OpenSAML user discussion

["Pantvaidya, Vishwajit" <>]

Thanks Brent. Back from vacation and fresh, I tried with the changed URL 
based on your suggestions and I was able to receive the response from 
testshib on my server. Now I will try to run it through the entire logic and 
see how that goes.


- Vish.

> -----Original Message-----
> From: Pantvaidya, Vishwajit 
> [mailto:]
> Sent: Thursday, December 04, 2008 9:12 PM
> To: 
> 
> Subject: RE: [OpenSAML] Testing SAML relying party browser post profile
>
>
>
> > -----Original Message-----
> > From: Brent Putman 
> > [mailto:]
> > Sent: Wednesday, December 03, 2008 8:44 PM
> >
> > I'd suggest getting rid of all but one of those, just to avoid
> > confusion.  I think you can delete your own entries via the "Edit"
>
> [Pantvaidya, Vishwajit] I deleted the 2 TestShib2 profiles.
>
> >
> > Pantvaidya, Vishwajit wrote:
> > > Thanks. Based on this, I tried the following browser requests:
> > >
> > >
> >
> https://idp.testshib.org/idp/profile/Shibboleth/SSO?providerId=https%3A%2F
> >
> %2Fvishsjlaptop.selectica.com%2Fshibboleth%2Ftestshib%2Fsp&shire=http%3A%2
> > F%2Fvishsjlaptop.selectica.com&target=login.jsp
> > > (i.e.
> > providerId=https://vishsjlaptop.selectica.com/shibboleth/testshib/sp,
> > shire=http://vishsjlaptop.selectica.com/, target=login.jsp)
> > >
> >
> > Yeah, your shire parameter there isn't correct, or at least doesn't jibe
> > with metadata.  That should:
> > 1) be the endpoint to which the POST profile will post the SAML
> > response.  Don't know what that is in your app.  Maybe
> > http://vishsjlaptop.selectica.com/ is correct, but that looks a little
> > suspect.  Probably should be a explicit path there.
>
> [Pantvaidya, Vishwajit] The endpoint is correct - that's where my Sp is
> available. I think I have forgotten the login.jsp at the end. I will add
> that.
>
> > 2) it needs to match one of the AssertionConsumerService endpoints for
> > the Browser POST binding in your metadata entry.  Find the effective
> > metadata entry that you are using (easier if you get rid of all but one
> > of them) and in your EntityDescriptor/AssertionConsumerService entries'
> > Location attribute, make sure they match your SP implementation's
> > endpoint.  The default values that are generated are for a Shibboleth
> > SP, certainly not the same as your SP.  Here's what one of your entries
> > has, for example
> >
> >
> >             <md:AssertionConsumerService
> >                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-
> > post"
> >
> > Location="https://vishsjlaptop.selectica.com/Shibboleth.sso/SAML/POST";
> > index="6"/>
> >             <md:AssertionConsumerService
> >                 Binding="urn:oasis:names:tc:SAML:1.1:profiles:browser-
> > post"
> >
> > Location="http://vishsjlaptop.selectica.com/Shibboleth.sso/SAML/POST";
> > index="7"/>
> >
>
> [Pantvaidya, Vishwajit] Didn't know that testshib adds that at the end.
> Thanks. I will edit that to match my SP. Will let you know how that goes.