Processing HTTP_Redirect from idp

Cantor, Scott cantor.2 at osu.edu
Fri Nov 2 18:29:01 EDT 2018 

On 11/2/18, 5:39 PM, "wknight" <wknight at quavermusic.com> wrote:

> Can you help specify? I can't decipher if that's a yes or no?

I said don't change the entityID. Everything else is inevitably a mess and different degrees of breakage and problems, and all I'm saying is: don't change something that is not supposed to change.

>  Should the new SP use the same entityID as the old one? 

Yes.

> If so, then do my values for Host name,entityID, & discoveryURL line up with what you'd expect, given my situation
> & goals?

I imagine, except that that discovery URL is invalid, it's just nothing. Access it, and see.

IdP discovery is how the system determines the IdP to use when the resource is accessed. It assumes direct access to the resource(s), and it has to point to a compliant discovery service such as the EDS tool we have or any of the others scattered around that knows how to work with the SP to return the IdP to use.

Your whole issue with the customers using URLs that are now broken is because you're giving them direct access back into the SP with the IdP preselected. That's a bypass for needing to do the discovery step. Discovery never runs because the IdP is handed to it manually with those links. Which is fine until you have to change the URL, which is where you're at now.

If your SP ever had to use that setting, it would break. I can easily imagine it is, and customers are accessing things in ways nobody is paying attention to and ending up with random failures, but I really have no idea.

If you don't deploy a discovery mechanism, then you can't set that URL, it's really that simple. And if it ever comes into play, then there will be an error regardless, it's just a question as to what type of error shows up.

Maybe it would be simpler if you simply looked at something else like the wiki.

You won't have access to this page, but for illustration:

https://wiki.shibboleth.net/confluence/display/MEMBER/Home

See what happens? That's discovery. That's what the setting is pointing to.

Now take a different tack:

https://wiki.shibboleth.net/confluence/Shibboleth.sso/Login?entityID=urn:mace:incommon:osu.edu

Right? Same links you're asking about. It sends you to my IdP at Ohio State. That bypasses discovery. That's what your customers are doing and why that setting is wrong, but doesn't matter for some definition of "doesn't matter".

But setting it to a completely invalid location is obviously not useful.

-- Scott

More information about the users mailing list