Cherwell application (on-prem)
lohrda at jmu.edu
Fri Apr 26 16:55:36 EDT 2019
Not wanting to share too much specific data, which was why I mentioned
We are not specifically wanting to Shib the thick client, but the
portal. We are not choosing the email address, but Windows Login (not
using email is a long story in and of itself). In the SP metadata is:
Attempting to follow two different on-line Cherwell documents (public)
we guessed and put the following in our respective IdP files:

    <!-- resolver definition; enclosing tags and the encoder element start
         were cut off in this copy of the message and are reconstructed -->
    <resolver:AttributeDefinition id="sAMAccountName" xsi:type="ad:Simple">
        <resolver:Dependency ref="oud" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="sAMAccountName" encodeType="false" />
    </resolver:AttributeDefinition>

    <!-- filter rule; the enclosing AttributeRule is reconstructed -->
    <afp:AttributeRule attributeID="sAMAccountName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
But we get the following error at login:
    SAML Auth failed: An error occured, SAML status codes:
We are running Cherwell v9.3.5.x and our Shib IdP is v3.3.3. Our Shib
IdP is backed by a non-AD LDAP directory.
Their online docs do not seem to use Shib 3.x speak in their examples.
On 4/26/19 4:18 PM, Cantor, Scott wrote:
> I did a quick review. It's almost vanilla, I'm sending it a NameID in emailAddress format. It had a key and supports encryption. It didn't used to support SHA-2 signatures, but does now. The non-vanilla bit was that I was never able to get it to accept signed responses alone (it claims to, but it didn't work last I tested), so I had to toggle the metadata for it to trigger assertion signing, and that was about all.
> -- Scott
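The quickest way to get past a truncated "SAML status codes:" message like the one above is to look at what the IdP actually sent: the SAMLResponse form field posted to the SP's assertion consumer URL (visible in the browser's developer tools or a SAML tracer extension). The script below is an added example, not code from this thread, from Cherwell or from the Shibboleth project. It decodes that field, pulls out the top-level and second-level status codes, the NameID format, whether the Response and each Assertion carry a Signature element, and which attributes were released. The two sample responses are constructed for the example; it only reports whether signatures are present and does not verify them, and for responses you do not control you should parse with defusedxml rather than the stdlib parser.

```python
"""Summarize a SAML 2.0 Response the way an SP would see it (diagnostic only;
it reports whether Signature elements are present and does not verify them)."""
import base64
from xml.etree import ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def status_codes(root):
    """Chain of StatusCode values, outermost first; SAML nests an optional second-level code."""
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def summarize_response(xml_doc):
    """Parse a samlp:Response (str or bytes) and return the fields worth checking when login fails."""
    root = ET.fromstring(xml_doc)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    summary = {
        "status": status_codes(root),
        "status_message": root.findtext("samlp:Status/samlp:StatusMessage", None, NS),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "assertions": [],
    }
    for assertion in root.findall("saml:Assertion", NS):
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        summary["assertions"].append({
            "signed": assertion.find("ds:Signature", NS) is not None,
            "nameid_format": None if name_id is None else name_id.get("Format"),
            "nameid": None if name_id is None else name_id.text,
            "attributes": {
                attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
                for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
            },
        })
    return summary


def summarize_post_binding(saml_response_field):
    """Decode the base64 SAMLResponse form field of the HTTP-POST binding and summarize it."""
    return summarize_response(base64.b64decode(saml_response_field))


# Constructed sample: the IdP refused the request and gave a second-level reason.
FAILED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2019-04-26T20:55:36Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>An error occurred.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
FAILED_RESPONSE_B64 = base64.b64encode(FAILED_RESPONSE.encode()).decode()

# Constructed sample: success, emailAddress NameID, the assertion (not the response) is signed.
OK_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r2" Version="2.0" IssueInstant="2019-04-26T20:55:36Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2019-04-26T20:55:36Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.edu</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for doc in (FAILED_RESPONSE, OK_RESPONSE):
        print(summarize_response(doc))
```

Run it against a captured SAMLResponse value with summarize_post_binding(); a second-level status code such as InvalidNameIDPolicy, an empty attribute map, or a signed Response with an unsigned Assertion each point at a different IdP-side setting to check (NameID generation, the attribute filter policy, or the signing configuration respectively).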