shibboleth-dev - MySQL shared cache and ADFS
Subject: Shibboleth Developers
List archive
- From: giacomo tenaglia <>
- To:
- Subject: MySQL shared cache and ADFS
- Date: Thu, 22 Nov 2007 16:00:57 +0100
Hi,
I'm trying to interface a load balanced SP with ADFS. I've set up a
shared remote MySQL session cache using the patch from Stanford.
The cache works well with a Shibboleth IdP, but doesn't with ADFS, I got
this error:
-----------------------------------------------------------------------
2007-11-22 15:26:48 DEBUG shibtarget.SessionCache [0] sessionGet find:
searching memory cache for key (_f2743292e6c10fda9f63da38657060bf)
2007-11-22 15:26:48 DEBUG shibtarget.SessionCache [0] sessionGet find: No
match found
2007-11-22 15:26:48 DEBUG shibmysql.SessionCache [0] sessionGet find: Looking
in database...
2007-11-22 15:26:48 DEBUG shibmysql.SessionCache [0] sessionGet find: Match
found. Parsing...
2007-11-22 15:26:48 CRIT shibmysql.SessionCache [0] sessionGet find: no
matching IdP role for profile (32) found for identity provider
(https://cern.ch/login) responsible for the session.
2007-11-22 15:26:48 DEBUG shibtarget.Listener [0] sessionGet: session not
found
-----------------------------------------------------------------------
I looked in the source code, and found out that it searches for a role
matching SAML profiles only, (32 is ADFS_SSO profile):
-----------------------------------------------------------------------
const IRoleDescriptor* role=NULL;
if (profile==SAML11_POST || profile==SAML11_ARTIFACT)
role=provider->getIDPSSODescriptor(saml::XML::SAML11_PROTOCOL_ENUM);
else if (profile==SAML10_POST || profile==SAML10_ARTIFACT)
role=provider->getIDPSSODescriptor(saml::XML::SAML10_PROTOCOL_ENUM);
if (!role) {
log->crit(
"no matching IdP role for profile (%s) found for identity
provider (%s) responsible for the session.", row[4], row[5]
);
mysql_free_result(rows);
return NULL;
}
-----------------------------------------------------------------------
So I've looked at the adfs code, and found out that maybe adding another
check like that:
-----------------------------------------------------------------------
else if (profile==ADFS_SSO)
role=entity->getIDPSSODescriptor(adfs::XML::WSFED_NS);
-----------------------------------------------------------------------
can work. What I don't know is if I have to change other things in the
cache code.. do you have any idea?
Thanks,
giacomo
--
giacomo tenaglia
Technical Student at CERN IT/DES-SIS
Phone +41 76 5003376 -
sip:
- MySQL shared cache and ADFS, giacomo tenaglia, 11/22/2007
- Re: MySQL shared cache and ADFS, Scott Cantor, 11/22/2007
Archive powered by MHonArc 2.6.16.