Shibboleth Developers

[Eliot Pearson <>]

Hello all,

Scott, thanks for you reply.  I decided to try the following: connecting a 
ADFS account partner with a Shibboleth Service Provider.  Also, I am using 
ADFS for my realm discovery.  I am running into the following problem.

The native.log file contain this error:

2007-09-24 07:40:53 DEBUG shibtarget.RequestMapper [3744] shib_handler: 
mapped https://dev-boproto01.stage.root:443/ to default
2007-09-24 07:41:03 DEBUG shibtarget.RequestMapper [3744] shib_check_user: 
mapped https://dev-boproto01.stage.root:443/secure/ to default
2007-09-24 07:41:17 DEBUG shibtarget.RequestMapper [3744] shib_handler: 
mapped https://dev-boproto01.stage.root:443/Shibboleth.sso/ADFS/ to default
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting 
errorType -> SAMLException
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting 
errorText -> Shibboleth handler invoked at an unconfigured location.
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting 
errorType -> Shibboleth Handler Error
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting 
requestURL -> https://dev-boproto01.stage.root/Shibboleth.sso/ADFS/
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: processing 
stream
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting 
now -> Mon Sep 24 07:41:17 2007

2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: Processing 
string
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting 
now -> Mon Sep 24 07:41:17 2007

2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: Processing 
string
2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: inserting 
now -> Mon Sep 24 07:41:17 2007

2007-09-24 07:41:17 DEBUG shibtarget.ShibMLP [3744] shib_handler: Processing 
string
2007-09-24 07:41:17 DEBUG shibtarget.RequestMapper [3744] shib_handler: 
mapped https://dev-boproto01.stage.root:443/shibboleth-sp/main.css to default
2007-09-24 07:41:17 DEBUG shibtarget.RequestMapper [3744] shib_handler: 
mapped https://dev-boproto01.stage.root:443/shibboleth-sp/logo.jpg to default

This happens after I go to https://dev-proto01.stage.root/secure.  First, I 
am forwarded to a login page for ADFS.  I login successfully but then I hit a 
page with this message, "Session Creation Failure."  Has anyone ran into this 
problem?  Also, does anyone else have any experience with the type of pairing 
above.

Thanks,
Eliot

-----Original Message-----
From: Scott Cantor 
[mailto:]
Sent: Thursday, September 13, 2007 2:41 PM
To: 

Subject: RE: Questions about shibboleth

> 1. Is there a developer's guide/resource available.  After shibboleth
> is setup, how can a developer leverage it in existing java based
> applications?

Generally, you don't. Write your application to obtain attribute information 
from REMOTE_USER or other headers using names you're comfortable with, and 
that's it.

If you don't want to or can't rely on the software for session management, 
isolate the app parts that involve authentication UI and invoking it to the 
edges and you can glue it to Shibboleth using some simple redirects.

The goal is not to tie your application to Shibboleth, to the extent that 
it's possible to avoid it. We don't want to lock you in.

> 2. Can I have shibboleth and adfs in the same federation?  I have seen
> examples of shibboleth and adfs interoperate, but never in the same
> federation.

There's no such thing as a federation to the software, so the answer is not a 
technical one. If your federation is supplying all of your metadata, then 
it's up to the federation to supply metadata advertising ADFS support. If it 
doesn't, then you'd be on your own to support and deploy it.

Discovery complicates any multi-protocol deployment, and if you hand off 
control to a WAYF, you're done, unless you change it to support ADFS and/or 
handle protocol translation.

The 1.3 SP has rudimentary capabilities to handle protocol selection, but 
works better if the IdP in question only supports one or the other. The 2.0 
SP will have a somewhat more flexible protocol precedence mechanism, but it 
still can't deal with discovery by itself.

> 3. In the end I would like to accomplish the following: login into a
> shibboleth aware application and then try to use a adfs based
> application without having to log back in (and vice-versa).  Is this
> possible?  If so, is there a document I can walkthrough to figure this out?

That's not even a Shibboleth issue, it's a "how you do authentication"
issue. SSO in 1.3 is a function of the login mechanism, not the IdP or which 
protocol you use later.

-- Scott



The information transmitted in this email is intended only for the person(s) 
or entity to which it is addressed and may contain confidential and/or 
privileged material. Any review, retransmission, dissemination or other use 
of, or taking of any action in reliance upon, this information by persons or 
entities other than the intended recipient is prohibited. If you received 
this email in error, please contact the sender and permanently delete the 
email from any computer.