shibboleth-dev - MySQL shared cache and ADFS

Subject: Shibboleth Developers

  • From: giacomo tenaglia <>
  • To:
  • Subject: MySQL shared cache and ADFS
  • Date: Thu, 22 Nov 2007 16:00:57 +0100

Hi,
I'm trying to interface a load balanced SP with ADFS. I've set up a
shared remote MySQL session cache using the patch from Stanford.
The cache works well with a Shibboleth IdP, but not with ADFS; I get
this error:

-----------------------------------------------------------------------
2007-11-22 15:26:48 DEBUG shibtarget.SessionCache [0] sessionGet find: searching memory cache for key (_f2743292e6c10fda9f63da38657060bf)
2007-11-22 15:26:48 DEBUG shibtarget.SessionCache [0] sessionGet find: No match found
2007-11-22 15:26:48 DEBUG shibmysql.SessionCache [0] sessionGet find: Looking in database...
2007-11-22 15:26:48 DEBUG shibmysql.SessionCache [0] sessionGet find: Match found. Parsing...
2007-11-22 15:26:48 CRIT shibmysql.SessionCache [0] sessionGet find: no matching IdP role for profile (32) found for identity provider (https://cern.ch/login) responsible for the session.
2007-11-22 15:26:48 DEBUG shibtarget.Listener [0] sessionGet: session not found
-----------------------------------------------------------------------

I looked in the source code and found out that it searches for a role
matching SAML profiles only (32 is the ADFS_SSO profile):

-----------------------------------------------------------------------
// Only the SAML 1.x profiles are mapped to an IdP role; any other
// profile leaves role NULL and the cached session is rejected.
const IRoleDescriptor* role=NULL;
if (profile==SAML11_POST || profile==SAML11_ARTIFACT)
    role=provider->getIDPSSODescriptor(saml::XML::SAML11_PROTOCOL_ENUM);
else if (profile==SAML10_POST || profile==SAML10_ARTIFACT)
    role=provider->getIDPSSODescriptor(saml::XML::SAML10_PROTOCOL_ENUM);
if (!role) {
    log->crit(
        "no matching IdP role for profile (%s) found for identity "
        "provider (%s) responsible for the session.", row[4], row[5]
    );
    mysql_free_result(rows);
    return NULL;
}
-----------------------------------------------------------------------

So I've looked at the ADFS code, and found out that maybe adding another
check like this:

-----------------------------------------------------------------------
else if (profile==ADFS_SSO)
    role=entity->getIDPSSODescriptor(adfs::XML::WSFED_NS);
-----------------------------------------------------------------------

can work. What I don't know is if I have to change other things in the
cache code. Do you have any idea?

Thanks,
giacomo

--
giacomo tenaglia
Technical Student at CERN IT/DES-SIS
Phone +41 76 5003376 -
sip:
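The profile-to-role dispatch discussed in the post, with the proposed ADFS branch added, modelled as a small stand-alone C++ program. This is an added example written for this archive page; it is not code from the post, from the Stanford MySQL cache patch, or from the Shibboleth SP source. The value 32 for ADFS_SSO comes from the post; the other enum values, the protocol namespace URIs, the `MockEntity` and `RoleDescriptor` types and the entityIDs are assumptions constructed for the example. It shows why a cached session whose profile has no branch is rejected (the lookup fails closed), and how the WS-Fed branch lets an ADFS session resolve against an IdP whose metadata carries a WS-Fed role.

```cpp
#include <cstdio>
#include <map>
#include <string>
#include <utility>

// Session-profile identifiers. 32 is ADFS_SSO as stated in the post;
// the other values are constructed for this example only.
enum Profile {
    SAML11_POST     = 1,
    SAML11_ARTIFACT = 2,
    SAML10_POST     = 4,
    SAML10_ARTIFACT = 8,
    ADFS_SSO        = 32
};

// Protocol namespaces a metadata role is looked up by (assumed constants).
static const std::string SAML10_PROTOCOL = "urn:oasis:names:tc:SAML:1.0:protocol";
static const std::string SAML11_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol";
static const std::string WSFED_NS        = "http://schemas.xmlsoap.org/ws/2003/07/secext";

// Minimal stand-in for an IdP role descriptor taken from metadata.
struct RoleDescriptor {
    std::string protocol;
};

// Minimal stand-in for an EntityDescriptor: one IdP role per supported protocol.
class MockEntity {
public:
    explicit MockEntity(std::string id) : entityID(std::move(id)) {}
    void addIdPRole(const std::string& protocol) { roles[protocol] = RoleDescriptor{protocol}; }
    // Mirrors getIDPSSODescriptor(): nullptr when the IdP has no role for the protocol.
    const RoleDescriptor* getIDPSSODescriptor(const std::string& protocol) const {
        auto it = roles.find(protocol);
        return it == roles.end() ? nullptr : &it->second;
    }
    std::string entityID;
private:
    std::map<std::string, RoleDescriptor> roles;
};

// The cache's dispatch with the proposed ADFS branch. A profile with no
// branch still yields nullptr, so an unrecognised session is never accepted.
const RoleDescriptor* findIdPRole(const MockEntity& provider, int profile) {
    const RoleDescriptor* role = nullptr;
    if (profile == SAML11_POST || profile == SAML11_ARTIFACT)
        role = provider.getIDPSSODescriptor(SAML11_PROTOCOL);
    else if (profile == SAML10_POST || profile == SAML10_ARTIFACT)
        role = provider.getIDPSSODescriptor(SAML10_PROTOCOL);
    else if (profile == ADFS_SSO)
        role = provider.getIDPSSODescriptor(WSFED_NS);
    return role;
}

// Models the cache's decision: a stored session is usable only if its
// profile resolves to an IdP role in current metadata; otherwise it is
// logged and rejected, as in the CRIT line from the post.
bool sessionUsable(const MockEntity& provider, int profile) {
    const RoleDescriptor* role = findIdPRole(provider, profile);
    if (!role) {
        std::fprintf(stderr,
            "no matching IdP role for profile (%d) found for identity provider (%s)\n",
            profile, provider.entityID.c_str());
        return false;
    }
    return true;
}

int main() {
    MockEntity adfs("https://idp.example.org/login");      // constructed entityID
    adfs.addIdPRole(WSFED_NS);
    MockEntity saml("https://saml-idp.example.org");       // constructed entityID
    saml.addIdPRole(SAML11_PROTOCOL);

    std::printf("ADFS session vs WS-Fed IdP: %s\n", sessionUsable(adfs, ADFS_SSO) ? "usable" : "rejected");
    std::printf("ADFS session vs SAML IdP:   %s\n", sessionUsable(saml, ADFS_SSO) ? "usable" : "rejected");
    std::printf("SAML11 session vs SAML IdP: %s\n", sessionUsable(saml, SAML11_POST) ? "usable" : "rejected");
    return 0;
}
```

The point worth keeping from the original code is that the role lookup is the only thing standing between a row read back from the shared database and a live session: the dispatch deliberately returns nothing for a profile it does not understand, and adding the WS-Fed branch widens what is accepted only for IdPs whose metadata actually carries a WS-Fed IdP role.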
