[External] Re: https://usertest.sciquest.com and specifying acsIndex

Bickel, David jdbickel at iu.edu
Wed Sep 11 13:18:29 EDT 2019


Thanks for everyone's input on this issue. In order to get the vendor to resolve it I had to "prove" that they needed to send more information. Below are the AuthnRequest headers of another school in the list and our school's. As you can see, for the school with the working setup the ACS is included, as was noted needed to happen in this thread.

<!-- school directly below us in the list -->
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://usertest.sciquest.com/apps/Router/ExternalAuth/SAML/Login/OtherSchool"
                     Destination="https://shib.other.school.edu/idp/profile/SAML2/POST/SSO"
                     ForceAuthn="true"
                     ID="_e39871593c06f68bf5b526937de9e169"
                     IssueInstant="2019-08-29T21:04:21.761Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >
<!-- what vendor was sending for our institution -->
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     Destination="https://idp.our.school.edu/shibboleth-idp/profile/SAML2/POST/SSO"
                     ID="_de2dc54b422d212a8b77a660c05c569d"
                     IssueInstant="2019-08-29T21:05:26.951Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     Version="2.0"
                     >

Thanks,
--David
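How an IdP picks the ACS endpoint for the two requests quoted above, as an added illustration that is not part of this thread or of the Shibboleth code: the ACS comes from AssertionConsumerServiceURL (checked against SP metadata) or AssertionConsumerServiceIndex, and only when neither is present does the IdP fall back to the metadata default, which for this vendor belongs to another institution. The SP metadata, the `OurSchool` path and the shortened request strings are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ROUTER = "https://usertest.sciquest.com/apps/Router/ExternalAuth/SAML/Login/"

# Constructed SP metadata: one ACS endpoint per institution, the layout the thread
# describes. "OurSchool" is a placeholder path, not the vendor's real one.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://usertest.sciquest.com">
 <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
  <md:AssertionConsumerService index="0" isDefault="true" Binding="{POST}" Location="{ROUTER}OtherSchool"/>
  <md:AssertionConsumerService index="1" Binding="{POST}" Location="{ROUTER}OurSchool"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Minimal forms of the two requests quoted above, closed as empty elements so they parse.
WORKING_REQUEST = (f'<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" ID="_a" Version="2.0" '
                   f'ProtocolBinding="{POST}" AssertionConsumerServiceURL="{ROUTER}OtherSchool"/>')
BROKEN_REQUEST = (f'<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" ID="_b" Version="2.0" '
                  f'ProtocolBinding="{POST}"/>')

def acs_endpoints(metadata_xml):
    """Collect the SP's AssertionConsumerService endpoints from its metadata."""
    root = ET.fromstring(metadata_xml)
    return [{"index": int(e.get("index")), "default": e.get("isDefault") == "true",
             "binding": e.get("Binding"), "location": e.get("Location")}
            for e in root.iterfind(f".//{{{MD}}}AssertionConsumerService")]

def resolve_acs(authn_request_xml, endpoints):
    """Pick the ACS an IdP will POST the response to, in the order SAML 2.0 Core 3.4.1
    gives: URL by value (must match metadata), then index, then default, then first."""
    req = ET.fromstring(authn_request_xml)
    url = req.get("AssertionConsumerServiceURL")
    idx = req.get("AssertionConsumerServiceIndex")
    binding = req.get("ProtocolBinding")
    if url is not None:
        # A URL the IdP cannot verify against metadata must be refused, otherwise an
        # unsigned request could steer the assertion to an arbitrary location.
        if not any(ep["location"] == url and (binding is None or ep["binding"] == binding)
                   for ep in endpoints):
            raise ValueError("AssertionConsumerServiceURL not in SP metadata")
        return url
    if idx is not None:
        for ep in endpoints:
            if ep["index"] == int(idx):
                return ep["location"]
        raise ValueError("AssertionConsumerServiceIndex not in SP metadata")
    # No ACS information at all: fall back to the default (else first) endpoint,
    # which here is the other school's URL, so the login fails as the thread describes.
    return next((ep["location"] for ep in endpoints if ep["default"]), endpoints[0]["location"])
```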


On 8/27/19, 4:01 AM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:

    
    * Bickel, David <jdbickel at iu.edu> [2019-08-26 21:39]:
    > When SP Initiated login is attempted our IDP chooses the first
    > endpoint and fails.
    
    I get HTTP 403 when I try https://usertest.sciquest.com myself, so
    what does the SAML authentication request say when you attempt
    SP-initiated SSO?
    
    Since it's their SP that generates the request already fully knowing
    the IDP it is for there's no reason it should (1) rely on ACS index in
    the first place instead of specifying the ACS URL itself by value and
    (2) contain the wrong index for your IDP.
    
    (Of course the fact that they require a unique ACS URL and index for
    every IDP is plain silly, but that's vendor SAML implementations for
    you, I guess.)
    
    -peter