Ex: Re: authnrequest with no ACS info

Paul B. Henson henson at cpp.edu
Fri Oct 28 01:24:24 UTC 2022


> From: Cantor, Scott <cantor.2 at osu.edu>
> Sent: Thursday, October 27, 2022 4:20 PM
> 
> It's quite unlikely you need to do anything but fix their metadata and correct
> the binding. I doubt they know or care what's going on, and their code is either
> expecting POST or so broken it handles either and won't know the difference.

If you don't make them fix their broken stuff, what happens to the next poor guy that they are broken with who can't figure out why 8-/?

So I updated their metadata in place locally just to see if that would make it work, and ran into the next issue:

2022-10-27 18:14:36,612 - 10.104.223.94/node01v06lsk8qup721i63b799zqy2x610849 - WARN [net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext:425] - Delegation token issuance was requested (required), but disallowed by policy
2022-10-27 18:14:36,613 - 10.104.223.94/node01v06lsk8qup721i63b799zqy2x610849 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidSecurityConfiguration

They are including the idp entity ID in the authentication request as part of the audience, which triggers delegation:

        <saml:AudienceRestriction>
            <saml:Audience>https://idp.cpp.edu/idp/shibboleth</saml:Audience>
            <saml:Audience>https://v2-dev.jdxpert.com/</saml:Audience>
        </saml:AudienceRestriction>

but delegation is disabled by default, and based on my limited understanding that it is intended to provide the remote entity the ability to access resources with the credentials of the identity authenticated, I don't particularly think I want to turn it on for this application :(, which has no business doing so.

So unless I am mistaken, I guess I need to yell at them both about their invalid ACS binding and about their request for a delegated token?

Thanks…
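As an added example (not code from the thread, from Shibboleth, or from the SP vendor): a short Python check that flags a received AuthnRequest whose AudienceRestriction names the IdP's own entityID, the condition that produced the PopulateDelegationContext warning above. The sample request, the SP issuer and the IdP entityID are constructed placeholders.

```python
# Added example: flag a SAML 2.0 AuthnRequest that lists the IdP's own entityID
# as an Audience, which the Shibboleth IdP treats as a request for a delegation
# token (denied by default policy, as the log lines in the thread show).
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def audience_findings(authn_request_xml: str, idp_entity_id: str) -> dict:
    """Return the request's issuer and audiences, and whether the IdP is named."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    audiences = [
        (a.text or "").strip()
        for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS
        )
    ]
    return {
        "issuer": issuer,
        "audiences": audiences,
        # The IdP naming itself as an audience is what triggers delegation.
        "requests_delegation": idp_entity_id in audiences,
        # Anything beyond the SP itself and the IdP deserves a look too.
        "extra_audiences": [a for a in audiences if a not in (idp_entity_id, issuer)],
    }


# Constructed sample modelled on the snippet quoted in the thread (placeholder hosts).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0"
    IssueInstant="2022-10-27T18:14:36Z">
  <saml:Issuer>https://sp.example.org/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://idp.example.edu/idp/shibboleth</saml:Audience>
      <saml:Audience>https://sp.example.org/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(audience_findings(SAMPLE_REQUEST, "https://idp.example.edu/idp/shibboleth"))
```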
