SAML2 attribute query authentication for IdPv3

Scott Koranda skoranda at gmail.com
Mon Sep 21 10:49:18 EDT 2015


On Mon, Sep 14, 2015 at 9:30 AM, Scott Koranda <skoranda at gmail.com> wrote:

> Hi,
>
> I have deployed Shib IdPv3 3.x to use as a SAML2 attribute
> authority. I have a number of Shib SPs that use an ePPN
> asserted by an IdP to then query the IdPv3 attribute authority
> for more attributes about the user (the attribute authority is
> managed by a research organization). The IdPv3 is deployed in
> the "normal" way for a backchannel configuration--it uses a
> self-signed X.509 certificate as the key and for TLS.
>
> I need to build out an AD FS 3 custom attribute store using
> .NET 4.5 to do the same thing as the Shibboleth SPs and query
> the attribute authority.
>
> Most of that task is straightforward except for how the client
> authenticates to the attribute authority. The issue is best
> explained in this (unanswered) Stack Overflow post:
>
>
> http://stackoverflow.com/questions/19125896/forcing-asp-net-webapi-client-to-send-a-client-certificate-even-when-no-ca-match
>
> So far my experience is that I will not be able to have the
> client do TLS authentication to the IdPv3 SOAP endpoint.
>
> If I decide to try and instead have the client authenticate by
> signing the attribute query, do I need to make any
> configuration changes to the IdPv3, or will this "just work"?
>

For the archive:

The issue was not the one explained in the Stack Overflow link.

While developing code for XML signature authentication to the attribute
authority, the true issue was revealed--the AD FS 3 service had access to
the X.509 certificate in the local machine store but did not have access to
the private key. Giving access to the private key required another manual
step.

After correcting the permission so that the AD FS 3 process had access to
the private key, TLS authentication to the Shib IdPv3-based attribute
authority worked.

Thanks,

Scott K
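Added example (not from the original thread): a PowerShell script that audits, and with -Grant fixes, the private-key permission the post describes, so the AD FS service account can use the machine-store certificate for TLS client authentication. The thumbprint and service account are placeholders, and the key-file locations assumed are the standard CSP (RSA\MachineKeys) and CNG (Keys) folders under ProgramData.

```powershell
# Added example, not from the original post. Audit (and optionally grant) Read
# access on a machine-store certificate's private key for the AD FS service account.
param(
    [string]$Thumbprint     = '<THUMBPRINT-PLACEHOLDER>',   # placeholder
    [string]$ServiceAccount = 'CONTOSO\svc-adfs',           # constructed placeholder
    [switch]$Grant
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in the machine store." }

# Locate the on-disk key file. Legacy CSP keys expose CspKeyContainerInfo; for CNG keys
# (assumed to need .NET 4.6+) fall back to the key's UniqueName under the CNG folder.
$keyFile = $null
try {
    $csp = $cert.PrivateKey            # throws or is null when the key is CNG-only
    if ($csp) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                             $csp.CspKeyContainerInfo.UniqueKeyContainerName
    }
} catch { }
if (-not $keyFile) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
}
if (-not (Test-Path $keyFile)) { throw "Key file not found at $keyFile (assumed store layout)." }

# Audit: an explicit Allow ACE for the service account that covers the full Read mask.
# Group-based grants are not resolved here; the check is for a direct ACE only.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl  = Get-Acl $keyFile
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
}
if ($hasRead) { "OK: $ServiceAccount can read private key $keyFile"; return }

"MISSING: $ServiceAccount has no Read access on $keyFile"
if ($Grant) {
    # Read is all the service needs to use the key for TLS; do not grant FullControl.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on $keyFile to $ServiceAccount"
}
```

Run it once without -Grant to confirm the diagnosis matches the post (certificate present, private key unreadable by the service account), then with -Grant from an elevated session to apply the fix.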