Zoho Help SP claims no metadata
Baron Fujimoto
baron at hawaii.edu
Tue Jun 16 20:11:51 UTC 2020
Thanks, yes, I also couldn't find a requirement per the standards docs you referenced.
Am I correct that, regardless of this SP's willingness to provide metadata, it will nonetheless be required for configuring the Shib IdP to work with them?
I'm pessimistic we'll be successful in persuading this SP to do the sane thing if they are unconvinced they are not already doing so. If that's the case, are we left with the option of creating metadata for them ourselves?
Given their mention of one of the few pieces of information they will provide being a relay state, does this imply they are expecting IdP-initiated/unsolicited SSO? This would also be a first for us.
I've found this documentation
<https://wiki.shibboleth.net/confluence/display/IDP30/UnsolicitedSSOConfiguration>
Pardon the possibly dumb questions, but I found it a little ambiguous. Where it discusses the request interfaces for SAML 1.x/2, are those to be in the SP metadata? I'm assuming so (since it doesn't make sense to put SP specific info in the IdP's metadata), but would appreciate confirmation.
Assuming it goes in the SP metadata, are those location endpoints defined in AssertionConsumerService elements in the SPSSODescriptor? If not, where do they belong? The example SP metadata here doesn't provide an example for unsolicited SSO that I see here:
<https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForSP>
On Tue, Jun 16, 2020 at 12:08:08AM +0000, Nate Klingenstein wrote:
>Baron,
>
>If my memory is correct, I don't think metadata is required in any part of the SSO profile per the standard(lots of MAYs), and there were never good compliance categories standardized anyway. I'll let someone else field the first half of your question -- I haven't done that integration, but I've faced the same issue with many many other SP's.
>
>Influencing vendors and other implementers to just do the sane thing is a big part of the reason we set up and operate SAMLtest and require them to supply metadata to it.
>
>https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf (4.1 in general, esp. 4.1.3.3 and 4.1.5 in this instance)
>
>https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
>
>Hope this helps,
>
>Nate.
>
>
>--------
>The Art of Access ®
>Nate Klingenstein | Principal
>https://www.signet.id/
>
>-----Original message-----
>From: Baron Fujimoto
>Sent: Monday, June 15 2020, 4:39 pm
>To: Shib Users
>Subject: Zoho Help SP claims no metadata
>
>Has anyone set up their IdP to interoperate with the Zoho SP? When I queried about their metadata, they responded, "Please be informed that we do not have possess any specific meta data. However, we will provide login/log out URL and default relay state (Request URL/Response URL)". This lack of metadata, and expectation of its non-availability is unique in our experience. They have some documentation on configuring SAML SSO for non-Shibboleth IdPs here:
>
><https://help.zoho.com/portal/en/kb/desk/for-administrators/user-access-and-security/articles/setting-up-saml-single-signon-for-help-center#How_SAML_Works>
>
>It looks like they are (probably?) referencing the sorts of data that would typically be incorporated into metadata, but deconstructed for GUI type admin interfaces.
>
>Is the SP's metadata not technically required per the standard? Wikipedia suggests it's required, but that's... Wikipedia, and I couldn't find something more authoritative.
--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
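Since the thread asks whether an IdP admin can hand-write SP metadata from the few values a vendor supplies (login URL, logout URL), here is an added example of doing exactly that and of reading the AssertionConsumerService endpoints back out; it is not code from the thread or from Zoho, and the entityID and URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace and binding URIs from the SAML 2.0 metadata/bindings specs.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("md", MD_NS)


def build_sp_metadata(entity_id, acs_url, slo_url=None):
    """Hand-build minimal SP metadata from what a vendor typically hands over:
    an entityID, a login (assertion consumer) URL and an optional logout URL.
    All values passed in by the caller are assumed/constructed, not Zoho's."""
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    spsso = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                          protocolSupportEnumeration=SAMLP,
                          AuthnRequestsSigned="false",
                          WantAssertionsSigned="true")
    # Deliberately no <md:KeyDescriptor>: without the SP's certificate the IdP
    # can neither verify signed AuthnRequests nor encrypt assertions for it.
    # Child order follows the SPSSODescriptor schema (SLO, NameIDFormat, ACS).
    if slo_url:
        ET.SubElement(spsso, f"{{{MD_NS}}}SingleLogoutService",
                      Binding=HTTP_REDIRECT, Location=slo_url)
    ET.SubElement(spsso, f"{{{MD_NS}}}NameIDFormat").text = NAMEID_UNSPEC
    # The vendor's "login URL" is the AssertionConsumerService: the endpoint the
    # IdP posts the SAML Response to, for SP-initiated and unsolicited SSO alike.
    ET.SubElement(spsso, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def acs_endpoints(metadata_xml):
    """Return [(binding, location, index)] for every ACS in a metadata document,
    so you can check what an SP actually published (or what you hand-wrote)."""
    root = ET.fromstring(metadata_xml)
    return [(acs.get("Binding"), acs.get("Location"), int(acs.get("index")))
            for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]


if __name__ == "__main__":
    print(build_sp_metadata("https://sp.example.org/shibboleth",       # constructed
                            "https://sp.example.org/saml/acs",         # constructed
                            "https://sp.example.org/saml/slo"))        # constructed
```

The resulting file can be loaded into a Shibboleth IdP with a FilesystemMetadataProvider; the ACS Location is also the endpoint an unsolicited SSO request must name (or default to) for the IdP to deliver the Response there.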