Shibboleth SP3 is not doing POST

Mak, Steve makst at upenn.edu
Thu Mar 26 08:07:05 EDT 2020


Add this to your <SSO> element: outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

This assumes that the IdP metadata you have has an HTTP-POST SSO Service.

From: users <users-bounces at shibboleth.net> on behalf of uraikwar <umesh.raikwar at gmail.com>
Reply-To: Shib Users <users at shibboleth.net>
Date: Thursday, March 26, 2020 at 05:57
To: "users at shibboleth.net" <users at shibboleth.net>
Subject: Shibboleth SP3 is not doing POST

We have an SP-initiated SSO setup for our product which combines Shibboleth SP3 and PingFed IdP. Everything works fine. We are using Shibboleth v3.0.2. Now there is a change in requirements: we need to show a message to the user before redirecting to the IdP login page and, after successful authentication, before redirecting to the originating product URL. As per the Shibboleth SP3 documentation at https://wiki.shibboleth.net/confluence/display/SP3/ConfigurationFileSummary, it seems that customizing bindingTemplate.html and postTemplate.html can solve my problem. However, it needed to change the SAML artifact binding to use POST rather than a redirect. As per the documentation found at https://wiki.shibboleth.net/confluence/display/SP3/SSO, postArtifact="true" can change the behaviour. However, after making these changes in shibboleth2.xml, there is no change in behaviour. The SP is still doing a redirect to the IdP, and bindingTemplate.html and postTemplate.html are not coming into the picture. This is my shibboleth2.xml:

<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    clockSkew="180">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />

    <ApplicationDefaults entityID="PLM-QA-TYPE"
        REMOTE_USER="uid eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http" postTemplate="postTemplate.html">

            <SSO entityID="https://entityid.com" postArtifact="true" template="bindingTemplate.html"
                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
                SAML2
            </SSO>

            <Logout>SAML2 Local</Logout>

            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

        </Sessions>

        <Errors supportContact="root at localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <CredentialResolver type="File" use="signing"
            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>

        <CredentialResolver type="File" use="encryption"
            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>

    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>
Here, I added postTemplate="postTemplate.html" and postArtifact="true" template="bindingTemplate.html" to the existing configuration. Can someone help me identify what I am doing wrong? Thanks in advance.
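The reply's caveat is that forcing outgoingBindings to HTTP-POST only works if the IdP's metadata advertises an HTTP-POST SingleSignOnService endpoint for that entityID. The check below is an added example, not code from this thread or from the Shibboleth project: it parses a constructed shibboleth2.xml fragment carrying the recommended outgoingBindings attribute and a constructed idp-metadata.xml, and reports, for each outgoing binding, whether the IdP supports it and which one the SP would end up using. It assumes that outgoingBindings is a space-separated list in preference order and that the SP sends the AuthnRequest with the first listed binding the IdP's metadata supports; the entityID and endpoint Location values are placeholders.

```python
"""Pre-flight check for forcing HTTP-POST on SP-initiated SSO.

Added example, not code from the Shibboleth project or from this thread.
Assumptions: the SP's <SSO> element (namespace urn:mace:shibboleth:3.0:native:sp:config)
takes outgoingBindings as a space-separated list of binding URIs in preference
order, the SP uses the first listed binding that the IdP's metadata advertises,
and the IdP metadata is a SAML 2.0 <EntityDescriptor> with <SingleSignOnService>
endpoints under <IDPSSODescriptor>. Entity IDs and locations are placeholders.
"""
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
IDP_ENTITY_ID = "https://entityid.com"  # placeholder, as in the question


def sp_config(*bindings):
    """Constructed shibboleth2.xml fragment: the question's <SSO> element plus
    the outgoingBindings attribute from the reply. postArtifact is left out;
    it concerns the artifact binding, not whether the AuthnRequest is POSTed."""
    return f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="PLM-QA-TYPE">
    <Sessions postTemplate="postTemplate.html">
      <SSO entityID="{IDP_ENTITY_ID}"
           outgoingBindings="{' '.join(bindings)}"
           template="bindingTemplate.html">
        SAML2
      </SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""


def idp_metadata(*bindings):
    """Constructed idp-metadata.xml advertising the given SSO bindings."""
    endpoints = "\n".join(
        f'    <md:SingleSignOnService Binding="{b}" Location="{IDP_ENTITY_ID}/idp/SSO.saml2"/>'
        for b in bindings)
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
{endpoints}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_sso_settings(sp_xml):
    """Return (IdP entityID, outgoing bindings in preference order) from <SSO>.
    An empty list means outgoingBindings is absent and the SP falls back to its
    own default preference among whatever the IdP advertises."""
    sso = ET.fromstring(sp_xml).find(f".//{{{SP_NS}}}SSO")
    if sso is None:
        raise ValueError("no <SSO> element in SP config")
    return sso.get("entityID"), sso.get("outgoingBindings", "").split()


def idp_sso_bindings(metadata_xml, entity_id):
    """Return the set of SSO binding URIs the named IdP advertises."""
    root = ET.fromstring(metadata_xml)
    ed_tag = f"{{{MD_NS}}}EntityDescriptor"
    # Metadata may be a single EntityDescriptor or an aggregate EntitiesDescriptor.
    entities = [root] if root.tag == ed_tag else root.iter(ed_tag)
    for ent in entities:
        if ent.get("entityID") == entity_id:
            return {s.get("Binding") for s in
                    ent.findall(f"{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleSignOnService")}
    raise ValueError(f"entityID {entity_id} not found in metadata")


def check_outgoing_bindings(sp_xml, metadata_xml):
    """Map each outgoing binding (in preference order) to whether the IdP advertises it."""
    entity_id, outgoing = sp_sso_settings(sp_xml)
    advertised = idp_sso_bindings(metadata_xml, entity_id)
    return {b: b in advertised for b in outgoing}


def selected_binding(sp_xml, metadata_xml):
    """First binding in outgoingBindings order that the IdP supports, or None
    (None means the SP has no endpoint to send the AuthnRequest to)."""
    return next((b for b, ok in check_outgoing_bindings(sp_xml, metadata_xml).items() if ok), None)


if __name__ == "__main__":
    cases = [
        (sp_config(HTTP_POST), idp_metadata(HTTP_REDIRECT, HTTP_POST)),   # POST forced, IdP has it
        (sp_config(HTTP_POST), idp_metadata(HTTP_REDIRECT)),              # POST forced, IdP lacks it
        (sp_config(HTTP_POST, HTTP_REDIRECT), idp_metadata(HTTP_REDIRECT)),  # POST preferred, Redirect fallback
    ]
    for sp, idp in cases:
        print(check_outgoing_bindings(sp, idp), "->", selected_binding(sp, idp))
```

To run this against a real deployment, read the live shibboleth2.xml and idp-metadata.xml in place of the constructed strings. The binding template only renders when the SP actually sends the AuthnRequest by HTTP-POST, so an outgoingBindings list of HTTP-POST alone against an IdP that advertises only HTTP-Redirect leaves the SP with no usable endpoint; listing HTTP-Redirect after it as a fallback keeps login working but means the template will not appear in that case.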


