Shibboleth SP and ADFS

Scott Severtson ssevertson at digitalmeasures.com
Tue Apr 5 17:40:02 EDT 2016


Scott,

Thank you for the insight! This is more than enough for us to pass along to
our client, and ask them to dig in on their side.

Thanks again,
Scott Severtson

On Tue, Apr 5, 2016 at 3:51 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 4/5/16, 3:40 PM, "users on behalf of Scott Severtson" <
> users-bounces at shibboleth.net on behalf of ssevertson at digitalmeasures.com>
> wrote:
>
> > Would this be enough from our signature debug log? I've attached the
> > client's metadata as well.
>
> It's enough for me to spot that there's no AuthnStatement, so I would
> guess that's the reason for the problem. I have no idea how an ADFS server
> would decide to issue an assertion like that, I've never seen it do that. I
> would guess this isn't ADFS, or maybe it's some feature of the latest
> version. It seems more likely to be some kind of one-off.
>
> I am a little surprised it didn't fail outright somehow, but if the result
> was essentially that it didn't produce a session that was usable, I can
> live with that as a result until I can dig into it. Can you say what it
> seems to be doing from an application perspective?
>
> I have a suspicion I know why it might be doing what it's doing, but the
> SP is not meant to be accepting that, and it will not in the future, I can
> tighten it up.
>
> > We're on 2.5.2 because that's the version available in Ubuntu 14.04's
> > package repositories; an upgrade would be a significant challenge. Even the
> > upcoming 16.04 LTS release only packages 2.5.3. Our SP is used by clients
> > from hundreds of universities daily, so we're hesitant to roll our own
> > package at the risk of stability.
>
> If those don't have backported security fixes, they shouldn't be used
> anyway, but it's important to understand that there are bugs that crop up
> that I won't spend time on if I have to do the work to reproduce it on a
> supported platform or version. When I can osmose the issue without doing
> that (like this one), that's fine, but that isn't always true.
>
> > Would you be willing/able to test it against 2.5.6, just to see if it
> > works with the most recent version?
>
> It wouldn't in this case; you can file a bug indicating that the result of
> processing the assertion with no AuthnStatement isn't as expected, but it
> wouldn't get you past this issue, the problem here is with the assertion.
>
> -- Scott
>
>
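
The condition diagnosed in the quoted reply, an assertion with no AuthnStatement, can be checked on a captured, decoded SAML response before asking the IdP operator to investigate. This is an added example, not part of the original thread or the Shibboleth code base; the sample response and the function names `audit_assertions` and `has_authn_statement` are constructed for illustration, and the check inspects structure only (it does no signature validation).

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample (not the message from the thread): attributes, no AuthnStatement.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-04-05T19:40:00Z">
    <saml:Issuer>https://idp.example.org/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def audit_assertions(xml_text):
    """Summarise the statements in each plaintext Assertion of a Response."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response that wraps assertions.
    if root.tag == "{%s}Assertion" % SAML:
        found = [root]
    else:
        found = root.findall("saml:Assertion", NS)
    report = []
    for a in found:
        authn = a.findall("saml:AuthnStatement", NS)
        report.append({
            "id": a.get("ID"),
            "authn_instants": [s.get("AuthnInstant") for s in authn],
            "attribute_statements": len(a.findall("saml:AttributeStatement", NS)),
        })
    # Encrypted assertions cannot be inspected without the SP's key.
    encrypted = len(root.findall("saml:EncryptedAssertion", NS))
    return report, encrypted


def has_authn_statement(xml_text):
    """True if at least one visible assertion carries an AuthnStatement."""
    report, _ = audit_assertions(xml_text)
    return any(r["authn_instants"] for r in report)


if __name__ == "__main__":
    print(audit_assertions(SAMPLE), has_authn_statement(SAMPLE))
```

The SAML 2.0 Web Browser SSO profile requires the assertions in a response to include at least one AuthnStatement, so a `False` result here is something to raise with the IdP operator. Run it only on messages you captured yourself; for XML from untrusted sources, use a hardened parser.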