Is skipEndpointValidationWhenSigned still an issue?

Brent Putman putmanb at georgetown.edu
Wed May 25 13:48:45 EDT 2016



On 5/25/16 1:28 PM, Yavor Yanakiev wrote:
>
> 2016-05-25 13:23:50,546 - DEBUG
> [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:126] -
> Endpoint Resolver
> org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:
> Neither candidate endpoint location
> 'https://securelb.imodules.com/controls/login/AssertionConsumerService.aspx?sid=-10680'
> nor response location 'null' matched
> 'https://securelb.imodules.com/controls/login/AssertionConsumerService.aspx?sid=-10680&gid=1'
>
> 2016-05-25 13:23:50,546 - DEBUG
> [org.opensaml.saml.common.binding.AbstractEndpointResolver:130] -
> Endpoint Resolver
> org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: No
> candidate endpoints met criteria

So as Scott said, the skipEndpointValidationWhenSigned isn't working
b/c of the absence of the ProtocolBinding.

So it's then failing back to trying standard metadata-based
validation.  And per the above log entry, the metadata doesn't match
what's in the request.  The request ACS URL has the additional query
param "gid=1", so it's not valid.

So you either need to 1) fix the metadata, or 2) they need to fix the
ACS URL sent in the request.  (Or 3) they need to enhance the request
to include ProtocolBinding, which probably allows the
skipEndpointValidationWhenSigned to work.  They should also omit
AssertionConsumerServiceIndex while they're at it.)
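The decision path described in this thread, as an added illustration (this is not OpenSAML or Shibboleth code, and it is a simplified model of the behaviour, not the IdP's actual resolver): the signed-request shortcut is only usable when the AuthnRequest carries both a signature and a ProtocolBinding; otherwise the IdP falls back to a character-for-character comparison of the requested ACS URL against the Location and ResponseLocation of each endpoint in SP metadata, which is exactly what fails on the extra "gid=1" query parameter in the log above. The two URLs are the ones quoted in the log; the HTTP-POST binding value is an assumption, since the thread does not say which binding the SP uses.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed binding for the SP's AssertionConsumerService (not stated in the thread).
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# URLs taken from the DEBUG log quoted in the thread.
METADATA_LOCATION = "https://securelb.imodules.com/controls/login/AssertionConsumerService.aspx?sid=-10680"
REQUEST_ACS = METADATA_LOCATION + "&gid=1"


@dataclass
class MetadataEndpoint:
    """One AssertionConsumerService element from SP metadata."""
    binding: str
    location: str
    response_location: Optional[str] = None


@dataclass
class AuthnRequestEndpoint:
    """The endpoint the SP asked for in its AuthnRequest."""
    acs_url: str
    protocol_binding: Optional[str]  # None when the request omits ProtocolBinding
    signed: bool


def url_differences(candidate: str, requested: str) -> List[str]:
    """Name the URL components that differ; an empty list means an exact match."""
    a, b = urlsplit(candidate), urlsplit(requested)
    return [name for name in ("scheme", "netloc", "path", "query", "fragment")
            if getattr(a, name) != getattr(b, name)]


def resolve_endpoint(req: AuthnRequestEndpoint, metadata: List[MetadataEndpoint],
                     skip_validation_when_signed: bool = False) -> Tuple[Optional[str], Optional[str]]:
    """Return (how, endpoint): 'trusted-by-signature', 'metadata', or (None, None)
    when no candidate matched (the "No candidate endpoints met criteria" case)."""
    # Simplified model (assumption): the shortcut needs a signature AND a ProtocolBinding,
    # because without a binding the request does not describe a complete endpoint.
    if skip_validation_when_signed and req.signed and req.protocol_binding is not None:
        return ("trusted-by-signature", req.acs_url)
    # Fallback: strict comparison against metadata, query string included.
    for ep in metadata:
        if req.protocol_binding is not None and ep.binding != req.protocol_binding:
            continue
        if req.acs_url in (ep.location, ep.response_location):
            return ("metadata", ep.location)
    return (None, None)


def explain(req: AuthnRequestEndpoint, metadata: List[MetadataEndpoint]) -> List[str]:
    """One line per metadata candidate saying why it did or did not match, for log triage."""
    lines = []
    for ep in metadata:
        for label, url in (("location", ep.location), ("response location", ep.response_location)):
            if url is None:
                continue
            diffs = url_differences(url, req.acs_url)
            lines.append(f"{label} {url!r}: " + ("match" if not diffs else "differs in " + ", ".join(diffs)))
    return lines


SP_METADATA = [MetadataEndpoint(SAML2_POST, METADATA_LOCATION)]


def scenario_from_thread():
    """Signed request, no ProtocolBinding: shortcut unavailable, metadata mismatch on the query string."""
    req = AuthnRequestEndpoint(REQUEST_ACS, protocol_binding=None, signed=True)
    return resolve_endpoint(req, SP_METADATA, skip_validation_when_signed=True)


def scenario_with_protocol_binding():
    """Option 3 from the thread: the SP adds ProtocolBinding, so the signed endpoint is trusted."""
    req = AuthnRequestEndpoint(REQUEST_ACS, protocol_binding=SAML2_POST, signed=True)
    return resolve_endpoint(req, SP_METADATA, skip_validation_when_signed=True)


def scenario_fixed_metadata():
    """Option 1 from the thread: metadata updated to carry the same ACS URL the SP sends."""
    fixed = [MetadataEndpoint(SAML2_POST, REQUEST_ACS)]
    req = AuthnRequestEndpoint(REQUEST_ACS, protocol_binding=None, signed=True)
    return resolve_endpoint(req, fixed, skip_validation_when_signed=True)


if __name__ == "__main__":
    req = AuthnRequestEndpoint(REQUEST_ACS, protocol_binding=None, signed=True)
    print(scenario_from_thread())
    for line in explain(req, SP_METADATA):
        print(line)
    print(scenario_with_protocol_binding())
    print(scenario_fixed_metadata())
```

The `explain` helper is the part worth keeping at hand when reading the IdP's "Neither candidate endpoint location ... nor response location ... matched" message: it points at the component that differs (here only the query), which is usually enough to decide whether the SP's metadata or the SP's request is the thing to fix. Accepting the request's own ACS URL under the signed shortcut is only sound because the signature ties that URL to the SP's registered key; the metadata comparison stays strict for every unsigned or binding-less request.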