shibboleth-dev - current status, and one issue
Subject: Shibboleth Developers
List archive
- From: Derek Atkins <>
- To:
- Subject: current status, and one issue
- Date: 29 Jan 2003 19:55:40 -0500
Hi, all,
I've committed a bunch of thread-safety code for the target.
One of the things I checked in today is code to make the shar
multi-threaded. Each RPC connection gets its own thread to
respond to calls.
This all seems to work.. HOWEVER.. For some reason I can't get it to
work with the origin at example.edu. I get an "unable to find a valid
SSO assertion" error. The logs don't show anything all that
interesting -- certainly nothing that would cause me to think the
assertion is bad.
Scott, this is what was in the SAML log..
-derek
1043885929 DEBUG shibtarget.rpc-server [0] new_session: Trying to accept the
post
1043885929 DEBUG SAML.SAMLPOSTProfile [0] new_session: accept: decoded
assertion:
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2003-01-30T00:16:47Z" MajorVersion="1" MinorVersion="0"
Recipient="http://localhost/shibboleth/SHIRE"
ResponseID="c9ed33d6-2821-489b-8e35-987fd1ae83b1"><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<xfilter2b:XPath xmlns:xfilter2b="http://www.w3.org/2002/06/xmldsig-filter2"
Filter="intersect">
here()/ancestor::samlp:Response[1]
</xfilter2b:XPath>
<xfilter2b:XPath xmlns:xfilter2b="http://www.w3.org/2002/06/xmldsig-filter2"
Filter="subtract">
here()/ancestor::ds:Signature[1]
</xfilter2b:XPath>
</ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>uDZHW+weiz5fV2Llb4oZ0hKUKmU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
cN0RJ7yBsGSEtxZdGt7JelCBS1Ohc2SkC9wCyqTOIRJkstm38bJKQRh9oR3brP6MfXTg43Oi+Mhs
5DcASDf339g1q6ihWGqoNIWftiRUDOD41/N5dpd55R8rtFKl8lLQuLmC9WXU+py/7x1zdCB8Yp0c
WwSWDvkbsIZ1/Atf3+SKohe/ZZF9sQiSoYABOWHhY25jFYHKk3YNrACilG480skb13XL3qWUTwYY
xUg/+l4esU+JmkCE8/xZI4/Gm/k0PUORHMMbG7cZ/bL3aGA2xJRBIcewdm/2dKfpJZCh4s5SQLci
k7y8zqBBm5zO75GVIozVYt78LEEYKIbTGmymOw==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDMjCCApugAwIBAgICAoQwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVTMRIwEAYDVQQI
EwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoTF1VuaXZlcnNpdHkgb2YgV2lz
Y29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYD
VQQDExxIRVBLSSBTZXJ2ZXIgQ0EgLS0gMjAwMjA3MDFBMB4XDTAyMDkyMzAwMjgwMVoXDTA2MTEw
MjAwMjgwMVowcDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMRIwEAYDVQQHEwlBbm4g
QXJib3IxDjAMBgNVBAoTBVVDQUlEMQ0wCwYDVQQLEwRNQUNFMRswGQYDVQQDExJ3YXlmLmludGVy
bmV0Mi5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRO0/Up7/PQ9t0AAJq0Ypr
C/CFWonm6c9bYYJvcAdksNohaWwpOEIwqXI2v2IPGbUyqFe5aLQHodkaUU27WgAOswkeXZ7D3WEq
rQJUGsZoFYTTwcwFVnUXk5cWigpbyIXeuoC31ekmbNZDecWj/cs8NbMiFQIKRl9NfF914dcbFXUp
FUjC0XO4PVEEIjxAp19sjCzap3Esz3Iul2M9w0QlNf5wqhxVfwhGsZXcLMaz0UE4Xw9KFK/fCjTV
4Zhy/JEUlZignmwl3T0HMVif9qKHSTbZLtGcsqxUuM+RHq89QuJIFaCSPjEDDPDKpBUWzypFZc0I
tJNn2hkFleVIhhFdAgMBAAGjHTAbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgWgMA0GCSqGSIb3
DQEBBAUAA4GBAGJBTkKSbeAqDdF/guKQ1orjMDOp5Xd4BsAjJo+yEmmG/KlBRPa85bdvdGHBtlaD
2DOgqc/cl+GPb6FG+O6k1XiwxybCTRV+472N/LMh2QDWxkC2eKTTUt1gkt3y9mzmgePBkCZoim2K
xVx2nATdcTukvpZ7gwrhLcJjc7FIZbmd
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature><Status><StatusCode
Value="samlp:Success"></StatusCode></Status><Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="780e2ab2-8cc1-4e27-83c0-54394533b2f2"
IssueInstant="2003-01-30T00:16:47Z" Issuer="wayf.internet2.edu"
MajorVersion="1" MinorVersion="0"><Conditions
NotBefore="2003-01-30T00:16:47Z"
NotOnOrAfter="2003-01-30T00:21:47Z"><AudienceRestrictionCondition><Audience>http://middleware.internet2.edu/shibboleth/clubs/clubshib/2002/05/</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement
AuthenticationInstant="2003-01-30T00:16:47Z"
AuthenticationMethod="Basic"><Subject><NameIdentifier
NameQualifier="example.edu">c688f959-530e-411a-871f-f4ed75a29004</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:Bearer</ConfirmationMethod></SubjectConfirmation></Subject><SubjectLocality
IPAddress="18.101.1.12"></SubjectLocality><AuthorityBinding
AuthorityKind="samlp:AttributeQuery" Binding="urn:
o!
asis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://wayf.internet2.edu/shibboleth/AA"></AuthorityBinding></AuthenticationStatement></Assertion></Response>
1043885929 DEBUG SAML.XML.ParserPool [0] new_session resolveEntity: asked to
resolve eduPerson.xsd with baseURI (null)
1043885929 DEBUG SAML.XML.ParserPool [0] new_session resolveEntity: no custom
resolver, looking in /home/shibboleth/etc/shibboleth/
1043885929 ERROR shibtarget.rpc-server [0] new_session: received SAML
exception: SAMLPOSTProfile::getSSOAssertion() unable to find a valid SSO
assertion
1043885929 INFO shibtarget.rpc-server [0] new_session: FAILED: <Status
xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"><StatusCode
Value="samlp:Responder"/><StatusMessage>SAMLPOSTProfile::getSSOAssertion()
unable to find a valid SSO assertion</StatusMessage></Status>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
PGP key available
------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
------------------------------------------------------mace-shib-design--
- current status, and one issue, Derek Atkins, 01/29/2003
- RE: current status, and one issue, Scott Cantor, 01/29/2003
- Re: current status, and one issue, Derek Atkins, 01/29/2003
- RE: current status, and one issue, Scott Cantor, 01/29/2003
- Re: current status, and one issue, Derek Atkins, 01/29/2003
- RE: current status, and one issue, Scott Cantor, 01/29/2003
- Re: current status, and one issue, Derek Atkins, 01/29/2003
- RE: current status, and one issue, Scott Cantor, 01/29/2003
Archive powered by MHonArc 2.6.16.