Shibboleth SP and ADFS

Scott Severtson ssevertson at
Tue Apr 5 15:40:52 EDT 2016


Would this be enough from our signature debug log? I've attached the
client's metadata as well.

<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
IssueInstant="2016-04-04T20:52:25.579Z" Version="2.0"><Issuer></Issuer><Subject><NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">cd839 at</NameID><SubjectConfirmation
NotOnOrAfter="2016-04-04T20:57:25.579Z" Recipient=""></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions
cd839 at</AttributeValue></Attribute></AttributeStatement></Assertion>

This message corresponds to the previously provided log output.

We're on 2.5.2 because that's the version available in Ubuntu 14.04's
package repositories; an upgrade would be a significant challenge. Even the
upcoming 16.04 LTS release only packages 2.5.3. Our SP is used by clients
from hundreds of universities daily, so we're hesitant to roll our own
package at the risk of stability.

All our other clients are members of InCommon or other country-specific
federations; this particular client had issues that necessitated us
consuming their own self-published metadata.

Would you be willing/able to test it against 2.5.6, just to see if it works
with the most recent version?

Many thanks,
Scott Severtson
Digital Measures

On Tue, Apr 5, 2016 at 3:09 PM, Cantor, Scott <cantor.2 at> wrote:

> > Has anyone run into the blank session ID issue? Anything else we or they
> > should be doing to debug the problem?
>
> I can't really think offhand how it's possible for that to happen, but it
> would take some code review, and I won't spend that time unless you
> reproduce the issue on the supported version (and then you can feel free to
> file a bug on it).
>
> A full log trace might give me a hint about it. Presumably it's got
> something to do with the message, so that's the place to look.
>
> I would have to run a sample message (without encryption on ideally)
> through the code to debug it, I just need the metadata being used to
> provision a test. With encryption on it would not work unless I had the
> key, so that's not ideal. I don't think it would have any impact on the
> issue whether it's on or off, but if you can't get a non-encrypted test
> from the IdP, that doesn't leave good options apart from generating a dummy
> keypair for a test that you could attach to a bug report.
>
> -- Scott
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FederationMetadata.xml
Type: text/xml
Size: 19453 bytes
Desc: not available
URL: <>
