shibboleth-dev - RE: Questions about shibboleth
- From: Eliot Pearson <>
- Subject: RE: Questions about shibboleth
- Date: Mon, 24 Sep 2007 07:53:40 -0400
Hello all,
Scott, thanks for your reply. I decided to try the following: connecting an
ADFS account partner with a Shibboleth Service Provider. Also, I am using
ADFS for my realm discovery. I am running into the following problem.
The native.log file contains this error:
2007-09-24 07:40:53 DEBUG shibtarget.RequestMapper [3744] shib_handler: mapped https://dev-boproto01.stage.root:443/ to default
2007-09-24 07:41:03 DEBUG shibtarget.RequestMapper [3744] shib_check_user: mapped https://dev-boproto01.stage.root:443/secure/ to default
2007-09-24 07:41:17 DEBUG shibtarget.RequestMapper [3744] shib_handler: mapped https://dev-boproto01.stage.root:443/Shibboleth.sso/ADFS/ to default
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting errorType -> SAMLException
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting errorText -> Shibboleth handler invoked at an unconfigured location.
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting errorType -> Shibboleth Handler Error
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting requestURL -> https://dev-boproto01.stage.root/Shibboleth.sso/ADFS/
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: processing stream
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting now -> Mon Sep 24 07:41:17 2007
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: Processing string
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting now -> Mon Sep 24 07:41:17 2007
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: Processing string
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting now -> Mon Sep 24 07:41:17 2007
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: Processing string
2007-09-24 07:41:17 DEBUG shibtarget.RequestMapper [3744] shib_handler: mapped https://dev-boproto01.stage.root:443/shibboleth-sp/main.css to default
2007-09-24 07:41:17 DEBUG shibtarget.RequestMapper [3744] shib_handler: mapped https://dev-boproto01.stage.root:443/shibboleth-sp/logo.jpg to default
This happens after I go to https://dev-proto01.stage.root/secure. First, I
am forwarded to a login page for ADFS. I login successfully but then I hit a
page with this message, "Session Creation Failure." Has anyone run into this
problem? Also, does anyone else have any experience with the type of pairing
above?
Thanks,
Eliot
-----Original Message-----
From: Scott Cantor
Sent: Thursday, September 13, 2007 2:41 PM
Subject: RE: Questions about shibboleth
> 1. Is there a developer's guide/resource available. After shibboleth
> is setup, how can a developer leverage it in existing java based
> applications?
Generally, you don't. Write your application to obtain attribute information
from REMOTE_USER or other headers using names you're comfortable with, and
that's it.
If you don't want to or can't rely on the software for session management,
isolate the app parts that involve authentication UI and invoking it to the
edges and you can glue it to Shibboleth using some simple redirects.
The goal is not to tie your application to Shibboleth, to the extent that
it's possible to avoid it. We don't want to lock you in.
> 2. Can I have shibboleth and adfs in the same federation? I have seen
> examples of shibboleth and adfs interoperate, but never in the same
> federation.
There's no such thing as a federation to the software, so the answer is not a
technical one. If your federation is supplying all of your metadata, then
it's up to the federation to supply metadata advertising ADFS support. If it
doesn't, then you'd be on your own to support and deploy it.
Discovery complicates any multi-protocol deployment, and if you hand off
control to a WAYF, you're done, unless you change it to support ADFS and/or
handle protocol translation.
The 1.3 SP has rudimentary capabilities to handle protocol selection, but
works better if the IdP in question only supports one or the other. The 2.0
SP will have a somewhat more flexible protocol precedence mechanism, but it
still can't deal with discovery by itself.
> 3. In the end I would like to accomplish the following: log into a
> shibboleth aware application and then try to use an adfs based
> application without having to log back in (and vice-versa). Is this
> possible? If so, is there a document I can walk through to figure this out?
That's not even a Shibboleth issue, it's a "how you do authentication"
issue. SSO in 1.3 is a function of the login mechanism, not the IdP or which
protocol you use later.
-- Scott
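A small triage script for the native.log excerpt in Eliot's message above, added here as an example and not code from the thread or from the Shibboleth project. It correlates the RequestMapper "mapped ... to <application>" lines with the ShibMLP template insertions on the same thread id, and reports which handler path produced the "unconfigured location" error; the sample lines are the ones quoted above, rejoined from the list's line wrapping.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the native.log lines quoted in the post above.
SAMPLE_LOG = """\
2007-09-24 07:41:03 DEBUG shibtarget.RequestMapper [3744] shib_check_user: mapped https://dev-boproto01.stage.root:443/secure/ to default
2007-09-24 07:41:17 DEBUG shibtarget.RequestMapper [3744] shib_handler: mapped https://dev-boproto01.stage.root:443/Shibboleth.sso/ADFS/ to default
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting errorType -> SAMLException
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting errorText -> Shibboleth handler invoked at an unconfigured location.
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting errorType -> Shibboleth Handler Error
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting requestURL -> https://dev-boproto01.stage.root/Shibboleth.sso/ADFS/
"""

# "<date> <time> <level> <category> [<thread id>] <function>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<cat>[\w.]+) \[(?P<tid>\d+)\] (?P<func>\w+): (?P<msg>.*)$")
INSERT_RE = re.compile(r"^inserting (?P<key>\w+) -> (?P<val>.*)$")   # ShibMLP template insertion
MAPPED_RE = re.compile(r"^mapped (?P<url>\S+) to (?P<app>\S+)$")      # RequestMapper decision
HANDLER_RE = re.compile(r"https?://[^/]+(?P<path>/Shibboleth\.sso/[^?]*)")  # handler path in a URL

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Return one finding per thread whose error template was filled in."""
    by_thread = defaultdict(lambda: {"mapped": [], "error": {}})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue  # unparseable line, skip
        entry = by_thread[rec["tid"]]
        mm = MAPPED_RE.match(rec["msg"])
        if mm:
            entry["mapped"].append((mm["url"], mm["app"]))
            continue
        im = INSERT_RE.match(rec["msg"])
        if im and rec["cat"].endswith("ShibMLP"):
            # errorType is inserted twice; keep the first value, the exception class
            entry["error"].setdefault(im["key"], im["val"])
    findings = []
    for tid, entry in by_thread.items():
        err = entry["error"]
        if "errorText" not in err:
            continue  # no error page was rendered on this thread
        hm = HANDLER_RE.search(err.get("requestURL", ""))
        findings.append({
            "thread": tid,
            "handler_path": hm["path"] if hm else None,
            "unconfigured_handler": "unconfigured location" in err["errorText"],
            "application": next((app for url, app in entry["mapped"] if "Shibboleth.sso" in url), None),
            "error_type": err.get("errorType"),
        })
    return findings
```

Run against the sample it reports that /Shibboleth.sso/ADFS/ was mapped to the default application but no handler is configured at that path, which is the condition to check in the SP configuration before looking at the ADFS side.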