Unsolicited SSO questions

Peter Schober peter.schober at univie.ac.at
Fri May 29 06:36:49 EDT 2015

* Johan Romin <johan.romin at egbs.se> [2015-05-29 09:45]:

> So now I will try to explain my issue once again a bit more verbose.

We're all clear about it here.

> This stops shibboleth on the unsolicited servlet and stating that
> the authn request isn't signed on my end. I cannot find how I change
> that my authn is signed by the idp.

There is no "my authn [request]" and it cannot be signed by the IDP
(it would have to be signed by the SP but ...)
Several people have explained this to you already.

> I've read the earlier mail threads and those issues are similar but
> not the same as mine, if I change the metadata on my idp and change
> authnrequestsigned="false" the idp forwards the request to the
> service provider which then is unable to verify the saml response.

I (and others) have told you this before, so it's probably pointless
saying it again, but since what the SP says doesn't make any sense and
is impossible, you change the metadata as indicated and start working
with the SP on the actual problem -- whatever it is!

"Unable to verify the saml response" is what you want them to fix.

That is your/their problem, you can ignore everything else here.

> I am no expert on these things but I think I have missed something
> in the configuration or misunderstood something I need to setup to
> get this to work.

No. There is nothing in the current Shibboleth IDP source code that
magically enables the software to do things which are *impossible* and
*nonsensical* *semantically*. Feel free to file a bug for this lack of

* Johan Romin <johan.romin at egbs.se> [2015-05-29 11:48]:
> Thank you for the input. I have tried path 3 to change the
> WantAssertionsSigned but now the sp isn't able to validate my
> assertion.

Then start working with the SP on that issue, as that's the only
technical issue here.

> Is it possible to get the idp to sign the request instead of the sp
> and as such get this to work?

No, and I have explained that to you before.

*I* should be the one refusing to read and answer your HTML-only
emails. Instead you seemingly chose to ignore my replies when I spent
the time to remove bogus HTML tags from your posts and patiently
explain why that doesn't make any sense, in order to help you solve
your problem, at no cost.
That's what I get from even reading such posts...