
shibboleth-dev - RE: SP 1.3 Java <-> IdP 1.1 interop problem?

  • From: "Howard Gilbert" <>
  • To: "'Valery Tschopp'" <>, <>
  • Subject: RE: SP 1.3 Java <-> IdP 1.1 interop problem?
  • Date: Wed, 22 Jun 2005 15:05:22 -0400

[Nothing in this message should be viewed as a promise to make a 1.1 IdP
work with the Java SP. However, if it was working and stopped, we must
already be pretty close and I don't intend to do anything to break it
either, and if I can make it work that would be great.]

First the easy part:

> HTTP Status 404 - /shibboleth-sp/Shibboleth.sso/SAML/shireError.html

There is a bug generating the Redirect to the error pages. It is looking in
the wrong place. I will fix it. However, the real problem is the error that
is causing the attempt to display the error page.


> In the catalina.out log file there is an OpenSAML ERROR about the
> Audience (see attached log file):
>
> ...
> 18:01 WARN Metadata.lookup failed to resolve Entity maunakea.switch.ch
> 18:01 DEBUG Metadata.lookup resolved Entity
> urn:mace:switch.ch:SWITCHaai:pilot:aaitest.switch.ch
> 18:01 ERROR Authentication Assertion had invalid format:
> org.opensaml.SAMLException: Assertion restricted to other audiences.

If you look in the log file, you find the following element in the
Assertion:

<AudienceRestrictionCondition><Audience>urn:mace:switch.ch:SWITCHaai:pilot</Audience></AudienceRestrictionCondition>

This corresponds to a configuration element in the xp.switchaai.xml of the
form:

<!--
Zero or more SAML Audience condition matches (mainly for Shib 1.1 compatibility).
If you get "policy mismatch" errors, you probably need to supply metadata about
your SP to the IdP if it's running 1.2. Adding an element here is only a partial fix.
-->
<saml:Audience>urn:mace:switch.ch:SWITCHaai:pilot</saml:Audience>

I do not currently add this value to the test of the
AudienceRestrictionCondition. I did not understand its significance, and
there was enough qualification in the comment that it scared me away.

I will find this element in the SP configuration and allow the assertion to
go through if it matches. That may solve the problem, or it may just expose
the next issue.

If this was working with last week's code it is because Scott removed the
audience test from SAML and left me a TODO to add it back into the
AssertionConsumer. Last weekend I worked through a bunch of TODOs and added
it back in.
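As an added illustration of the check discussed in this message (example code written for this archive page, not code from the Shibboleth Java SP or from the thread's participants): a SAML 1.1 AudienceRestrictionCondition is satisfied when at least one of its Audience URIs names the relying party, and every such condition in the assertion must be satisfied. The rejection in the log comes from the SP only recognising its own providerId; adding the configured <saml:Audience> value to the accepted set makes the same assertion pass. The providerId, the timestamps and the Conditions fragment below are constructed placeholders, not values from xp.switchaai.xml or the attached log.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Constructed sample: the Conditions element of a SAML 1.x assertion carrying the
# AudienceRestrictionCondition quoted in the thread. Timestamps are made up.
SAMPLE_CONDITIONS = """
<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                 NotBefore="2005-06-22T16:01:00Z" NotOnOrAfter="2005-06-22T16:06:00Z">
  <saml:AudienceRestrictionCondition>
    <saml:Audience>urn:mace:switch.ch:SWITCHaai:pilot</saml:Audience>
  </saml:AudienceRestrictionCondition>
</saml:Conditions>
"""

# Hypothetical SP identity and configured extra audiences (placeholders standing in
# for the SP's providerId and the <saml:Audience> element of its configuration).
SP_PROVIDER_ID = "https://sp.example.org/shibboleth"
CONFIGURED_AUDIENCES = ["urn:mace:switch.ch:SWITCHaai:pilot"]


def audience_restrictions(conditions_xml):
    """Return one list of Audience URIs per AudienceRestrictionCondition."""
    root = ET.fromstring(conditions_xml)
    restrictions = []
    for cond in root.findall("saml:AudienceRestrictionCondition", NS):
        uris = [a.text.strip() for a in cond.findall("saml:Audience", NS) if a.text]
        restrictions.append(uris)
    return restrictions


def accepted_audiences(provider_id, configured):
    """The set of audience URIs this SP regards as naming itself: its own
    providerId plus any <saml:Audience> values from the SP configuration."""
    return {provider_id, *configured}


def check_audience(conditions_xml, accepted):
    """Evaluate SAML 1.1 audience restrictions for a relying party.

    Each AudienceRestrictionCondition is satisfied only if at least one of its
    Audience values is in the relying party's accepted set; every condition in
    the assertion must be satisfied. Comparison is exact string equality, so a
    differently spelled URI for the same party is still rejected.
    Returns (ok, reason).
    """
    for uris in audience_restrictions(conditions_xml):
        if not uris:
            return False, "AudienceRestrictionCondition carries no Audience"
        if not accepted.intersection(uris):
            return False, "Assertion restricted to other audiences: " + ", ".join(uris)
    return True, "audience restriction satisfied"


if __name__ == "__main__":
    # Only the providerId known: rejected, matching the logged error.
    print(check_audience(SAMPLE_CONDITIONS, accepted_audiences(SP_PROVIDER_ID, [])))
    # providerId plus the configured <saml:Audience>: accepted.
    print(check_audience(SAMPLE_CONDITIONS,
                         accepted_audiences(SP_PROVIDER_ID, CONFIGURED_AUDIENCES)))
```

The accepted set is deliberately built from the SP's own identity plus explicitly configured names only; an SP that accepted any Audience it could parse would defeat the purpose of the condition, which is to stop an assertion issued for one relying party from being replayed to another.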
