shibboleth-dev - RE: psu problems

  • From: Scott Cantor <>
  • To: 'Walter Hoehn' <>,
  • Subject: RE: psu problems
  • Date: Fri, 19 Jul 2002 15:48:30 -0400
  • Importance: Normal
  • Organization: The Ohio State University

> The code in the SAMLSOAPBinding class that populates the sharname based
> on looking at the client cert is commented out right now. The result is
> that for every request, no matter what the SHAR, a SHAR of null is used.

Actually, unless it's broken, it's actually setting the SHAR name to the
hostname of the Resource sent by the SHAR. This was a temp approach,
simply to enable some testing to occur.

> This triggers a fallback to the "default" rule.

I know Parviz and I tested activating some non-default policies by
choosing a different Resource.

> There are a couple of problems here, I think.
> SAMLSOAPBinding needs to populate the sharname, but I am also not
> convinced that it is best for the AA to proceed at this point. It seems
> better to me to signal an error if the shar name cannot be determined.

By definition, an empty SHAR name basically would mean an
unauthenticated request, which is basically left to policy. One could
send member only, for example.

> As a workaround, I gave psu an arp that adds *.webassign.net to their
> "default" admin arp rule. Their requests to webassign are
> now working, but this is obviously insecure.

It is not intended to be secure at this point. The only real security
that's been added in is in the HS/SHIRE flow. The rest is just skeletal
in alpha-2.

I hope to add proper SHAR authentication shortly for the 2.5 interim.

Additionally, of course, the issues we've discussed about SHARs sending
any old resource to trigger various ARPs come up, so defining
wildcarding better is something that also addresses some security holes.

As far as this webassign issue is concerned, I was under the impression
we were including a default ARP that would apply to *, that is every
request. It sounds like that wasn't doable. Does the ARP design preclude
that?

-- Scott
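The exchange above turns on one policy question: what an attribute authority should release when the requesting SHAR cannot be authenticated, and why a resource-only "default" rule (the workaround) is unsafe when the requester chooses the resource name. The following is an added illustration written for this archive page, not Shibboleth code; the rule format, the hostnames (shar.webassign.net, shar.example.org, www.webassign.net) and the attribute names are all constructed. It models an unauthenticated requester as its own principal with a deliberately minimal release policy ("member only", as suggested above) and contrasts that with a catch-all rule keyed only on the resource.

```python
"""Toy attribute-release policy (ARP-style) evaluator.

Constructed illustration for the mailing-list thread; this is not Shibboleth
code and the rule format is invented. It contrasts (a) a catch-all "default"
rule keyed only on the resource, which any requester can trigger by naming
that resource, with (b) release bound to an authenticated SHAR plus an
explicit, minimal policy for requests whose SHAR could not be determined.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import FrozenSet, Iterable, Optional

ANY_SHAR = "*"          # rule applies to every requester, authenticated or not
UNAUTHENTICATED = None  # requester identity when the client cert was not verified


@dataclass(frozen=True)
class Rule:
    shar: Optional[str]        # exact SHAR name, ANY_SHAR, or UNAUTHENTICATED
    resource: str              # glob over the resource hostname, e.g. "*.webassign.net"
    attributes: FrozenSet[str]


def rule_matches(rule: Rule, shar: Optional[str], resource: str) -> bool:
    """A rule fires only when both its requester and resource constraints hold."""
    if rule.shar == ANY_SHAR:
        shar_ok = True
    else:
        # None == None covers the unauthenticated case; an authenticated SHAR
        # never matches a rule written for unauthenticated requesters.
        shar_ok = (rule.shar == shar)
    return shar_ok and fnmatch(resource, rule.resource)


def evaluate(rules: Iterable[Rule], shar: Optional[str], resource: str) -> FrozenSet[str]:
    """Union of attributes from all matching rules; no match releases nothing (fail closed)."""
    released = set()
    for rule in rules:
        if rule_matches(rule, shar, resource):
            released |= rule.attributes
    return frozenset(released)


FULL_SET = frozenset({"eduPersonPrincipalName", "eduPersonAffiliation"})

# (a) The workaround described in the thread, modelled as a resource-only rule:
# whoever names a *.webassign.net resource gets the full attribute set.
WORKAROUND_ARP = [
    Rule(ANY_SHAR, "*.webassign.net", FULL_SET),
]

# (b) Release bound to a named, authenticated SHAR (constructed hostname), plus a
# minimal policy for requests whose SHAR could not be determined.
BOUND_ARP = [
    Rule("shar.webassign.net", "*.webassign.net", FULL_SET),
    Rule(UNAUTHENTICATED, "*", frozenset({"eduPersonAffiliation=member"})),
]


def compare(resource: str = "www.webassign.net") -> dict:
    """Evaluate the same three requests against both policies."""
    requests = {
        "authenticated": "shar.webassign.net",
        "unauthenticated": UNAUTHENTICATED,
        "other_shar_claiming_resource": "shar.example.org",
    }
    return {
        name: {
            "workaround": evaluate(WORKAROUND_ARP, shar, resource),
            "bound": evaluate(BOUND_ARP, shar, resource),
        }
        for name, shar in requests.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:30s} workaround={sorted(result['workaround'])} "
              f"bound={sorted(result['bound'])}")
```

Under the workaround policy, the unauthenticated request and the unrelated SHAR both receive the full attribute set simply by naming a webassign resource; under the bound policy, the unauthenticated request gets only the member affiliation and the unrelated SHAR gets nothing, because release is keyed to the verified requester rather than to a resource string the requester supplies.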
