IDP3: Is it possible to add a second recipient endpoint
Dan Malone
dmalone at calpoly.edu
Mon Nov 26 12:37:02 EST 2018
This is probably not a preferred solution, but I've been tasked to determine if it is technically possible.
And, yes, we did dig ourselves into this hole and are working on a plan to get out, but other timelines do not want to wait...
Here's the scenario:
1. We currently have IDPv3 running behind an OLD hardware load balancer with SSL offloading.
2. This old load balancer does not support newer ciphers, including those with Perfect Forward Secrecy.
3. Apple is requiring PFS on OSX and iOS applications.
4. New SP added for an application that has a desktop client with an embedded browser that requires PFS.
5. Expectation has been set that the new application be available after winter break.
So, among others, a short-term solution has been proposed to bring up a very lightweight virtual load balancer that supports the newer ciphers. This virtual load balancer would not be able to handle all of our IDP traffic, but can handle the traffic for this one SP. The OLD load balancer endpoint is idp.calpoly.edu..., the virtual load balancer would have an endpoint of idp.calpoly.org..., everything else being the same.
The error we see in the logs is:
2018-11-26 08:34:39,496 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200] - Message Handler: SAML message intended destination endpoint 'https://idp.calpoly.org/idp/profile/SAML2/Redirect/SSO' did not match the recipient endpoint 'https://idp.calpoly.edu/idp/profile/SAML2/Redirect/SSO'
2018-11-26 08:34:39,498 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:202] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: SAML message failed received endpoint check
at org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler.checkEndpointURI(ReceivedEndpointSecurityHandler.java:202)
So, here is the question:
On the IDP, is it possible to configure a second recipient endpoint that has a different domain name, allowing the IDP to pass the check causing the error above?
Thanks,
Dan
--
Dan Malone
Lead Identity Management Architect
Information Technology Services
California Polytechnic State University
San Luis Obispo, California
Direct 805-756-6326
dmalone at calpoly.edu
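To make the failing check in the log above concrete, here is an added example (not Shibboleth or OpenSAML code, and the function names, the sample AuthnRequest and its ID are constructed for illustration) that models what the received-endpoint check does: it decodes a SAMLRequest as sent over the HTTP-Redirect binding, reads the Destination attribute the SP addressed the message to, and compares it with the URL the IdP believes it received the message on. A message addressed to idp.calpoly.org arriving at idp.calpoly.edu fails, which is exactly the mismatch reported by ReceivedEndpointSecurityHandler; the comparison details (default-port normalisation, case folding) are this example's own assumptions, not a statement of OpenSAML's exact rules.

```python
import base64
import zlib
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample AuthnRequest, addressed to the .org endpoint as in the original post.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed_id_1" Version="2.0" IssueInstant="2018-11-26T16:34:39Z" '
    'Destination="https://idp.calpoly.org/idp/profile/SAML2/Redirect/SSO"/>'
)


def encode_redirect_request(xml: str) -> str:
    """Encode an AuthnRequest as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_request(saml_request: str) -> str:
    """Reverse of encode_redirect_request: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(saml_request), wbits=-15).decode("utf-8")


def normalize_endpoint(url: str) -> tuple:
    """Reduce a URL to (scheme, host, port, path) so that an explicit default port compares equal.
    This normalisation is an assumption of the example, not OpenSAML's exact rule."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port, parts.path)


def check_received_endpoint(saml_request: str, received_url: str) -> tuple:
    """Model of the IdP's received-endpoint check.

    The Destination inside the message must match the endpoint the message actually
    arrived on; otherwise a message intended for one endpoint could be accepted at another.
    Returns (ok, destination)."""
    root = ET.fromstring(decode_redirect_request(saml_request))
    destination = root.get("Destination")
    ok = destination is not None and normalize_endpoint(destination) == normalize_endpoint(received_url)
    return ok, destination


if __name__ == "__main__":
    encoded = encode_redirect_request(SAMPLE_AUTHN_REQUEST)
    for received in ("https://idp.calpoly.edu/idp/profile/SAML2/Redirect/SSO",
                     "https://idp.calpoly.org/idp/profile/SAML2/Redirect/SSO"):
        ok, dest = check_received_endpoint(encoded, received)
        print(f"destination={dest} received={received} -> {'ok' if ok else 'MISMATCH'}")
```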