
shibboleth-dev - Re: beta idp difficulty

  • From: Chad La Joie <>
  • To:
  • Subject: Re: beta idp difficulty
  • Date: Wed, 19 Sep 2007 22:29:18 -0400
  • Openpgp: id=A260F52E; url=http://pgpkeys.pca.dfn.de/pks/lookup?op=get&search=0x3F5E9E87A260F52E
  • Organization: Georgetown University

Looks like you have your two IDs mixed up. The "id" attribute is the ID
of the relying party, the "provider" attribute is what the IdP calls
itself when talking to that relying party.

The lookup of the relying party configuration is based on the loaded
metadata and is metadata group aware. So, if you had a metadata group
of urn:washington.edu you could use that and apply a configuration to
all UWash RPs. Then, if you wanted a specific configuration for
"lost.cac.washington.edu" you could define one for that and the IdP
would use it over the "urn:washington.edu" configuration. The IdP uses
the most specific configuration it can find.


Jim Fox wrote:
>
> Got it. How about the "RP not found?"
>
> Jim
>
> On Sep 19, 2007, at 5:44 PM, Chad La Joie wrote:
>
>> I thought I had a <context>/shibboleth/SSO article listing all the
>> endpoints in the IdP but I guess not. They are:
>>
>> /shibboleth/SSO
>> /saml1/SOAP/AttributeQuery
>> /saml/SOAP/ArtifactResolution
>> /saml2/POST/SSO
>> /saml2/Redirect/SSO
>> /saml2/SOAP/AttributeQuery
>> /saml2/SOAP/ArtifactResolution
>>
>> General format is /<protocol>/<binding>/<profile/operation>
>>
>> Jim Fox wrote:
>>>
>>> I have some config questions.
>>>
>>>
>>> Am using "shibboleth" as the app name in tomcat. And have this
>>>
>>> ProxyPass /shibboleth ajp://localhost:8009/shibboleth
>>>
>>> in apache's config.
>>>
>>> In order to get shib to handle a request I have to use a URL like this:
>>>
>>> https://<hostname>/shibboleth/profile/shibboleth/SSO?rest_of_request.
>>>
>>> Is that expected and correct?
>>>
>>>
>>> I configured an RP with
>>>
>>> <RelyingParty id="urn:washington.edu:fox"
>>> provider="lost.cac.washington.edu">
>>> <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
>>> <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
>>> <ProfileConfiguration
>>> xsi:type="saml:SAML1ArtifactResolutionProfile" />
>>> <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
>>> <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
>>> <ProfileConfiguration
>>> xsi:type="saml:SAML2ArtifactResolutionProfile" />
>>> </RelyingParty>
>>>
>>> and got the metadata from our 1.3 idp's metadata file with a
>>> FilesystemMetadataProvider entry pointing to the 1.3 file.
>>>
>>> The idp's log showed it to be configured, with entries like
>>>
>>> .. Attempting to find parser with element name:
>>> {urn:mace:shibboleth:2.0:relying-party}RelyingParty
>>> .. Relying party configuration - relying party id urn:washington.edu:fox
>>> .. Relying party configuration - provider ID: lost.cac.washington.edu
>>> .. Relying party configuration - default authentication method:
>>> urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
>>> .. Relying party configuration - 6 profile configurations
>>> .. Attempting to find parser for element of type:
>>> {urn:mace:shibboleth:2.0:relying-party:saml}ShibbolethSSOProfile
>>> .. Attempting to find parser for element of type:
>>> {urn:mace:shibboleth:2.0:relying-party:saml}SAML1AttributeQueryProfile
>>> .. Attempting to find parser for element of type:
>>> {urn:mace:shibboleth:2.0:relying-party:saml}SAML1ArtifactResolutionProfile
>>>
>>> .. Attempting to find parser for element of type:
>>> {urn:mace:shibboleth:2.0:relying-party:saml}SAML2SSOProfile
>>> .. Attempting to find parser for element of type:
>>> {urn:mace:shibboleth:2.0:relying-party:saml}SAML2AttributeQueryProfile
>>> .. Attempting to find parser for element of type:
>>> {urn:mace:shibboleth:2.0:relying-party:saml}SAML2ArtifactResolutionProfile
>>>
>>>
>>>
>>>
>>> However, as soon as I attempt a login I get a "no relying party" error:
>>>
>>> .. Looking up relying party configuration for lost.cac.washington.edu
>>> .. No relying party configuration was registered for
>>> lost.cac.washington.edu looking up configuration based on metadata
>>> groups
>>> .. No relying party configuration found for lost.cac.washington.edu
>>> using default configuration
>>> .. Shibboleth SSO profile is not configured for relying party
>>> lost.cac.washington.edu
>>>
>>>
>>> What RP config am I missing?
>>>
>>> Jim
>>>
>>>
>>> p.s. When tomcat starts I see an error in the idp-process log
>>>
>>> Parse Error at line 812 column 21:
>>> The content of element type "action-mappings" must match "(action)*".
>>>
>>> which seems to be unrelated to shib, but shows up only in the idp's log.
>>>
>>
>> --
>> Chad La Joie 2052-C Harris Bldg
>> OIS-Middleware 202.687.0124

--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
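The lookup order Chad describes above (exact relying-party id first, then the innermost metadata group enclosing the RP, then the default configuration) as an added Python example; it is not code from the thread or from the IdP itself. The metadata and configuration fragments are constructed, the `Config` wrapper element is an assumption, and the swapped entry reproduces the id/provider mix-up from the original post so you can see why the IdP fell through to the default.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
RP_NS = "urn:mace:shibboleth:2.0:relying-party"

# Constructed metadata: the RP's EntityDescriptor sits inside a named group.
METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:washington.edu">
  <EntityDescriptor entityID="lost.cac.washington.edu"/>
  <EntityDescriptor entityID="other.washington.edu"/>
</EntitiesDescriptor>"""

# Constructed config (wrapper element assumed): id = RP entityID or metadata group, provider = IdP's own name.
CORRECT_CONFIG = """<Config xmlns="urn:mace:shibboleth:2.0:relying-party">
  <RelyingParty id="urn:washington.edu" provider="urn:washington.edu:fox"/>
  <RelyingParty id="lost.cac.washington.edu" provider="urn:washington.edu:fox"/>
</Config>"""

# The swapped form from the original post: id names the IdP, provider names the RP.
SWAPPED_CONFIG = """<Config xmlns="urn:mace:shibboleth:2.0:relying-party">
  <RelyingParty id="urn:washington.edu:fox" provider="lost.cac.washington.edu"/>
</Config>"""

def metadata_groups(metadata_xml):
    """Map each entityID to the Names of its enclosing EntitiesDescriptors, innermost first."""
    groups = {}
    def walk(elem, enclosing):
        if elem.tag == f"{{{MD_NS}}}EntitiesDescriptor":
            name = elem.get("Name")
            inner = ([name] if name else []) + enclosing
            for child in elem:
                walk(child, inner)
        elif elem.tag == f"{{{MD_NS}}}EntityDescriptor":
            groups[elem.get("entityID")] = enclosing
    walk(ET.fromstring(metadata_xml), [])
    return groups

def relying_party_configs(config_xml):
    """Map each RelyingParty id to the provider (IdP name) it configures."""
    return {rp.get("id"): rp.get("provider")
            for rp in ET.fromstring(config_xml).iter(f"{{{RP_NS}}}RelyingParty")}

def resolve(rp_entity_id, configs, groups):
    """Most specific match wins: exact entityID, then innermost metadata group, then default."""
    if rp_entity_id in configs:
        return rp_entity_id, configs[rp_entity_id]
    for group in groups.get(rp_entity_id, []):
        if group in configs:
            return group, configs[group]
    return "default", None
```

With the swapped configuration the RP's entityID never matches an id, so the lookup ends at the default, which is exactly the "No relying party configuration found ... using default configuration" sequence in the quoted log.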
