Shibboleth SP and ADFS

Cantor, Scott cantor.2 at
Tue Apr 5 15:51:43 EDT 2016

On 4/5/16, 3:40 PM, "users on behalf of Scott Severtson" <users-bounces at on behalf of ssevertson at> wrote:

>Would this be enough from our signature debug log? I've attached the client's metadata as well.

It's enough for me to spot that there's no AuthnStatement, so I would guess that's the reason for the problem. I have no idea how an ADFS server would decide to issue an assertion like that, I've never seen it do that. I would guess this isn't ADFS, or maybe it's some feature of the latest version. It seems more likely to be some kind of one off.

I am a little surprised it didn't fail outright somehow, but if the result was essentially that it didn't produce a session that was usable, I can live with that as a result until I can dig into it. Can you say what it seems to be doing from an application perspective?

I have a suspicion I know why it might be doing what it's doing, but the SP is not meant to be accepting that, and it will not in the future, I can tighten it up.

>We're on 2.5.2 because that's the version available in Ubuntu 14.04's package repositories; an upgrade would be a significant challenge. Even the upcoming 16.04 LTS release only packages 2.5.3. Our SP is used by clients from hundreds of universities daily, so we're hesitant to roll our own package at the risk of stability.

If those don't have backported security fixes, they shouldn't be used anyway, but it's important to understand that there are bugs that crop up that I won't spend time on if I have to do the work to reproduce it on a supported platform or version. When I can osmose the issue without doing that (like this one), that's fine, but that isn't always true.

>Would you be willing/able to test it against 2.5.6, just to see if it works with the most recent version?

It wouldn't in this case; you can file a bug indicating that the result of processing the assertion with no AuthnStatement isn't as expected, but it wouldn't get you past this issue, the problem here is with the assertion.

-- Scott
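The diagnosis above turns on whether the assertion carries a saml:AuthnStatement at all. As an added illustration (not code from the thread or from the Shibboleth project), the following Python inspects a SAML 2.0 Assertion and reports which statements it contains; the two sample assertions, their issuer URL and NameID are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace; the checks below only look at this one.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_assertion(xml_text: str) -> dict:
    """Summarise which statements a SAML 2.0 Assertion carries.

    authn_instant and session_index are None when there is no
    AuthnStatement, the condition discussed in the thread.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion: " + root.tag)
    authn = root.findall("saml:AuthnStatement", NS)
    first = authn[0] if authn else None
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "authn_statements": len(authn),
        "attribute_statements": len(root.findall("saml:AttributeStatement", NS)),
        "authn_instant": None if first is None else first.get("AuthnInstant"),
        "session_index": None if first is None else first.get("SessionIndex"),
    }

def session_capable(xml_text: str) -> bool:
    """An SP can only start a login session from an assertion that
    contains at least one AuthnStatement; attributes alone are not enough."""
    return inspect_assertion(xml_text)["authn_statements"] > 0

# Constructed samples (not the assertion from the thread). Issuer and
# NameID are placeholders.
ATTRS_ONLY = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2016-04-05T19:40:00Z">
  <saml:Issuer>http://adfs.example.org/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>user@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with the AuthnStatement an SP expects for a login.
WITH_AUTHN = ATTRS_ONLY.replace("</saml:AttributeStatement>", """</saml:AttributeStatement>
  <saml:AuthnStatement AuthnInstant="2016-04-05T19:39:58Z" SessionIndex="_s1">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>""")

if __name__ == "__main__":
    for label, doc in (("attributes only", ATTRS_ONLY), ("with AuthnStatement", WITH_AUTHN)):
        print(label, inspect_assertion(doc), "session_capable:", session_capable(doc))
```

Run against a decoded assertion from the SP's signature debug log, the first sample reproduces the "no AuthnStatement" shape described above, while the second shows the fields an SP reads to build a session.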
