesforce SAML validator:
Subject:
AAdzZWNyZXQxKb+vKRzExCggvlsBj11cPO1e4b8KwJYq42uI5hcOaLP04CqFfzHS3zmHQiOPqvg5F9kn9oKHG1Ec0g88Mt0QlgImEP3lwJ3tHK75bi9yE8S/2RFQIoEMAg1wNZmeA7DG2+HI
Unable to map the subject to a Salesforce.com user
AssertionId: _57a74f9acf0ac809af03319e395d1a50
Now I am working on this issue.
2015-05-07 16:55 GMT+03:00 Cantor, Scott <cantor.2 at osu.edu>:
> On 5/7/15, 9:32 AM, "Peter Schober" <peter.schober at univie.ac.at> wrote:
>
> >* Alexander Galilov <alexander.galilov at gmail.com> [2015-05-07 14:56]:
> >> 2015-05-07 15:49:33,070 - ERROR
> >> [org.opensaml.saml.saml2.binding.security.impl.SAML2AuthnRequestsSignedSecurityHandler:75]
> >> - SPSSODescriptor for entity ID 'https://authtest.my.salesforce.com'
> >> indicates AuthnRequests must be signed, but inbound message was not signed
> >
> >If that vendor indeed communicates (via SAML metadata) that the
> >authentication requests it generates need to be signed by it, then
> >they better start generating authentication requests.
> >I'd open a support request for them to get SP-initiated SSO working,
> >instead of messing around with IDP-initiated.
>
> Salesforce *is* SP initiated, it works as well as any other bad
> implementation. I believe their metadata is broken and indicates it's going
> to sign the requests, but doesn't. That's certainly the cause of the error
> anyway, which should be pretty self-evident.
>
> -- Scott
>
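The mismatch discussed in this thread (SP metadata declaring AuthnRequestsSigned="true" while the inbound message carries no signature) can be checked offline before touching the IdP. The sketch below is an added example, not code from the thread or from Shibboleth; the metadata document is constructed from the attributes quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY = "https://authtest.my.salesforce.com"

# Constructed metadata: only the attributes quoted in the thread are real.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="{ENTITY}">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# URL from the thread: the unsolicited endpoint carries providerId only.
UNSOLICITED_URL = ("https://iis.authasas.local/idp/profile/SAML2/Unsolicited/SSO"
                   "?providerId=https://authtest.my.salesforce.com")

def requires_signed_requests(metadata_xml, entity_id):
    """True if the SP's metadata says its AuthnRequests are signed."""
    root = ET.fromstring(metadata_xml)  # use only on metadata you obtained yourself
    # iter() also yields the root, so a bare EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") == entity_id:
            sp = ent.find(f"{{{MD}}}SPSSODescriptor")
            # xs:boolean accepts "true" or "1"; an absent attribute means false.
            return sp is not None and sp.get("AuthnRequestsSigned", "false") in ("true", "1")
    raise LookupError(f"no metadata for {entity_id}")

def redirect_request_is_signed(url):
    """HTTP-Redirect binding puts the signature in SigAlg/Signature query
    parameters. Presence only; this does not verify the signature."""
    query = parse_qs(urlparse(url).query)
    return "Signature" in query and "SigAlg" in query

def check(metadata_xml, entity_id, url):
    """Reproduce the decision reported in the quoted ERROR line."""
    if requires_signed_requests(metadata_xml, entity_id) and not redirect_request_is_signed(url):
        return "reject: metadata demands signed AuthnRequests, inbound message unsigned"
    return "accept"

if __name__ == "__main__":
    print(check(SP_METADATA, ENTITY, UNSOLICITED_URL))
    relaxed = SP_METADATA.replace('AuthnRequestsSigned="true"', 'AuthnRequestsSigned="false"')
    print(check(relaxed, ENTITY, UNSOLICITED_URL))
```

Setting AuthnRequestsSigned to false in the IdP's local copy of the metadata resolves the mismatch by dropping the requirement, so the IdP then accepts unsigned requests for that entity ID.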