
shibboleth-dev - psu problems

Subject: Shibboleth Developers

  • From: Walter Hoehn <>
  • To:
  • Subject: psu problems
  • Date: Fri, 19 Jul 2002 15:10:25 -0400

Hey guys and girls,

I spent some time troubleshooting the problems that psu has been having. The admin arp that comes with alpha-2 is set to allow any SHAR to request attributes for any url whose hostname ends in .edu. Webassign does not meet these criteria, so it was getting an assertion with 0 attributes.

There is a problem currently with the way that arp rules are being selected that prevents any arp from being used other than the "no matching shar" rule. The AA depends on the SAMLBinding to tell it which SHAR the request is coming from. It uses this information to decide which is the most appropriate arp for the current request. The code in the SAMLSOAPBinding class that populates the sharname based on looking at the client cert is commented out right now. The result is that for every request, no matter what the SHAR, a SHAR of null is used. This triggers a fallback to the "default" rule.

There are a couple of problems here, I think. SAMLSOAPBinding needs to populate the sharname, but I am also not convinced that it is best for the AA to proceed at this point. It seems better to me to signal an error if the shar name cannot be determined.

As a workaround, I gave psu an arp that adds *.webassign.net to their "default" admin arp rule. Their requests to webassign are now working, but this is obviously insecure.

-Walter


--
-------------------------
Walter F. Hoehn, Jr
Systems Programmer
Columbia University - EPIC
-------------------------
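
The rule-selection failure described in the message above, as an added Java sketch that is not Shibboleth code or part of the original post: the class, method, rule and attribute names and the sample hosts are hypothetical, the matching logic is a simplification, and Java 16 or later is assumed for records. It contrasts falling back to the default rule when the SHAR name is null with rejecting the request outright.

```java
import java.util.List;
import java.util.Objects;
import java.util.Set;

// Added illustration: all names are hypothetical, not Shibboleth's classes or ARP format.
public class ArpSelectionDemo {
    // shar == null marks the "no matching SHAR" default rule.
    record Rule(String shar, List<String> hostSuffixes, Set<String> attributes) {}

    // Constructed policy: a default rule for .edu hosts plus one SHAR-specific rule.
    static final List<Rule> RULES = List.of(
        new Rule(null, List.of(".edu"), Set.of("affiliation")),
        new Rule("shar.vendor.example", List.of(".vendor.example"), Set.of("affiliation", "courseId")));

    // Returns the attributes of the first rule matching this SHAR and host, or null.
    static Set<String> lookup(String shar, String host) {
        for (Rule r : RULES) {
            boolean hostOk = r.hostSuffixes().stream().anyMatch(host::endsWith);
            if (Objects.equals(r.shar(), shar) && hostOk) return r.attributes();
        }
        return null;
    }

    // Behaviour described in the message: an undetermined (null) SHAR uses the default rule.
    static Set<String> selectFailOpen(String shar, String host) {
        Set<String> specific = (shar == null) ? null : lookup(shar, host);
        if (specific != null) return specific;
        Set<String> dflt = lookup(null, host);
        return dflt != null ? dflt : Set.of(); // empty set = assertion with 0 attributes
    }

    // Alternative raised in the message: signal an error when the SHAR name is unknown.
    static Set<String> selectFailClosed(String shar, String host) {
        if (shar == null || shar.isBlank())
            throw new SecurityException("SHAR name not determined; refusing attribute request");
        return selectFailOpen(shar, host);
    }

    public static void main(String[] args) {
        // A binding that never populates the SHAR name makes the specific rule unreachable.
        System.out.println("null SHAR:  " + selectFailOpen(null, "app.vendor.example"));
        System.out.println("named SHAR: " + selectFailOpen("shar.vendor.example", "app.vendor.example"));
        try {
            selectFailClosed(null, "app.vendor.example");
        } catch (SecurityException e) {
            System.out.println("rejected:   " + e.getMessage());
        }
    }
}
```

Adding the vendor suffix to the default rule in `RULES` makes the null-SHAR call return attributes, which is the effect of the workaround: release no longer depends on who is asking.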


