SP - Trying to test copy of server - should this work?

Cantor, Scott cantor.2 at osu.edu
Tue May 3 10:41:57 EDT 2016

> As everything here is SAML 2 (i.e. no back channel stuff), I had hoped that I
> would then be able to test shibboleth authentication on "rms-new" just by
> setting the host file on my laptop to resolve "rms" and "rms-new" to the IP
> Address of "rms-new" - in my head I thought I would then be able to go to
> "rms" on my laptop and behind the scenes it would actually be talking to
> "rms-new" (which is the case) and I hoped/presumed that our (shib) IdP
> would be OK with this as, as far as it was concerned, it would be
> authenticating for the existing "rms" system's SP . . . (?)

It does, provided the new system believes it's the old system.

> Looking at the IdP logs, I can see that happening:
> 13:45:10.250 - WARN
> [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:206] - Relying
> party 'https://rms.stir.ac.uk/shibboleth' requested the response to be
> returned to endpoint with ACS URL
> 'http://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST'  and binding

Note that's http, not https.

> - which seems to be saying that it can't find the relying party configuration for
> "https://rms.stir.ac.uk/shibboleth"

That isn't what it's saying.

> <md:AssertionConsumerService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST" index="1"/>

Which is https.

-- Scott
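The distinction Scott draws here (the IdP did find the relying party's metadata; what it could not do was match the ACS URL the SP asked for against the endpoints registered for it, because one is http and the other https) is easy to reproduce offline. The following script is an added example and is not code from this thread or from the Shibboleth project: it parses a constructed copy of the SP metadata quoted above, builds a minimal unsigned AuthnRequest, and selects an endpoint the way an IdP would, by exact match of binding and Location. The "rms-new" entityID used for the third case is an assumed name, and the matching rule is a simplification of the IdP's real endpoint selection.

```python
"""Check the ACS URL an SP asks for against the endpoints in its metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata, modelled on the snippet quoted in the thread
# (https ACS endpoint, entityID https://rms.stir.ac.uk/shibboleth).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://rms.stir.ac.uk/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Metadata the (simulated) IdP holds, keyed by entityID.
METADATA = {"https://rms.stir.ac.uk/shibboleth": SP_METADATA}


def make_authn_request(issuer, acs_url, binding=POST_BINDING):
    """Build a minimal, unsigned AuthnRequest (constructed for this example)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
        'ID="_example" Version="2.0" IssueInstant="2016-05-03T13:45:10Z" '
        'AssertionConsumerServiceURL="{acs}" ProtocolBinding="{binding}">'
        "<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ).format(samlp=NS["samlp"], saml=NS["saml"], acs=acs_url,
             binding=binding, issuer=issuer)


def registered_endpoints(metadata_xml):
    """Return (entityID, {(binding, location), ...}) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.findall(".//md:AssertionConsumerService", NS)
    return root.get("entityID"), {(e.get("Binding"), e.get("Location")) for e in acs}


def select_endpoint(request_xml, metadata_by_entity):
    """Simplified IdP endpoint selection.

    Two distinct failures are kept apart on purpose: the issuer having no
    metadata at all, versus the issuer being known but asking for an ACS
    (binding + Location) that its metadata does not list. The thread's
    warning is the second case, not the first.
    """
    req = ET.fromstring(request_xml)
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer not in metadata_by_entity:
        return "unknown-relying-party", issuer
    wanted = (req.get("ProtocolBinding"), req.get("AssertionConsumerServiceURL"))
    _, endpoints = registered_endpoints(metadata_by_entity[issuer])
    if wanted in endpoints:
        return "ok", wanted[1]
    # Exact string comparison: an http Location never matches an https one.
    return "endpoint-mismatch", wanted[1]


def demo():
    """Three requests: the http one from the log, the https fix, an unknown SP."""
    entity = "https://rms.stir.ac.uk/shibboleth"
    bad = make_authn_request(entity, "http://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST")
    good = make_authn_request(entity, "https://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST")
    # Assumed entityID for the copied server; not in the thread.
    unknown = make_authn_request("https://rms-new.stir.ac.uk/shibboleth",
                                 "https://rms.stir.ac.uk/Shibboleth.sso/SAML2/POST")
    return [select_endpoint(r, METADATA) for r in (bad, good, unknown)]


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```

The first case reproduces the warning in the quoted log: the relying party is known, but the request names an http endpoint while the metadata only registers https, so no endpoint is selected. The third case is what "can't find the relying party configuration" would actually look like, and it is a different error. For the copied server to pass, it has to present itself as the original: the same entityID and handler URLs, scheme included, that the IdP's copy of the metadata lists.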
