Internal SP Using HTTP-Redirect instead of HTTP-POST
Garmer, Jack - garmercj
garmercj at jmu.edu
Thu May 23 18:37:45 EDT 2019
In an effort to create a uniform login experience, complete with MFA, our organization has opted to deploy internal SPs. I'm working with a colleague on setting up one of our first SPs and I'm running into a snag that I can't find the answer to via normal channels. I'm hoping someone here can assist.
We're attempting to authenticate against our development idp environment, it-federation-dev.jmu.edu. In the shibd.log on the SP side, we're seeing this:
2019-05-23 18:26:38 DEBUG OpenSAML.MessageEncoder.SAML2Redirect  [default]: marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST" Destination="https://it-federation-dev.jmu.edu/idp/profile/SAML2/Redirect/SSO" ID="_1648fa9b7458e5bb02050562e7902c54" IssueInstant="2019-05-23T22:26:38Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://itsmapi.jmu.edu/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
And the SP transaction log shows this:
On the idp side, we see this:
DEBUG Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location 'https://it-itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST' nor response location 'null' matched 'https://itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST'
It appears the SP is sending requests to HTTP-Redirect on our idp and I can't figure out why. The metadata on both instruct HTTP-POST as the primary protocol:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://it-itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST" index="0" isDefault="true"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/Redirect/SSO"/>
If I remove the HTTP-POST-SimpleSign and HTTP-Redirect lines from the idp metadata on the SP, I get an HTTP-POST transaction on the SP, but a similar candidate mismatch error on the idp side. What config files should I be paying attention to that would control this behavior? Relying-parties.xml is configured similarly to other SPs we have in place and makes no mention of using HTTP-Redirect. Shibboleth2.xml also makes no mention of HTTP-Redirect.
Thank you for your time!
Linux Systems Administrator
James Madison University
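Added example (editor's code, not from the poster or the Shibboleth project): the two checks that the quoted logs are exercising, reproduced in plain Python so they can be run against the values in the post. The first mirrors what the IdP's endpoint resolver does before it will send a Response anywhere: the AssertionConsumerServiceURL and ProtocolBinding in the AuthnRequest must match an AssertionConsumerService Location (or ResponseLocation) registered in the SP's metadata, by exact string comparison. That is the control that stops an AuthnRequest from redirecting assertions to an unregistered host, and it is why the IdP log above reports a mismatch between `it-itsmapi.jmu.edu` (metadata) and `itsmapi.jmu.edu` (request) independent of which binding carried the request. The second mirrors how the SP picks an IdP SingleSignOnService: by its own outgoing-binding preference list, not by the order endpoints appear in IdP metadata. The preference order assumed here (HTTP-Redirect, then HTTP-POST, then HTTP-POST-SimpleSign) is the Shibboleth SP `outgoingBindings` default as I understand it; verify it against your SessionInitiator configuration. The metadata fragments are constructed from the snippets in the post.

```python
"""SAML2 endpoint resolution, IdP side and SP side, on the post's own values."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
# Assumed SP default preference (outgoingBindings); check your shibboleth2.xml.
DEFAULT_OUTGOING = [REDIRECT, POST, SIMPLESIGN]

# Constructed from the SP metadata line quoted in the post (note the host).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://itsmapi.jmu.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://it-itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed from the marshalled AuthnRequest in the shibd.log excerpt.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://itsmapi.jmu.edu/Shibboleth.sso/SAML2/POST"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ID="_1648fa9b7458e5bb02050562e7902c54" IssueInstant="2019-05-23T22:26:38Z" Version="2.0"/>"""

# Constructed from the three SingleSignOnService lines quoted from IdP metadata.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://it-federation-dev.jmu.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://it-federation-dev.jmu.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(sp_metadata_xml):
    """All AssertionConsumerService entries as (binding, location, response_location)."""
    root = ET.fromstring(sp_metadata_xml)
    return [(e.get("Binding"), e.get("Location"), e.get("ResponseLocation"))
            for e in root.iterfind(".//md:AssertionConsumerService", NS)]


def resolve_acs(sp_metadata_xml, authn_request_xml):
    """IdP-side check: return the registered ACS Location the Response may go to,
    or None when the request's ACS URL/binding matches nothing in SP metadata.
    Matching is exact string comparison, so a differing hostname fails even
    when the path and binding agree."""
    req = ET.fromstring(authn_request_xml)
    wanted_url = req.get("AssertionConsumerServiceURL")
    wanted_binding = req.get("ProtocolBinding")
    for binding, location, response_location in acs_endpoints(sp_metadata_xml):
        if wanted_binding and binding != wanted_binding:
            continue
        if wanted_url in (location, response_location):
            return location
    return None


def choose_sso_endpoint(idp_metadata_xml, outgoing_bindings=DEFAULT_OUTGOING):
    """SP-side choice: first binding in the SP's preference list that the IdP
    advertises, regardless of the order of SingleSignOnService elements."""
    root = ET.fromstring(idp_metadata_xml)
    by_binding = {e.get("Binding"): e.get("Location")
                  for e in root.iterfind(".//md:SingleSignOnService", NS)}
    for binding in outgoing_bindings:
        if binding in by_binding:
            return binding, by_binding[binding]
    return None


if __name__ == "__main__":
    print("IdP resolves ACS to:", resolve_acs(SP_METADATA, AUTHN_REQUEST))
    fixed = SP_METADATA.replace("it-itsmapi.jmu.edu", "itsmapi.jmu.edu")
    print("After host fix:", resolve_acs(fixed, AUTHN_REQUEST))
    print("SP default choice:", choose_sso_endpoint(IDP_METADATA))
    print("SP with POST only:", choose_sso_endpoint(IDP_METADATA, [POST]))
```

With the post's values `resolve_acs` returns None, reproducing the IdP's "neither candidate endpoint location ... matched" log; aligning the hostname in SP metadata with what the SP actually sends makes it resolve. `choose_sso_endpoint` returns the Redirect endpoint under the assumed default preference even though POST is listed first in metadata, and only returns the POST endpoint when the preference list is restricted to POST, which is the behaviour the poster saw when deleting the other two SingleSignOnService lines.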