SAManage with Shibboleth 3?

Mark Cairney Mark.Cairney at ed.ac.uk
Thu Apr 19 04:46:59 EDT 2018


Hi,

Just to confirm that it is working satisfactorily now.

The hack in the attribute resolver is that in order to give the
application a more "user friendly" domain name a CNAME to its "real"
FQDN was set up. Therefore the application still "thinks" it's using
its real FQDN (according to its internal metadata anyway).

To work around this I added an additional ACS entry with the
"user-friendly" FQDN in it in my local metadata. Not pretty but it works.

Kind regards,
Mark


On 18/04/18 16:53, Tom Scavo wrote:
> On Wed, Apr 18, 2018 at 11:01 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>> Looking at the external doc you provided earlier, [1] I see that SP metadata
>>> can be retrieved via HTTPS.
>>
>> With no expiration, so that's inherently unable to safely support revocation. And it likely won't be modified in a manner that allows a key change to happen safely, which defeats the purpose of doing it.
> 
> As mentioned previously in the thread, there is no certificate in SP
> metadata, so there is nothing to revoke. The metadata is dead simple:
> https://edin.samanage.com/saml/metadata
> 
> Mark, this begs the question: The online metadata contains an
> <md:NameIDFormat> element, so I wonder why that is not working for
> you. Did you include this element in your snapshot in the file system?
> If so, then it should Just Work (TM).
> 
>> I would never pull in a third party metadata source outside of InCommon or another similarly managed source, at least absent other assumptions that I have never seen a vendor meet.
> 
> I'll come back to this after Mark has successfully integrated with the
> SP. I don't want to derail the thread, at least not yet ;-)
> 
> Tom
> 

-- 
/****************************

Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: Mark.Cairney at ed.ac.uk
PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
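The workaround Mark describes, a second AssertionConsumerService entry carrying the user-friendly CNAME in the locally held SP metadata, widens the set of Locations the IdP will post assertions to, so it is worth being able to list and sanity-check those endpoints. The following is an added example, not code from the thread or from the vendor: it parses a constructed SP metadata snapshot (placeholder hostnames `sp.vendor.example` and `helpdesk.example.ac.uk`, not the real ones) and reports any ACS Location that is not HTTPS or whose host is not on an operator-maintained allow-list.

```python
"""Added example (not from the thread): enumerate the ACS endpoints in an SP
metadata document and flag any whose host is unexpected or not HTTPS."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed local SP metadata snapshot: the vendor's "real" FQDN (index 0)
# plus the extra ACS entry for the user-friendly CNAME (index 1), mirroring the
# workaround in the post. Hostnames are placeholders, not the real deployment.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.vendor.example/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://sp.vendor.example/saml/consume" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://helpdesk.example.ac.uk/saml/consume" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_endpoints(metadata_xml):
    """Return (index, binding, location) tuples for every ACS element, sorted by index."""
    root = ET.fromstring(metadata_xml)
    found = []
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        found.append((int(acs.get("index")), acs.get("Binding"), acs.get("Location")))
    return sorted(found)


def check_acs_hosts(metadata_xml, allowed_hosts):
    """Return the ACS Locations that are not HTTPS or whose host is not allow-listed.

    The IdP will only deliver assertions to Locations present in trusted
    metadata, so every extra entry (such as a CNAME alias) should be one the
    operator deliberately added; anything else here is worth a closer look.
    """
    flagged = []
    for _, _, location in acs_endpoints(metadata_xml):
        url = urlparse(location)
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            flagged.append(location)
    return flagged


if __name__ == "__main__":
    for index, binding, location in acs_endpoints(SAMPLE_SP_METADATA):
        print(index, binding.rsplit(":", 1)[-1], location)
    # Only the vendor host is expected: the CNAME alias entry gets flagged.
    print(check_acs_hosts(SAMPLE_SP_METADATA, {"sp.vendor.example"}))
```

Run it against the real local metadata file by replacing the constructed string with the file contents; the allow-list should contain exactly the vendor FQDN and the CNAME you set up, so that a later metadata refresh that quietly adds a third endpoint is noticed.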

