shibboleth-dev - RE: Finding the AA from an assertion

  • From: "Scott Cantor" <>
  • To: "'Chris Zagar'" <>
  • Cc: <>
  • Subject: RE: Finding the AA from an assertion
  • Date: Wed, 22 Sep 2004 10:22:55 -0400
  • Organization: The Ohio State University

CC'ing shib-dev list...

> From something you said last week, I had the impression that the right way
> to match up an assertion to the AA was to take a look at the Assertion
> element's Issuer attribute (e.g. urn:mace:inqueue:osu.edu).
> I made the leap that this should be cross-referenced to find an
> OriginSite whose Name attribute matched that value. Seemed good, but...

That's correct going forward.

> I now have GSU testing, and I suspect they are using a 1.1 IdP. For
> them, the Issuer came up like art12.gsu.edu. That cross-references neatly
> to the AttributeAuthority element's Name attribute.

1.1 does a few strange things. But with 1.1, you also get the AA location
inline inside the assertion too.

What I do is check Issuer and look for a metadata match to establish the
rules to follow. If that fails, I try NameQualifier because that's what 1.1
did. It's a legacy hack, basically. There are a couple additional things
that end up using NameQualifier for historical reasons that need to be
changed.

When I do the AA query, I look for AuthorityBinding elements in the
assertion and use them first, and then use metadata to locate the AA. A 1.2
IdP will not include the AuthorityBinding element when talking to a 1.2 SP
(it can tell the difference because 1.2 SPs include a providerId parameter
in their URL request).

You should probably at least consider whether to bother hacking in support
for 1.1. We really need people to get off it so we can get rid of all this
legacy code, but we're not forcing people to upgrade. It wouldn't be
entirely unreasonable to require 1.2 for your application.

> If there is a document that details the subtleties of this
> bit, just point me in that direction.

There's a protocol spec posted on the web site that entirely replaces the
old architecture document. It is not 100% correct yet, I'm working on a
second draft now. But it is close. Certainly much closer than anything else
is. It specifies use of Issuer, our custom NameIdentifier format, the
AuthnRequest URL syntax, and various other details.

> Finally, do you want to see questions like this on shibboleth-dev,
> somewhere else, or just to you?

You can use shibboleth-dev.

-- Scott
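The lookup order Scott describes (Issuer against OriginSite Name first, NameQualifier as the 1.1 fallback; then AuthorityBinding in the assertion before the AttributeAuthority Location in metadata) is easy to get subtly wrong, so here it is as an added, stand-alone Python example. This is not Shibboleth's own code. The assertion element and attribute names follow SAML 1.1; the metadata shape (OriginSite, AttributeAuthority with Name and Location) follows the sites file as described in the thread; the two sample assertions, the sample sites file and every Location URL in them are constructed for illustration. The `samlp:AttributeQuery` value for AuthorityKind is matched on its local name only, because the prefix is whatever the issuing IdP chose.

```python
"""Locate the Attribute Authority (AA) for a Shibboleth 1.x SAML assertion.

Added example, not Shibboleth project code.  Sample documents are constructed;
the Location URLs are placeholders.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}

# Constructed site metadata in the OriginSite / AttributeAuthority shape.
SITES_XML = """<Sites>
  <OriginSite Name="urn:mace:inqueue:osu.edu">
    <AttributeAuthority Name="aa.osu.edu"
        Location="https://aa.osu.edu/shibboleth/AA"/>
  </OriginSite>
  <OriginSite Name="urn:mace:inqueue:gsu.edu">
    <AttributeAuthority Name="art12.gsu.edu"
        Location="https://art12.gsu.edu/shibboleth/AA"/>
  </OriginSite>
</Sites>"""

# Constructed 1.2-style assertion: Issuer is the OriginSite name, no AuthorityBinding.
ASSERTION_12 = """<saml:Assertion xmlns:saml="%s" Issuer="urn:mace:inqueue:osu.edu">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="urn:mace:inqueue:osu.edu"
          Format="urn:mace:shibboleth:1.0:nameIdentifier">handle-1</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>""" % SAML

# Constructed 1.1-style assertion: Issuer is the AA host name, the OriginSite name
# lives in NameQualifier, and the AA location is carried inline.
ASSERTION_11 = """<saml:Assertion xmlns:saml="%s"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" Issuer="art12.gsu.edu">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="urn:mace:inqueue:gsu.edu"
          Format="urn:mace:shibboleth:1.0:nameIdentifier">handle-2</saml:NameIdentifier>
    </saml:Subject>
    <saml:AuthorityBinding AuthorityKind="samlp:AttributeQuery"
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://art12.gsu.edu/shibboleth/AA"/>
  </saml:AuthenticationStatement>
</saml:Assertion>""" % SAML


def parse_sites(sites_xml):
    """Index OriginSite elements by their Name attribute."""
    root = ET.fromstring(sites_xml)
    return {site.get("Name"): site for site in root.iter("OriginSite")}


def find_origin_site(assertion, sites):
    """Match Issuer against OriginSite Name; fall back to NameQualifier (1.1 legacy).

    Returns (site_element, rule) or (None, None).
    """
    issuer = assertion.get("Issuer")
    if issuer in sites:
        return sites[issuer], "Issuer"
    for nid in assertion.iterfind(".//saml:NameIdentifier", NS):
        qualifier = nid.get("NameQualifier")
        if qualifier in sites:
            return sites[qualifier], "NameQualifier"
    return None, None


def find_aa_location(assertion, site):
    """Prefer an inline AuthorityBinding for AttributeQuery, then metadata."""
    for binding in assertion.iterfind(".//saml:AuthorityBinding", NS):
        kind = binding.get("AuthorityKind", "")
        if kind.split(":")[-1] == "AttributeQuery" and binding.get("Location"):
            return binding.get("Location"), "AuthorityBinding"
    aa = site.find("AttributeAuthority")
    if aa is not None and aa.get("Location"):
        return aa.get("Location"), "metadata"
    return None, None


def locate_aa(assertion_xml, sites_xml):
    """Resolve the AA endpoint for an assertion; raise if the site is unknown."""
    assertion = ET.fromstring(assertion_xml)
    site, site_rule = find_origin_site(assertion, parse_sites(sites_xml))
    if site is None:
        raise ValueError("no metadata for Issuer %r (or NameQualifier)"
                         % assertion.get("Issuer"))
    location, aa_rule = find_aa_location(assertion, site)
    return {"site": site.get("Name"), "site_rule": site_rule,
            "aa": location, "aa_rule": aa_rule}


if __name__ == "__main__":
    for name, doc in (("1.2", ASSERTION_12), ("1.1", ASSERTION_11)):
        print(name, locate_aa(doc, SITES_XML))
```

The metadata match is what establishes which site's rules apply, so an SP should only act on an inline AuthorityBinding Location after the assertion has been verified against the credentials of the matched OriginSite; an unverified assertion naming an arbitrary Location would otherwise steer the attribute query wherever the sender likes. The example raises when neither Issuer nor NameQualifier resolves, which is the safe default rather than guessing.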
