New CAS metadata support in 3.4
Paul B. Henson
henson at cpp.edu
Wed Nov 28 14:35:30 EST 2018
> From: Marvin Addison
> Sent: Wednesday, November 28, 2018 4:16 AM
> To: Shib Users <users at shibboleth.net>
>
> I'm eager to get your feedback on this feature.
I definitely like the concept: per-service certificates rather than global, and embedded in an existing configuration file rather than requiring separate files. I will probably also like the implementation once I get it working :).
> I believe your problem is here. You need to use the KeyInfo and
> children from the http://www.w3.org/2000/09/xmldsig# namespace, not
> the SAML metadata namespace. I was burned by that myself recently.
Hmm. So just add the "ds:" prefix to the tags? Sometimes XML is a mysterious black box to me; the only sure sign that it is broken is when it fails to parse :). I don't feel so bad about having trouble getting it working when the guy that wrote it sometimes has the same issues ;).
> This line is troubling. A certificate validation error _should_ cause
> the proxy callback check to fail and prevent issuing a PGT. Could you
> please file a Jira issue and attach the logs above and your redacted
> cas-protocol.xml and relying-party.xml files?
Sure, I'll try to put together a minimal failure case.
Thanks...
--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | henson at cpp.edu
California State Polytechnic University | Pomona CA 91768
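
The namespace problem discussed in this message, as an added example that is not part of the original post or of Shibboleth's code: a small check that flags KeyInfo and its children when they are declared outside the http://www.w3.org/2000/09/xmldsig# namespace. The sample metadata, entityID, protocolSupportEnumeration value and certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Key elements that belong to the XML Signature namespace.
DS_ELEMENTS = {"KeyInfo", "KeyName", "X509Data", "X509Certificate"}

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def misplaced_key_elements(xml_text):
    """Return (local_name, namespace) for each key element outside xmldsig."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        ns, local = split_tag(elem.tag)
        if local in DS_ELEMENTS and ns != DS_NS:
            findings.append((local, ns))
    return findings

# Constructed sample: {p} is filled with "" (inherits the metadata default
# namespace, the failure case) or "ds:" (bound to xmldsig, the working case).
TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://service.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="urn:example:placeholder">
    <KeyDescriptor use="signing">
      <{p}KeyInfo><{p}X509Data>
        <{p}X509Certificate>PLACEHOLDER</{p}X509Certificate>
      </{p}X509Data></{p}KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""

BROKEN = TEMPLATE.format(p="")
FIXED = TEMPLATE.format(p="ds:")

if __name__ == "__main__":
    for label, doc in (("unprefixed", BROKEN), ("ds: prefixed", FIXED)):
        hits = misplaced_key_elements(doc)
        print(label, "->", hits if hits else "key elements are in xmldsig")
```

The check compares namespace URIs rather than prefixes, so any prefix bound to the xmldsig namespace passes, while an unprefixed KeyInfo under a metadata default namespace is reported even though the file parses cleanly.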