Internal SP Using HTTP-Redirect instead of HTTP-POST

Garmer, Jack - garmercj garmercj at jmu.edu
Thu May 23 18:37:45 EDT 2019


Good Evening!

In an effort to create a uniform login experience, complete with MFA, our organization has opted to deploy internal SPs. I'm working with a colleague on setting up one of our first SPs and I'm running into a snag that I can't find the answer to via normal channels. I'm hoping someone here can assist.

We're attempting to authenticate against our development IdP environment, it-federation-dev.jmu.edu. In the shibd.log on the SP side, we're seeing this:

2019-05-23 18:26:38 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [2] [default]: marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST" Destination="https://it-federation-dev.jmu.edu/idp/profile/SAML2/Redirect/SSO" ID="_1648fa9b7458e5bb02050562e7902c54" IssueInstant="2019-05-23T22:26:38Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://itsmapi.jmu.edu/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>

And the SP transaction log shows this:

                2019-05-23 18:26:38|Shibboleth-TRANSACTION.AuthnRequest|||https://it-federation-dev.jmu.edu/idp/shibboleth||||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect||||||


On the IdP side, we see this:

DEBUG Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location 'https://it-itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST' nor response location 'null' matched 'https://itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST'

It appears the SP is sending requests to HTTP-Redirect on our IdP and I can't figure out why. The metadata on both instruct HTTP-POST as the primary protocol:

SP:
                <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://it-itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST" index="0" isdefault="true"/>

IdP:

        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/Redirect/SSO"/>

If I remove the HTTP-POST-SimpleSign and HTTP-Redirect lines from the IdP metadata on the SP, I get an HTTP-POST transaction on the SP, but a similar candidate mismatch error on the IdP side. What config files should I be paying attention to that would control this behavior? Relying-parties.xml is configured similarly to other SPs we have in place and makes no mention of using HTTP-Redirect. Shibboleth2.xml also makes no mention of HTTP-Redirect.

Thank you for your time!

--
Jack Garmer
Linux Systems Administrator
James Madison University
o. 540-568-4235
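The two log lines quoted in the post come from two different endpoint decisions. The SP chooses which IdP SingleSignOnService to send the AuthnRequest to from its own outbound binding preference, which is why Destination points at the Redirect/SSO endpoint even though the request's ProtocolBinding is HTTP-POST: in SAML 2.0, ProtocolBinding names the binding the IdP should use for the response, not the binding the request travels over. Separately, the IdP resolves the request's AssertionConsumerServiceURL against the ACS endpoints in the SP's metadata, and in the post those differ by hostname (it-itsmapi.jmu.edu in the metadata versus itsmapi.jmu.edu in the request). The script below is an added example, not Shibboleth code, that models both decisions over metadata fragments constructed from the post. Two assumptions are labelled in the code: that the SP prefers HTTP-Redirect over HTTP-POST for outbound requests (the order is a parameter), and that ACS matching is an exact string comparison after filtering on binding, a simplification of the real DefaultEndpointResolver.

```python
"""Model the two SAML 2.0 endpoint decisions behind the posted log lines.

Added example, not Shibboleth code.  Labelled assumptions:
- The SP's outbound binding preference is HTTP-Redirect, then HTTP-POST
  (configurable below; the real SP reads it from its SessionInitiator).
- The IdP matches the request's AssertionConsumerServiceURL by exact string
  comparison after filtering ACS endpoints on ProtocolBinding (a simplified
  model of OpenSAML's DefaultEndpointResolver).
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
B_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
B_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
B_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed IdP metadata fragment, modelled on the SingleSignOnService lines in the post.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://it-federation-dev.jmu.edu/idp/shibboleth">
  <md:IDPSSODescriptor>
    <md:SingleSignOnService Binding="{B_POST}" Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="{B_SIMPLESIGN}" Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <md:SingleSignOnService Binding="{B_REDIRECT}" Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata fragment, modelled on the AssertionConsumerService line in the post.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://itsmapi.jmu.edu/shibboleth">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="{B_POST}" Location="https://it-itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest carrying the same ACS URL and ProtocolBinding as the logged one.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" AssertionConsumerServiceURL="https://itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST" Destination="https://it-federation-dev.jmu.edu/idp/profile/SAML2/Redirect/SSO" ID="_1648fa9b7458e5bb02050562e7902c54" IssueInstant="2019-05-23T22:26:38Z" ProtocolBinding="{B_POST}" Version="2.0"/>"""


def choose_sso_endpoint(idp_metadata_xml, preference=(B_REDIRECT, B_POST)):
    """SP side: pick the IdP SingleSignOnService the AuthnRequest is sent to.

    The first binding in the SP's outbound preference list that the IdP
    advertises wins; the order in the IdP metadata is irrelevant.
    Returns (binding, location), or None if nothing overlaps.
    """
    root = ET.fromstring(idp_metadata_xml)
    endpoints = [(e.get("Binding"), e.get("Location"))
                 for e in root.iter(f"{{{MD}}}SingleSignOnService")]
    for wanted in preference:
        for binding, location in endpoints:
            if binding == wanted:
                return binding, location
    return None


def resolve_acs(sp_metadata_xml, authn_request_xml):
    """IdP side: resolve the request's ACS URL against the SP's metadata.

    Keeps only ACS endpoints whose Binding equals the request's
    ProtocolBinding, then requires an exact Location match (assumption).
    Returns (matched_location_or_None, candidate_locations).
    """
    req = ET.fromstring(authn_request_xml)
    wanted_url = req.get("AssertionConsumerServiceURL")
    wanted_binding = req.get("ProtocolBinding")
    root = ET.fromstring(sp_metadata_xml)
    candidates = [e.get("Location")
                  for e in root.iter(f"{{{MD}}}AssertionConsumerService")
                  if e.get("Binding") == wanted_binding]
    matched = wanted_url if wanted_url in candidates else None
    return matched, candidates


if __name__ == "__main__":
    binding, location = choose_sso_endpoint(IDP_METADATA)
    print("SP sends AuthnRequest over", binding.rsplit(":", 1)[1], "to", location)
    matched, candidates = resolve_acs(SP_METADATA, AUTHN_REQUEST)
    if matched is None:
        print("IdP rejects request: none of", candidates, "matched the ACS URL in the request")
    else:
        print("IdP will respond to", matched)
```

Running it prints the Redirect/SSO endpoint as the request destination and a rejection listing the it-itsmapi.jmu.edu candidate, reproducing both log lines; passing `preference=(B_POST, B_REDIRECT)` to `choose_sso_endpoint` shows how an SP-side preference change, rather than an IdP change, moves the request to the POST/SSO endpoint, while `resolve_acs` only succeeds once the ACS Location in the SP metadata and the URL in the request are the same string.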
