Enforcing SAML2/transmission of persistentId for WAYF service?
Stefan Kombrink
stefan.kombrink at uni-ulm.de
Thu Nov 21 03:48:40 EST 2019
Okay, to answer my own question, I had to change the SSO into:
<SSO discoveryProtocol="SAMLDS"
discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Test/wayf">SAML2</SSO>
Now it uses SAML2 and I get a persistentId.
Stefan
On 21.11.2019 at 08:24, Stefan Kombrink wrote:
>
> Dear community,
>
> I've got an SP setup where I require the persistentId, and I want to
> attach a discovery service.
>
> As long as I define a single IdP as entityId I retrieve the
> persistentId during a session:
>
> <SSO entityID="https://idp-test.rz.uni-ulm.de/idp/shibboleth">SAML2
> SAML1</SSO>
>
> *SSO Protocol:* urn:oasis:names:tc:SAML:2.0:protocol
> *Authentication Context Class:* urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
>
> When I switch over to WAYF:
>
> <SSO discoveryProtocol="WAYF" ECP="true"
> discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-Test/wayf/www/WAYF.php">SAML2
> SAML1</SSO>
>
> I do not get the persistentId any longer. Furthermore, I can see the
> Session is using
>
> *SSO Protocol:* urn:oasis:names:tc:SAML:1.1:protocol
> *Authentication Context Class:* urn:oasis:names:tc:SAML:1.0:am:password
>
> To me it seems as if the WAYF forces it to use SAML1, and that's why I
> do not obtain the entityID. Is that so?
>
> Is there a discovery service I could use instead which will be SAML2
> compatible and give me the persistentID?
>
>
> thanks & best regards
>
> Stefan
>
> --
> Contact details: https://portal.uni-ulm.de/ETB/ab/showPerson.html?pid=46110
>
--
Contact details: https://portal.uni-ulm.de/ETB/ab/showPerson.html?pid=46110
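For anyone checking their own shibboleth2.xml for the two settings this thread turned out to hinge on (discoveryProtocol="WAYF" and SAML1 left in the SSO protocol list), here is a small Python linter. It is an added example, not Stefan's configuration or Shibboleth project code; the hostnames, namespace and the two SSO snippets in it are constructed, modelled on the elements quoted above.

```python
"""Lint the <SSO> element(s) of a Shibboleth SP shibboleth2.xml.

Flags the two settings the thread identifies with a SAML 1.1 session
that carried no persistentId: the legacy discoveryProtocol="WAYF" and
SAML1 listed among the SSO protocols. Sample configs are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed "before" snippet, modelled on the WAYF element in the thread.
BEFORE = """<Sessions xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <SSO discoveryProtocol="WAYF" ECP="true"
       discoveryURL="https://wayf.example.org/wayf/www/WAYF.php">SAML2 SAML1</SSO>
</Sessions>"""

# Constructed "after" snippet, modelled on the SAMLDS element that fixed it.
AFTER = """<Sessions xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <SSO discoveryProtocol="SAMLDS"
       discoveryURL="https://wayf.example.org/wayf">SAML2</SSO>
</Sessions>"""


def local_name(tag):
    """Strip the XML namespace so SP 2.x and 3.x configs are handled alike."""
    return tag.rsplit("}", 1)[-1]


def find_sso(xml_text):
    """Return every <SSO> element in the given config fragment."""
    root = ET.fromstring(xml_text)
    return [e for e in root.iter() if local_name(e.tag) == "SSO"]


def lint_sso(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for sso in find_sso(xml_text):
        protocols = (sso.text or "").split()   # element text is a protocol list
        disco = sso.get("discoveryProtocol")
        if disco == "WAYF":
            findings.append("discoveryProtocol=WAYF: legacy WAYF discovery; "
                            "the thread's fix was discoveryProtocol=SAMLDS")
        if "SAML1" in protocols:
            findings.append("SAML1 listed in SSO protocols; the reported SAML 1.1 "
                            "session carried no persistentId")
        if disco is not None and not sso.get("discoveryURL"):
            findings.append("discoveryProtocol set without a discoveryURL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, lint_sso(cfg) or "OK")
```

Point it at the <Sessions> block of a real shibboleth2.xml to get the same report for a live SP.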