authnrequest with no ACS info
Paul B. Henson
henson at cpp.edu
Thu Oct 27 22:47:14 UTC 2022
So I'm trying to get a new integration going with a company that clearly doesn't have much experience with SAML; the first hurdle was trying to explain to them why they could not issue a GET request to the POST binding <sigh>. After that the ad hoc metadata provided was not schema compliant:
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.b: The content of element 'md:Organization' is not complete. One of '{"urn:oasis:names:tc:SAML:2.0:metadata":OrganizationName, "urn:oasis:names:tc:SAML:2.0:metadata":OrganizationDisplayName}' is expected.
Once I fixed that locally, the next issue I've run into is that they are not specifying an ACS URL or index in the authentication request:
<samlp:AuthnRequest xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="idf10332cd3cd5496abe98beacb566c16e"
    Version="2.0"
    IssueInstant="2022-10-27T22:27:30.3067903Z"
    Destination="https://idp.cpp.edu/idp/profile/SAML2/Redirect/SSO"
    IsPassive="false"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    >
  <saml:Issuer>https://v2-dev.jdxpert.com/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://idp.cpp.edu/idp/shibboleth</saml:Audience>
      <saml:Audience>https://v2-dev.jdxpert.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</samlp:AuthnRequest>
The idp is barfing with the error:
2022-10-27 15:27:30,571 - 10.104.223.94/node01jjw0xrby5vg8lklg390nh7b2590633 - WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:420] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party 'https://v2-dev.jdxpert.com/': EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, trusted=false]
I was going to go yell at them about that being missing, but after double checking the schema, the AssertionConsumerServiceIndex and AssertionConsumerServiceURL attributes are both marked as optional. I'm assuming whatever they are doing probably works with <random goofy commercial service>, so before I tell them they are doing something wrong I'd like to confirm the expected behavior in the scenario. They do have an ACS URL in their metadata:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cpp.jdxpert.com/Saml20.Signon.asmx" index="0" isDefault="true" />
Is their expectation that if they do not explicitly list one in the authentication request the IDP should just use the default one from the metadata? Is that something the idp doesn't do, or another issue somewhere making that not work?
Thanks much...
--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | henson at cpp.edu
California State Polytechnic University | Pomona CA 91768
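Added example (not part of the original message, and not Shibboleth IdP code): the endpoint-resolution rule the question is about, as SAML 2.0 Core section 3.4.1 and the Web Browser SSO profile state it. When an AuthnRequest carries neither AssertionConsumerServiceIndex nor AssertionConsumerServiceURL, the IdP is supposed to fall back to the SP's default ACS from metadata (isDefault="true", otherwise the lowest index); when it carries a URL, that URL must match a metadata endpoint before an unsigned request is trusted to redirect the response there. Separately, the Web Browser SSO profile only permits the IdP to return a <Response> over the HTTP-POST or HTTP-Artifact binding, so an ACS advertised with the HTTP-Redirect binding can never be selected. The code below walks both cases over constructed metadata: a request with no ACS information against metadata whose only ACS uses HTTP-Redirect (the shape shown in the post), and the same request against metadata whose ACS uses HTTP-POST. All hostnames, entityIDs and the metadata/request documents are made up for the example.

```python
# Added illustration of SAML 2.0 ACS endpoint resolution (Core 3.4.1,
# Web Browser SSO profile). Not Shibboleth IdP code; samples are constructed.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
# The profile lets the IdP deliver a <Response> only over POST or Artifact.
RESPONSE_BINDINGS = {POST, ARTIFACT}


class EndpointResolutionError(Exception):
    """No usable AssertionConsumerService could be resolved for the request."""


def parse_acs_endpoints(sp_metadata_xml):
    """Return the <md:AssertionConsumerService> entries of SP metadata as dicts."""
    root = ET.fromstring(sp_metadata_xml)
    return [
        {
            "binding": el.get("Binding"),
            "location": el.get("Location"),
            "index": int(el.get("index")),
            "is_default": el.get("isDefault", "false").lower() == "true",
        }
        for el in root.iterfind(".//md:AssertionConsumerService", NS)
    ]


def resolve_acs(authn_request_xml, sp_metadata_xml):
    """Pick the ACS the IdP should send the Response to.

    1. AssertionConsumerServiceIndex given -> endpoint with that index.
    2. AssertionConsumerServiceURL given   -> must match a metadata endpoint
       (and ProtocolBinding, if also given); never trust an unlisted URL.
    3. Neither given -> the SP's default: isDefault="true", else lowest index.
    Endpoints whose binding cannot carry a Response are ignored throughout.
    """
    req = ET.fromstring(authn_request_xml)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise EndpointResolutionError("not an AuthnRequest: %s" % req.tag)

    usable = [e for e in parse_acs_endpoints(sp_metadata_xml)
              if e["binding"] in RESPONSE_BINDINGS]
    index = req.get("AssertionConsumerServiceIndex")
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")

    if index is not None:
        matches = [e for e in usable if e["index"] == int(index)]
    elif url is not None:
        matches = [e for e in usable if e["location"] == url
                   and (binding is None or e["binding"] == binding)]
    else:
        defaults = [e for e in usable if e["is_default"]]
        matches = defaults or sorted(usable, key=lambda e: e["index"])[:1]

    if not matches:
        raise EndpointResolutionError(
            "no usable AssertionConsumerService for index=%r url=%r binding=%r"
            % (index, url, binding))
    return matches[0]


# Constructed request with no ACS index or URL, the shape shown in the post.
REQUEST_NO_ACS = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2022-10-27T22:27:30Z"
    Destination="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO">
  <saml:Issuer>https://sp.example.org/</saml:Issuer>
</samlp:AuthnRequest>"""

ACS_LOCATION = "https://sp.example.org/Saml20.Signon.asmx"  # constructed


def sp_metadata(acs_binding):
    """Constructed SP metadata with a single default ACS using acs_binding."""
    return """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="%s" Location="%s" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (acs_binding, ACS_LOCATION)


def demo():
    """Run the three cases a practitioner cares about; return a summary dict."""
    out = {}
    for name, request, metadata in (
        ("redirect_only", REQUEST_NO_ACS, sp_metadata(REDIRECT)),
        ("post_default", REQUEST_NO_ACS, sp_metadata(POST)),
        ("unlisted_url", REQUEST_NO_ACS.replace(
            'Version="2.0"',
            'Version="2.0" AssertionConsumerServiceURL="https://attacker.example.net/acs"'),
         sp_metadata(POST)),
    ):
        try:
            out[name] = resolve_acs(request, metadata)["location"]
        except EndpointResolutionError as exc:
            out[name] = "error: %s" % exc
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-14s -> %s" % (case, result))
```

The first case fails for the same structural reason the IdP log in the post reports an unresolvable AssertionConsumerService endpoint: the default ACS is the only candidate, and its binding is one a Response cannot use. The second case resolves to the default ACS without any ACS information in the request. The third case refuses a URL that is not in metadata, which is why the SP's metadata, not the request, is what an IdP trusts for unsigned requests.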