<html><body><div style="color:#000; background-color:#fff; font-family:arial, helvetica, sans-serif;font-size:12pt"><div><span>From the IdP:</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: arial, helvetica, sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: arial, helvetica, sans-serif; background-color: transparent; font-style: normal;"><span><span style="color: rgb(31, 73, 125); font-family: Calibri, sans-serif; font-size: 14.857142448425293px;">Hi Mike, we don’t actually use OIF for Learn. The Learn product has its own SAML solution, unrelated to OIF, and it’s only IdP-initiated.</span><br></span></div><div><br></div> <div style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial">
<hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Mike Flynn <shibbolethlynda@yahoo.com><br> <b><span style="font-weight: bold;">To:</span></b> Shib Users <users@shibboleth.net> <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, February 7, 2013 10:01 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: IdP initiated SSO<br> </font> </div> <br>
<div id="yiv570482358"><div><div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: arial, helvetica, sans-serif; font-size: 12pt;"><div><span>It's Oracle corporation doing this... I will ask about the version. There is no relaystate in the assertion.</span></div><div><br></div> <div style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Marc Boorshtein <mboorshtein@gmail.com><br> <b><span style="font-weight:bold;">To:</span></b> Shib Users <users@shibboleth.net> <br> <b><span style="font-weight:bold;">Sent:</span></b> Thursday, February 7, 2013 9:58 AM<br> <b><span style="font-weight:bold;">Subject:</span></b> Re: IdP initiated SSO<br> </font> </div> <br>
What version of OIF are they using? I've done several OIF deployments<br>and I've never heard of an OIF server that can't do SP initiated when<br>they're the IdP. Is there a RelayState parameter in the post?<br><br>Marc<br><br>On Thu, Feb 7, 2013 at 12:47 PM, Mike Flynn <<a rel="nofollow" ymailto="mailto:shibbolethlynda@yahoo.com" target="_blank" href="mailto:shibbolethlynda@yahoo.com">shibbolethlynda@yahoo.com</a>> wrote:<br>> I have a private fed trying to integrate to my Shib system. They are<br>> running Oracle as the IdP and claim they cannot support SP initiated SSO.<br>> All of the IdPs that I integrate with use SP initiated. I assume that<br>> all they should need to do is POST an assertion to my endpoint here:<br>><br>> <md:AssertionConsumerService<br>> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"<br>> Location="http://shib.lynda.com/Shibboleth.sso/SAML2/POST"
index="1"/><br>><br>>
They do that and get a 500 error on my servers and my logs show nothing.<br>> The assertion they sent is this:<br>><br>> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"<br>> Destination="<a rel="nofollow" target="_blank" href="https://shib.lynda.com/Shibboleth.sso/SAML2/POST">https://shib.lynda.com/Shibboleth.sso/SAML2/POST</a>"<br>> ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo=""<br>> IssueInstant="2013-02-07T17:05:41Z" Version="2.0"><br>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><br>> <SignedInfo><br>> <CanonicalizationMethod<br>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><br>> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><br>> <Reference URI="#uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45"><br>> <Transforms><br>> <Transform<br>>
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><br>> <Transform Algorithm="<a rel="nofollow" target="_blank" href="http://www.w3.org/2001/10/xml-exc-c14n#">http://www.w3.org/2001/10/xml-exc-c14n#</a>"/><br>> </Transforms><br>> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><br>> <DigestValue>C1fVRAnlLEWmsWgb4wKTpEEh84s=</DigestValue><br>> </Reference><br>> </SignedInfo><br>> <SignatureValue><br>> NRfFI3Aj4B8Erl2UFFToEyHhd3CCOXKhklIALutt+3MzuZR5H33uU2G4DpQCGlpHv+uTe2ejwiz+CUbP1CcsP0+U4KXMevp+60XS7HDW240fayX7sNpvipdW4ZCkTC387VNDPk3G2H6dNpkiosvkfLQc1aBQfjADgh/NWcBRvf/79ht2TSMm/ccl2VL8HngRBEkRRz146uW4XqLuzWWlWctv3GF//I6kqumLBuirUS9E39YxUopiPgqU5zpBp1vZWPiVUi5sYQ9nYZMz+ZfxW9trd1rcVPudsOaQzSHHiLz7FkH6KVywuzRC18KzaHQW0ljhVPbm3oZxNW8JyNrcqg==<br>> </SignatureValue><br>> </Signature><br>> <samlp:Status><br>>
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><br>> </samlp:Status><br>> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"<br>> ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95"<br>> IssueInstant="2013-02-07T17:05:41Z" Version="2.0"><br>> <saml:Issuer><a rel="nofollow" target="_blank" href="http://sapient.learn.com/">http://sapient.learn.com</a></saml:Issuer><br>> <saml:Subject><br>> <saml:NameID>LEARNSUPPORT</saml:NameID><br>> </saml:Subject><br>> <saml:Conditions NotBefore="2013-02-07T17:04:41Z"<br>> NotOnOrAfter="2013-02-07T17:10:41Z"><br>> <saml:AudienceRestriction/><br>> </saml:Conditions><br>> <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z"<br>> SessionNotOnOrAfter=""><br>> <saml:AuthnContext><br>> <saml:AuthnContextClassRef><br>>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<br>> </saml:AuthnContextClassRef><br>> </saml:AuthnContext><br>> </saml:AuthnStatement><br>> <saml:AttributeStatement><br>> <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eppn"><br>> <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue><br>> </saml:Attribute><br>> <saml:Attribute Name="urn:oid:2.5.4.3" FriendlyName="uid"><br>> <saml:AttributeValue>LEARNSUPPORT</saml:AttributeValue><br>> </saml:Attribute><br>> <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn"><br>> <saml:AttributeValue>Support</saml:AttributeValue><br>> </saml:Attribute><br>> <saml:Attribute Name="urn:oid:2.5.4.7" FriendlyName="l"><br>> <saml:AttributeValue/><br>> </saml:Attribute><br>> <saml:Attribute Name="urn:oid:2.5.4.42"
FriendlyName="givenName"><br>> <saml:AttributeValue>Learn</saml:AttributeValue><br>> </saml:Attribute><br>> <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"<br>> FriendlyName="mail"><br>> <saml:AttributeValue><a rel="nofollow" ymailto="mailto:CJohnson@Taleo.Com" target="_blank" href="mailto:CJohnson@Taleo.Com">CJohnson@Taleo.Com</a></saml:AttributeValue><br>> </saml:Attribute><br>> <saml:Attribute Name="urn:oid:2.5.4.101" FriendlyName="C"><br>> <saml:AttributeValue/><br>> </saml:Attribute><br>> <saml:Attribute Name="urn:oid:2.5.4.102" FriendlyName="UO"><br>> <saml:AttributeValue/><br>> </saml:Attribute><br>> <saml:Attribute Name="urn:oid:2.5.4.103" FriendlyName="Department"><br>> <saml:AttributeValue/><br>> </saml:Attribute><br>> </saml:AttributeStatement><br>> </saml:Assertion><br>>
</samlp:Response><br>><br>> Are my assumptions correct regarding POST to my endpoint as detailed above?<br>> Can anyone see an issue regarding the data in the assertion above? They<br>> asked about RelayState but that is only valid for SP initiated, correct?<br>><br>> --<br>> To unsubscribe from this list send an email to<br>> <a rel="nofollow" ymailto="mailto:users-unsubscribe@shibboleth.net" target="_blank" href="mailto:users-unsubscribe@shibboleth.net">users-unsubscribe@shibboleth.net</a><br><br><br> </div> </div> </div></div></div><br><br> </div> </div> </div></body></html>
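The checks a SAML consumer applies to an unsolicited (IdP-initiated) Response, run over the Response quoted in the thread, as an added example that is not part of the thread and not Shibboleth's own code. It assumes an SP entityID of https://shib.lynda.com/shibboleth (the thread never states it) and takes the ACS Location from the SP metadata quoted above (http://, whereas the posted Destination says https://). The posted sample is the quoted Response with its Signature and AttributeStatement trimmed; the second, constructed copy has each reported problem corrected so the checker returns an empty list. Signature verification is deliberately left out, since the SP does that against the IdP's metadata.

```python
"""Pre-flight checks for an unsolicited (IdP-initiated) SAML 2.0 Response. Added example, not code
from the thread or from Shibboleth; signature verification is left to the SP and its metadata."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Assumed: the SP entityID is not in the thread. The ACS Location is the one in the SP
# metadata quoted there (http, while the posted Destination says https).
SP_ENTITY_ID = "https://shib.lynda.com/shibboleth"
ACS_LOCATION = "http://shib.lynda.com/Shibboleth.sso/SAML2/POST"

# Constructed sample: the quoted Response with Signature and AttributeStatement trimmed;
# every attribute the checks look at is verbatim from the thread.
POSTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 Destination="https://shib.lynda.com/Shibboleth.sso/SAML2/POST"
 ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" InResponseTo="" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
  <saml:Issuer>http://sapient.learn.com</saml:Issuer><saml:Subject><saml:NameID>LEARNSUPPORT</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z"><saml:AudienceRestriction/></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z" SessionNotOnOrAfter=""><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""

# Constructed: the same Response with every finding reported below corrected.
FIXED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 Destination="http://shib.lynda.com/Shibboleth.sso/SAML2/POST"
 ID="uuid-DFB29937-C47F-4DD0-81EC-FF6579E8AC45" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="uuid-1323F186-A065-4588-B5C4-37B12E3BEC95" IssueInstant="2013-02-07T17:05:41Z" Version="2.0">
  <saml:Issuer>http://sapient.learn.com</saml:Issuer><saml:Subject><saml:NameID>LEARNSUPPORT</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="http://shib.lynda.com/Shibboleth.sso/SAML2/POST" NotOnOrAfter="2013-02-07T17:10:41Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2013-02-07T17:04:41Z" NotOnOrAfter="2013-02-07T17:10:41Z">
   <saml:AudienceRestriction><saml:Audience>https://shib.lynda.com/shibboleth</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-02-07T17:05:41Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """UTC xs:dateTime as SAML writes it; None when absent or malformed (e.g. the empty string)."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def check_unsolicited_response(xml_text, sp_entity_id, acs_location, now):
    """Return the Web Browser SSO profile violations found; [] means the Response passes."""
    out, resp = [], ET.fromstring(xml_text)
    # An unsolicited Response MUST NOT carry InResponseTo; "" is not even a valid NCName.
    if "InResponseTo" in resp.attrib:
        out.append("InResponseTo=%r present; omit it for IdP-initiated SSO" % resp.get("InResponseTo"))
    # Destination must equal the ACS endpoint byte for byte, scheme included.
    if resp.get("Destination") != acs_location:
        out.append("Destination %r != ACS %r" % (resp.get("Destination"), acs_location))
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return out + ["Response carries no Assertion"]
    # The profile requires a bearer SubjectConfirmation whose Recipient is the ACS and which is unexpired.
    bearer = [c.find("saml:SubjectConfirmationData", NS) for c in
              assertion.findall("saml:Subject/saml:SubjectConfirmation", NS) if c.get("Method") == BEARER]
    if not bearer:
        out.append("no bearer SubjectConfirmation")
    for data in bearer:
        noa = parse_saml_time(data.get("NotOnOrAfter")) if data is not None else None
        if data is None or data.get("Recipient") != acs_location:
            out.append("bearer SubjectConfirmationData missing or Recipient != ACS")
        elif noa is None or now >= noa:
            out.append("bearer confirmation expired or lacks a valid NotOnOrAfter")
    # Any dateTime attribute that is present must parse; SessionNotOnOrAfter="" does not.
    for stmt in assertion.findall("saml:AuthnStatement", NS):
        for attr in ("AuthnInstant", "SessionNotOnOrAfter"):
            if attr in stmt.attrib and parse_saml_time(stmt.get(attr)) is None:
                out.append("AuthnStatement/@%s=%r is not a valid dateTime" % (attr, stmt.get(attr)))
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return out + ["no Conditions (the profile requires an AudienceRestriction)"]
    nb, noa = parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))
    if (nb is not None and now < nb) or (noa is not None and now >= noa):
        out.append("now is outside the assertion's NotBefore/NotOnOrAfter window")
    # AudienceRestriction must name the SP's entityID; an empty one (no Audience) is schema-invalid.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        out.append("AudienceRestriction %r does not name %r" % (audiences, sp_entity_id))
    return out


if __name__ == "__main__":
    for label, doc in (("posted", POSTED_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, check_unsolicited_response(doc, SP_ENTITY_ID, ACS_LOCATION, parse_saml_time("2013-02-07T17:05:41Z")) or "OK")
```

Run as-is, the posted Response produces five findings (the empty InResponseTo, the http/https Destination mismatch, the missing bearer SubjectConfirmation, the empty SessionNotOnOrAfter, and the AudienceRestriction without an Audience) and the corrected copy produces none at its IssueInstant; re-running the corrected copy with a later `now` reports only the expiry of the bearer confirmation and of the assertion. Two caveats for the integration itself: RelayState is not limited to SP-initiated flows, in an unsolicited Response it carries the URL the SP should send the browser to once the session exists; and the checker says nothing about the 500 in the thread, it only lists what a profile-conformant consumer would reject before any signature check.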