IdP initiated SSO SP configuration help

Derek Ricciardi dricciardi at mhvfcu.com
Thu Oct 28 18:10:40 UTC 2021


Hello,

I'm having some trouble configuring my Shibboleth SP for use with IdP initiated SSO. This is the IdP's metadata:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="bpjyTajR3wad3ssQLvH9t51OE8_" cacheDuration="PT1440M" entityID="pfd.digitalinsight.com">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate> ...snip... </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1: </md:NameIDFormat>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="XML_DATA" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="USER_ID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="FI_ID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="KEEP_ALIVE_URL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>

</md:IDPSSODescriptor>
<md:ContactPerson contactType="administrative">...snip...
</md:ContactPerson>
</md:EntityDescriptor>

You can see it has no SingleSignOnService node so it fails validation. I've added a dummy node and loaded the metadata locally, but Shibboleth tries to use that dummy node to log on, rather than the incoming session from the IdP. I also believe I should be using encryption, which their metadata makes no mention of...so I'm not sure it's correct at all. Below is an example SAML request from the IdP:

<samlp:Response Destination="...snip..."
    ID="pwNA20Jgy1UJs63nFHh4Q_GWUeP" IssueInstant="2021-10-28T16:08:56.907Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">pfd.digitalinsight.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#pwNA20Jgy1UJs63nFHh4Q_GWUeP">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>...snip...</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
            ...snip...
        </ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
                    ...snip...
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
                    <xenc:CipherData>
                        <xenc:CipherValue>...snip...</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>...snip...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAssertion>
</samlp:Response>


I've configured Shibboleth with the correct signing and encryption certificates and I don't receive any errors anywhere that I can see. But rather than logon attempts in the transaction.log this is all I get:

2021-10-28 17:42:19|Shibboleth-TRANSACTION.AuthnRequest|||pfd.digitalinsight.com||||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||||||

Any ideas what my configuration should look like for this IdP? Or is the problem with their metadata?


Derek Ricciardi
Software Development Architect
Mid-Hudson Valley Federal Credit Union
1099 Morton Blvd, Kingston, NY  12401
845-336-4444 X4909
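An added check (example code, not from the post, the IdP, or the Shibboleth project) that parses an IdP's metadata and one of its Responses and lists the gaps the post describes: the missing SingleSignOnService endpoint, and an encrypted assertion that IdP metadata need not mention, because the assertion is encrypted to the SP's own certificate, which lives in the SP's metadata. The two XML inputs are constructed to mirror the posted snippets, with certificate and cipher values replaced by placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "xenc": "http://www.w3.org/2001/04/xmlenc#"}

# Constructed inputs mirroring the posted metadata and Response; secrets are placeholders.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="pfd.digitalinsight.com"><md:IDPSSODescriptor
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:X509Data><ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
 </ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="r1" Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">pfd.digitalinsight.com</saml:Issuer>
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:SignatureMethod
  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod
  Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/></xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

def describe_idp(metadata_xml):
    """Endpoints and key uses that the IdP metadata advertises to an SP."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    uses = {k.get("use", "both") for k in idp.findall("md:KeyDescriptor", NS)}
    return {"entityID": root.get("entityID"), "sso": sso, "key_uses": uses}

def describe_response(response_xml):
    # Issuer, signature algorithm and assertion-encryption algorithm of one Response.
    r = ET.fromstring(response_xml)
    sig = r.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    enc = r.find("saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod", NS)
    return {"issuer": r.findtext("saml:Issuer", namespaces=NS),
            "sig_alg": sig.get("Algorithm") if sig is not None else None,
            "enc_alg": enc.get("Algorithm") if enc is not None else None}

def findings(idp, resp):
    """Gaps between what the metadata declares and what the IdP actually sends."""
    out = []
    if resp["issuer"] != idp["entityID"]:
        out.append("Issuer does not match the metadata entityID")
    if not idp["sso"]:
        out.append("no SingleSignOnService: the SP cannot start a login; only unsolicited (IdP-initiated) Responses can work")
    if resp["sig_alg"] and not idp["key_uses"] & {"signing", "both"}:
        out.append("Response is signed but the metadata carries no signing key")
    if resp["enc_alg"]:
        out.append("assertion is encrypted to the SP's key: that certificate belongs in the SP's metadata, not the IdP's")
    return out
```

Run `findings(describe_idp(METADATA), describe_response(RESPONSE))` to get the two findings for the posted case; the same functions work on any IdP metadata file and captured Response.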