Question re: skipEndpointValidationWhenSigned

Jeffrey Williams jfwillia at uncg.edu
Tue May 26 14:47:45 UTC 2020


I have a vendor whose SP does not include the endpoint for our instance
during endpoint resolution.  It provides the endpoints for other customers,
just not ours.  As such, Shibboleth 3.3.3 dutifully stops the login process
and logs the reason why:

2020-05-05 17:40:06,324 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:220] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Returning 2 candidate endpoints of type {urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService
2020-05-05 17:40:06,324 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:126] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location 'https://app.chromeriver.com/login/sso/saml/consume?customerId=527' nor response location 'null' matched 'https://app.ca1.chromeriver.com/login/sso/saml/consume?customerId=833'
2020-05-05 17:40:06,324 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:126] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: Neither candidate endpoint location 'https://app.chromeriver.com/login/sso/saml/consume?customerId=514' nor response location 'null' matched 'https://app.ca1.chromeriver.com/login/sso/saml/consume?customerId=833'
2020-05-05 17:40:06,324 - DEBUG [org.opensaml.saml.common.binding.AbstractEndpointResolver:130] - Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver: No candidate endpoints met criteria
2020-05-05 17:40:06,325 - WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:410] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party 'http://www.chromeriver.com': EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, Binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, Location=https://app.ca1.chromeriver.com/login/sso/saml/consume?customerId=833, trusted=false]
2020-05-05 17:40:06,351 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: EndpointResolutionFailed

Both the vendor's tech support and I agree that the endpoint in the
metadata is correct, but the SP is not listing it back to the IdP for
reasons unknown. I'd much rather have the SP send back the expected
endpoint, but if it doesn't, is there an advisable configuration on the IdP
side that would help?

-- 
Jeffrey Williams
Identity Engineer
Identity & Access Services
https://its.uncg.edu
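The log above shows the IdP comparing the AssertionConsumerServiceURL carried in the AuthnRequest (customerId=833) against the two ACS endpoints the SP's metadata actually declares (customerId=527 and 514) and failing because none is an exact match. The following is an added, simplified model of that resolution step and of what a "skip validation when the request is signed" relaxation changes; it is illustration code written for this thread, not OpenSAML or Shibboleth code, and the function names, the `trusted` flag semantics and the constructed metadata are assumptions modelled on the log lines rather than on the real implementation.

```python
"""Simplified model of SAML AssertionConsumerService endpoint resolution.

Added illustration for the thread above, NOT Shibboleth/OpenSAML code.
It models the check visible in the log: the ACS URL named in the
AuthnRequest must equal the Location (or ResponseLocation) of an
endpoint of the right type and binding in the SP's metadata. Exact
string comparison is an assumption drawn from the log wording.
"""
from dataclasses import dataclass
from typing import List, Optional

ACS = "{urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


@dataclass(frozen=True)
class Endpoint:
    type_: str
    binding: str
    location: str
    response_location: Optional[str] = None


@dataclass
class Resolution:
    endpoint: Optional[Endpoint]
    trusted: bool      # True only when the endpoint came from SP metadata
    reason: str


# Constructed SP metadata mirroring the two candidates in the log, plus a
# Redirect-binding endpoint that must be filtered out by binding even
# though its location matches the request (constructed sample data).
REQUESTED = "https://app.ca1.chromeriver.com/login/sso/saml/consume?customerId=833"
CANDIDATES: List[Endpoint] = [
    Endpoint(ACS, HTTP_POST, "https://app.chromeriver.com/login/sso/saml/consume?customerId=527"),
    Endpoint(ACS, HTTP_POST, "https://app.chromeriver.com/login/sso/saml/consume?customerId=514"),
    Endpoint(ACS, HTTP_REDIRECT, REQUESTED),
]


def resolve_acs(candidates: List[Endpoint], requested_location: str, binding: str,
                request_signed: bool, skip_when_signed: bool = False) -> Resolution:
    """Pick the ACS endpoint an assertion may be sent to.

    Metadata is the source of truth; a location supplied by the request
    is only accepted when no metadata match exists, the request's
    signature was already verified, and the operator opted in.
    """
    # Step 1: keep only endpoints of the requested type and binding
    # (the log reports "Returning 2 candidate endpoints" after this step).
    usable = [ep for ep in candidates if ep.type_ == ACS and ep.binding == binding]

    # Step 2: require an exact match on Location or ResponseLocation.
    for ep in usable:
        if requested_location in (ep.location, ep.response_location):
            return Resolution(ep, True, "endpoint matched SP metadata")

    # Step 3: optional relaxation. The endpoint is then dictated by the
    # request, so it is marked untrusted; this is only defensible when the
    # SP's request-signing key is itself trusted via metadata.
    if request_signed and skip_when_signed:
        return Resolution(Endpoint(ACS, binding, requested_location), False,
                          "unverified endpoint accepted: AuthnRequest signature verified")

    return Resolution(None, False, "EndpointResolutionFailed: no candidate endpoints met criteria")


def explain(resolution: Resolution) -> str:
    """Render a one-line summary for a log or ticket."""
    where = resolution.endpoint.location if resolution.endpoint else "<none>"
    return f"endpoint={where} trusted={str(resolution.trusted).lower()} ({resolution.reason})"


if __name__ == "__main__":
    # Same request as in the log: unsigned, strict validation -> failure.
    print(explain(resolve_acs(CANDIDATES, REQUESTED, HTTP_POST, request_signed=False)))
    # Signed request with the relaxation enabled -> proceeds, but untrusted.
    print(explain(resolve_acs(CANDIDATES, REQUESTED, HTTP_POST,
                              request_signed=True, skip_when_signed=True)))
```

Running it reproduces the failure from the log for the unsigned request, shows that the relaxation only applies when the request signature has been verified, and keeps the resulting endpoint flagged untrusted so that the decision is visible in whatever you log or audit. The practical takeaway for the IdP side is that the relaxation shifts trust from the metadata to the SP's signing key, so it belongs only on a relying-party override for this one SP, never in the global defaults.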