Shibboleth Developers

[Derek Atkins <>]

Hi, all,

I've committed a bunch of thread-safety code for the target.
One of the things I checked in today is code to make the shar
multi-threaded.  Each RPC connection gets its own thread to
respond to calls.

This all seems to work.. HOWEVER..  For some reason I can't get it to
work with the origin at example.edu.  I get an "unable to find a valid
SSO assertion" error.  The logs don't show anything all that
interesting -- certainly nothing that would cause me to think the
assertion is bad.

Scott, this is what was in the SAML log..

-derek

1043885929 DEBUG shibtarget.rpc-server [0] new_session: Trying to accept the 
post
1043885929 DEBUG SAML.SAMLPOSTProfile [0] new_session: accept: decoded 
assertion:
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" 
IssueInstant="2003-01-30T00:16:47Z" MajorVersion="1" MinorVersion="0" 
Recipient="http://localhost/shibboleth/SHIRE"; 
ResponseID="c9ed33d6-2821-489b-8e35-987fd1ae83b1"><ds:Signature 
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<ds:SignedInfo>
<ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315";></ds:CanonicalizationMethod>
<ds:SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1";></ds:SignatureMethod>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2";>
<xfilter2b:XPath xmlns:xfilter2b="http://www.w3.org/2002/06/xmldsig-filter2"; 
Filter="intersect">
here()/ancestor::samlp:Response[1]
</xfilter2b:XPath>
<xfilter2b:XPath xmlns:xfilter2b="http://www.w3.org/2002/06/xmldsig-filter2"; 
Filter="subtract">
here()/ancestor::ds:Signature[1]
</xfilter2b:XPath>
</ds:Transform>
<ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#";></ds:Transform>
</ds:Transforms>
<ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";></ds:DigestMethod>
<ds:DigestValue>uDZHW+weiz5fV2Llb4oZ0hKUKmU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
cN0RJ7yBsGSEtxZdGt7JelCBS1Ohc2SkC9wCyqTOIRJkstm38bJKQRh9oR3brP6MfXTg43Oi+Mhs
5DcASDf339g1q6ihWGqoNIWftiRUDOD41/N5dpd55R8rtFKl8lLQuLmC9WXU+py/7x1zdCB8Yp0c
WwSWDvkbsIZ1/Atf3+SKohe/ZZF9sQiSoYABOWHhY25jFYHKk3YNrACilG480skb13XL3qWUTwYY
xUg/+l4esU+JmkCE8/xZI4/Gm/k0PUORHMMbG7cZ/bL3aGA2xJRBIcewdm/2dKfpJZCh4s5SQLci
k7y8zqBBm5zO75GVIozVYt78LEEYKIbTGmymOw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDMjCCApugAwIBAgICAoQwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVTMRIwEAYDVQQI
EwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoTF1VuaXZlcnNpdHkgb2YgV2lz
Y29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYD
VQQDExxIRVBLSSBTZXJ2ZXIgQ0EgLS0gMjAwMjA3MDFBMB4XDTAyMDkyMzAwMjgwMVoXDTA2MTEw
MjAwMjgwMVowcDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMRIwEAYDVQQHEwlBbm4g
QXJib3IxDjAMBgNVBAoTBVVDQUlEMQ0wCwYDVQQLEwRNQUNFMRswGQYDVQQDExJ3YXlmLmludGVy
bmV0Mi5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRO0/Up7/PQ9t0AAJq0Ypr
C/CFWonm6c9bYYJvcAdksNohaWwpOEIwqXI2v2IPGbUyqFe5aLQHodkaUU27WgAOswkeXZ7D3WEq
rQJUGsZoFYTTwcwFVnUXk5cWigpbyIXeuoC31ekmbNZDecWj/cs8NbMiFQIKRl9NfF914dcbFXUp
FUjC0XO4PVEEIjxAp19sjCzap3Esz3Iul2M9w0QlNf5wqhxVfwhGsZXcLMaz0UE4Xw9KFK/fCjTV
4Zhy/JEUlZignmwl3T0HMVif9qKHSTbZLtGcsqxUuM+RHq89QuJIFaCSPjEDDPDKpBUWzypFZc0I
tJNn2hkFleVIhhFdAgMBAAGjHTAbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgWgMA0GCSqGSIb3
DQEBBAUAA4GBAGJBTkKSbeAqDdF/guKQ1orjMDOp5Xd4BsAjJo+yEmmG/KlBRPa85bdvdGHBtlaD
2DOgqc/cl+GPb6FG+O6k1XiwxybCTRV+472N/LMh2QDWxkC2eKTTUt1gkt3y9mzmgePBkCZoim2K
xVx2nATdcTukvpZ7gwrhLcJjc7FIZbmd
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature><Status><StatusCode 
Value="samlp:Success"></StatusCode></Status><Assertion 
xmlns="urn:oasis:names:tc:SAML:1.0:assertion" 
AssertionID="780e2ab2-8cc1-4e27-83c0-54394533b2f2" 
IssueInstant="2003-01-30T00:16:47Z" Issuer="wayf.internet2.edu" 
MajorVersion="1" MinorVersion="0"><Conditions 
NotBefore="2003-01-30T00:16:47Z" 
NotOnOrAfter="2003-01-30T00:21:47Z"><AudienceRestrictionCondition><Audience>http://middleware.internet2.edu/shibboleth/clubs/clubshib/2002/05/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
 AuthenticationInstant="2003-01-30T00:16:47Z" 
AuthenticationMethod="Basic"><Subject><NameIdentifier 
NameQualifier="example.edu">c688f959-530e-411a-871f-f4ed75a29004</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:Bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality
 IPAddress="18.101.1.12"></SubjectLocality><AuthorityBinding 
AuthorityKind="samlp:AttributeQuery" Binding="urn:
 o!
asis:names:tc:SAML:1.0:bindings:SOAP-binding" 
Location="https://wayf.internet2.edu/shibboleth/AA";></AuthorityBinding></AuthenticationStatement></Assertion></Response>
1043885929 DEBUG SAML.XML.ParserPool [0] new_session resolveEntity: asked to 
resolve eduPerson.xsd with baseURI (null)
1043885929 DEBUG SAML.XML.ParserPool [0] new_session resolveEntity: no custom 
resolver, looking in /home/shibboleth/etc/shibboleth/
1043885929 ERROR shibtarget.rpc-server [0] new_session: received SAML 
exception: SAMLPOSTProfile::getSSOAssertion() unable to find a valid SSO 
assertion
1043885929 INFO shibtarget.rpc-server [0] new_session: FAILED: <Status 
xmlns="urn:oasis:names:tc:SAML:1.0:protocol" 
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><StatusCode 
Value="samlp:Responder"/><StatusMessage>SAMLPOSTProfile::getSSOAssertion() 
unable to find a valid SSO assertion</StatusMessage></Status>

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       

                        PGP key available

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--