shibboleth-dev - Re: Still getting Error with SAML 2.0 binding
Subject: Shibboleth Developers
List archive
- From: Franck Borel <>
- To:
- Subject: Re: Still getting Error with SAML 2.0 binding
- Date: Mon, 17 Dec 2007 11:20:22 +0100
- Delivery-date: Mon, 17 Dec 2007 11:20:23 +0100
Hi Chad,
thank you for helping a blind man across the street! Now it works :-)!
Chad La Joie wrote:
You don't have SAML 2 listed in the supported protocol enumeration. The URN you want is "urn:oasis:names:tc:SAML:2.0:protocol". Don't forget to add it to your Attribute Authority descriptor as well.
Franck Borel wrote:
Hi all,
I am at my wit's end. What is wrong?
My Service Provider tells me:
---------------------------
2007-12-17 10:48:27 INFO Shibboleth.Application : building CredentialResolver of type File...
2007-12-17 10:48:27 INFO XMLTooling.StorageService : cleanup thread started...running every 900 seconds
2007-12-17 10:48:27 INFO Shibboleth.Listener : registered remoted message endpoint (default::getHeaders::Application)
2007-12-17 10:48:27 INFO Shibboleth.Listener : listener service starting
2007-12-17 10:49:02 ERROR Shibboleth.SessionInitiator.SAML2 [1]: unable to locate SAML 2.0 identity provider role for provider (https://idp.aar.vascoda.de)
My metadata:
-----------
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor
Name="urn:mace:ub.uni-freiburg.de:aartest"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd
urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd
http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
validUntil="2010-01-01T00:00:00Z">
<EntityDescriptor entityID="https://idp.aar.vascoda.de">
<IDPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIFcjCCBFqgAwIBAgIECwSAeDANBgkqhkiG9w0BAQUFADCBhjELMAkGA1UEBhMC
REUxHjAcBgNVBAoTFVVuaXZlcnNpdGFldCBGcmVpYnVyZzEWMBQGA1UECxMNUmVj
aGVuemVudHJ1bTEYMBYGA1UEAxMPVW5pLUZSIENBIC0gRzAyMSUwIwYJKoZIhvcN
AQkBFhZwa2lAcnoudW5pLWZyZWlidXJnLmRlMB4XDTA3MDkxMDA4NDAxMFoXDTEy
MDkwODA4NDAxMFowgY8xCzAJBgNVBAYTAkRFMR4wHAYDVQQKExVVbml2ZXJzaXRh
ZXQgRnJlaWJ1cmcxIDAeBgNVBAsTF1VuaXZlcnNpdGFldHNiaWJsaW90aGVrMRcw
FQYDVQQDEw5hYXIudmFzY29kYS5kZTElMCMGCSqGSIb3DQEJARYWZWR2QHViLnVu
aS1mcmVpYnVyZy5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM72
dnuf7jbWPdmG5NIMmbeXmY3QCJWZrSJkkTn4Gz98x5I30t3IIx5K+N4BpkIIeU57
PUMuZZX34+aZ+AYzC2okoiMfhWHsRzy4wHMqn4rPLWTSuit0/77s0CcDx+PjINds
TUOIb5md84DUBlDUcLDPO7H/EYGfiM6D0+/4Jw5hRwxkckiOA4vTdg/QSvsuMgrD
ozTuByxm6OTyVzjNNnJQXCnP2pzGKoA2iola1Nogm92NUMmRYp5qgjYRitPKgi+H
zUiV2tYP+JJV0z/aohz8/CalFlLOkVDDma8yrETK6PHgha2iC/ONbyiTe8M2jnC5
WroDGXvu1Y+TS8UG+18CAwEAAaOCAdswggHXMAkGA1UdEwQCMAAwCwYDVR0PBAQD
AgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUd1b3
YadJbYr9uuBSPrOzeILf2YYwHwYDVR0jBBgwFoAUM2ep1vGTVTasoTK9weSWOf9M
cDEwIQYDVR0RBBowGIEWZWR2QHViLnVuaS1mcmVpYnVyZy5kZTCBjwYDVR0fBIGH
MIGEMECgPqA8hjpodHRwOi8vY2RwMS5wY2EuZGZuLmRlL3VuaS1mcmVpYnVyZy1j
YS9wdWIvY3JsL2dfY2FjcmwuY3JsMECgPqA8hjpodHRwOi8vY2RwMi5wY2EuZGZu
LmRlL3VuaS1mcmVpYnVyZy1jYS9wdWIvY3JsL2dfY2FjcmwuY3JsMIGoBggrBgEF
BQcBAQSBmzCBmDBKBggrBgEFBQcwAoY+aHR0cDovL2NkcDEucGNhLmRmbi5kZS91
bmktZnJlaWJ1cmctY2EvcHViL2NhY2VydC9nX2NhY2VydC5jcnQwSgYIKwYBBQUH
MAKGPmh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvdW5pLWZyZWlidXJnLWNhL3B1Yi9j
YWNlcnQvZ19jYWNlcnQuY3J0MA0GCSqGSIb3DQEBBQUAA4IBAQAqjzTOichvi4Qh
n8f4V4XNLUn4Up5W8JPpynYGc03j2Yl9W29KHed2Oo8X6IJZSQ2FbgOZHv/4rICg
a6u3ZI82I1bIfkAzkNy6aAb/Rc9abYUN3RJls3f53lNn2myd44IT8j1Bd4e/fmD3
0HRHy7voWTzHpFqPOcrczQCUTyTS/JNuB9nfqqLQqkIPcLibvDwuKOjbt8v4/+Zf
BsB/2KVJ0Ts+B515eFaMVdKLiBzt0PCymkbiCVVjR41HahZ3DvDFKnk4WyRXb6oK
bf5VqM25B+KOvHgkH9TFKMoAS0EJ8njaRtxL73LD+aMjVVtVY8XxPWn2pDC42Mik
rqeh/auD
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
<ArtifactResolutionService
index="1"
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://132.230.25.131:8443/shibboleth-idp/profile/SAML1/SOAP/ArtifactResolution" />
<!-- This tells the SP where/how to resolve SAML 2.0 artifacts into SAML messages. -->
<ArtifactResolutionService
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://132.230.25.131:8443/shibboleth-idp/profile/SAML2/SOAP/ArtifactResolution" />
<SingleSignOnService
Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="https://132.230.25.131/shibboleth-idp/profile/Shibboleth/SSO" />
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://132.230.25.131/shibboleth-idp/profile/SAML2/Redirect/SSO" />
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://132.230.25.131/shibboleth-idp/profile/SAML2/POST/SSO" />
</IDPSSODescriptor>
<AttributeAuthorityDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AttributeService
Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://132.230.25.131:8443/shibboleth-idp/profiles/SAML1/SOAP/AttributeQuery" />
<AttributeService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://132.230.25.131:8443/shibboleth-idp/profiles/SAML2/SOAP/AttributeQuery" />
</AttributeAuthorityDescriptor>
<Organization>
<OrganizationName xml:lang="de">Demo AAR</OrganizationName>
<OrganizationDisplayName xml:lang="de">
Demo AAR
</OrganizationDisplayName>
<OrganizationURL xml:lang="de">
http://aar.vascoda.de/
</OrganizationURL>
</Organization>
<ContactPerson contactType="technical">
<GivenName>DEMOaar</GivenName>
<EmailAddress></EmailAddress>
</ContactPerson>
</EntityDescriptor>
<EntityDescriptor entityID="https://sp.aar.vascoda.de">
<SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<AssertionConsumerService
Location="https://132.230.25.131/Shibboleth.sso/SAML2/POST"
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
<AssertionConsumerService
Location="https://132.230.25.131/Shibboleth.sso/SAML/POST"
index="2"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
</SPSSODescriptor>
<Organization>
<OrganizationName xml:lang="de">DEMOaar</OrganizationName>
<OrganizationDisplayName xml:lang="de">
DEMOaar
</OrganizationDisplayName>
<OrganizationURL xml:lang="de">
http://aar.vascoda.de
</OrganizationURL>
</Organization>
<ContactPerson contactType="technical">
<SurName>Support</SurName>
<EmailAddress></EmailAddress>
</ContactPerson>
</EntityDescriptor>
</EntitiesDescriptor>
My shibboleth2.xml
---------------
<SPConfig
xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:native:sp:config /usr/share/xml/shibboleth/shibboleth-2.0-native-sp-config.xsd"
logger="/etc/shibboleth/syslog.logger"
clockSkew="180">
<!-- The OutOfProcess section contains properties affecting the shibd daemon. -->
<OutOfProcess logger="/etc/shibboleth/shibd.logger">
<!--
<Extensions>
<Library path="/usr/lib/shibboleth/adfs.so" fatal="true"/>
<Library path="/usr/lib/shibboleth/odbc-store.so" fatal="true"/>
</Extensions>
-->
</OutOfProcess>
<!-- The InProcess section contains settings affecting web server modules/filters. -->
<InProcess logger="/etc/shibboleth/native.logger">
<!--
<Extensions>
<Library path="/usr/lib/shibboleth/adfs-lite.so" fatal="true"/>
</Extensions>
-->
</InProcess>
<!-- Only one listener can be defined, to connect in process modules to shibd. -->
<UnixListener address="/var/run/shibboleth/shibd.sock" />
<!-- <TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/> -->
<!-- This set of components stores sessions and other persistent data in daemon memory. -->
<StorageService
type="Memory"
id="mem"
cleanupInterval="900" />
<SessionCache
type="StorageService"
StorageService="mem"
cacheTimeout="3600"
inprocTimeout="900"
cleanupInterval="900" />
<ReplayCache StorageService="mem" />
<ArtifactMap artifactTTL="180" />
<!-- This set of components stores sessions and other persistent data in an ODBC database. -->
<!--
<StorageService type="ODBC" id="db" cleanupInterval="900">
<ConnectionString>
DRIVER=drivername;SERVER=dbserver;UID=shibboleth;PWD=password;DATABASE=shibboleth;APP=Shibboleth
</ConnectionString>
</StorageService>
<SessionCache type="StorageService" StorageService="db" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="db"/>
<ArtifactMap StorageService="db" artifactTTL="180"/>
-->
<!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<!--
The example requires a session for documents in /secure on the containing host with http and
https on the default ports. Note that the name and port in the <Host> elements MUST match
Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element
below.
-->
<Host name="132.230.25.131">
<Path
name="secure"
authType="shibboleth"
requireSession="true">
<!-- Example shows the folder "/secure/admin" assigned to a separate <Application> -->
<!--
<Path name="admin" applicationId="foo-admin"/>
-->
</Path>
</Host>
</RequestMap>
</RequestMapper>
<!--
The Applications section is where most of Shibboleth's SAML bits are defined.
Resource requests are mapped in the Local section into an applicationId that
points into to this section.
-->
<Applications
id="default"
policyId="default"
entityID="https://sp.aar.vascoda.de"
homeURL="http://132.230.25.131"
REMOTE_USER="eppn persistent-id targeted-id"
localLogout="/etc/shibboleth/localLogout.html"
globalLogout="/etc/shibboleth/globalLogout.html">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value can be a relative path, a URL with no hostname (https:///path) or a full URL.
The system can compute a relative value based on the virtual host. Using handlerSSL="true"
will force the protocol to be https. You should also add a cookieProps setting of "; path=/; secure"
in that case. Note that while we default checkAddress to "false", this has a negative
impact on the security of the SP. Stealing cookies/sessions is much easier with this disabled.
-->
<Sessions
lifetime="28800"
timeout="3600"
checkAddress="false"
handlerURL="/Shibboleth.sso"
handlerSSL="false"
exportLocation="https://localhost/Shibboleth.sso/GetAssertion"
idpHistory="false"
idpHistoryDays="7">
<!--
SessionInitiators handle session requests and relay them to a Discovery page,
or to an IdP if possible. Automatic session setup will use the default or first
element (or requireSessionWith can specify a specific id to use).
-->
<!-- Default example directs to a specific IdP's SSO service (favoring SAML 2 over Shib 1). -->
<SessionInitiator
type="Chaining"
Location="/Login"
isDefault="true"
id="Intranet"
relayState="cookie"
entityID="https://idp.aar.vascoda.de">
<SessionInitiator
type="SAML2"
defaultACSIndex="1"
template="/etc/shibboleth/bindingTemplate.html" />
<SessionInitiator
type="Shib1"
defaultACSIndex="5" />
</SessionInitiator>
<!-- An example using an old-style WAYF, which means Shib 1 only unless an entityID is provided. -->
<SessionInitiator
type="Chaining"
Location="/WAYF"
id="WAYF"
relayState="cookie">
<SessionInitiator
type="SAML2"
defaultACSIndex="1"
template="/etc/shibboleth/bindingTemplate.html" />
<SessionInitiator
type="Shib1"
defaultACSIndex="5" />
<!-- <SessionInitiator type="ADFS"/> -->
<SessionInitiator
type="WAYF"
defaultACSIndex="5"
URL="https://132.230.25.131/DEMOaar/WAYF" />
</SessionInitiator>
<!-- An example supporting the new-style of discovery service. -->
<SessionInitiator
type="Chaining"
Location="/DS"
id="DS"
relayState="cookie">
<SessionInitiator
type="SAML2"
defaultACSIndex="1"
template="/etc/shibboleth/bindingTemplate.html" />
<SessionInitiator
type="Shib1"
defaultACSIndex="5" />
<!-- <SessionInitiator type="ADFS"/> -->
<SessionInitiator
type="SAMLDS"
URL="https://132.230.25.131/DS" />
</SessionInitiator>
<!--
md:AssertionConsumerService locations handle specific SSO protocol bindings,
such as SAML 2.0 POST or SAML 1.1 Artifact. The isDefault and index attributes
are used when sessions are initiated to determine how to tell the IdP where and
how to return the response.
-->
<md:AssertionConsumerService
Location="/SAML2/POST"
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
<md:AssertionConsumerService
Location="/SAML2/POST-SimpleSign"
index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" />
<md:AssertionConsumerService
Location="/SAML2/Artifact"
index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" />
<md:AssertionConsumerService
Location="/SAML2/ECP"
index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" />
<md:AssertionConsumerService
Location="/SAML/POST"
index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" />
<md:AssertionConsumerService
Location="/SAML/Artifact"
index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" />
<!--
<md:AssertionConsumerService Location="/ADFS" index="7"
Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>
-->
<!-- LogoutInitiators enable SP-initiated local or global/single logout of sessions. -->
<LogoutInitiator
type="Chaining"
Location="/Logout">
<LogoutInitiator
type="SAML2"
template="/etc/shibboleth/bindingTemplate.html" />
<!-- <LogoutInitiator type="ADFS"/> -->
<LogoutInitiator type="Local" />
</LogoutInitiator>
<!-- md:SingleLogoutService locations handle single logout (SLO) protocol messages. -->
<md:SingleLogoutService
Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" />
<md:SingleLogoutService
Location="/SLO/Redirect"
conf:template="/etc/shibboleth/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />
<md:SingleLogoutService
Location="/SLO/POST"
conf:template="/etc/shibboleth/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
<md:SingleLogoutService
Location="/SLO/Artifact"
conf:template="/etc/shibboleth/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" />
<!-- md:ManageNameIDService locations handle NameID management (NIM) protocol messages. -->
<md:ManageNameIDService
Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" />
<md:ManageNameIDService
Location="/NIM/Redirect"
conf:template="/etc/shibboleth/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />
<md:ManageNameIDService
Location="/NIM/POST"
conf:template="/etc/shibboleth/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
<md:ManageNameIDService
Location="/NIM/Artifact"
conf:template="/etc/shibboleth/bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" />
<!--
md:ArtifactResolutionService locations resolve artifacts issued when using the
SAML 2.0 HTTP-Artifact binding on outgoing messages, generally uses SOAP.
-->
<md:ArtifactResolutionService
Location="/Artifact/SOAP"
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" />
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler
type="MetadataGenerator"
Location="/Metadata"
signing="false" />
<!-- Status reporting service. -->
<Handler
type="Status"
Location="/Status"
acl="127.0.0.1" />
<!-- Session diagnostic service. -->
<Handler
type="Session"
Location="/Session" />
</Sessions>
<!--
You should customize these pages! You can add attributes with values that can be plugged
into your templates. You can remove the access attribute to cause the module to return a
standard 403 Forbidden error code if authorization fails, and then customize that condition
using your web server.
-->
<Errors
session="/etc/shibboleth/sessionError.html"
metadata="/etc/shibboleth/metadataError.html"
access="/etc/shibboleth/accessError.html"
ssl="/etc/shibboleth/sslError.html"
supportContact=""
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css" />
<!-- Configure handling of outgoing messages and SOAP authentication. -->
<DefaultRelyingParty
authType="TLS"
artifactEndpointIndex="1"
signing="false"
encryption="false">
<!-- Uncomment and modify to tweak settings for specific IdPs or groups. -->
<!-- <RelyingParty Name="SpecialFederation" keyName="SpecialKey"/> -->
</DefaultRelyingParty>
<!-- Chains together all your metadata sources. -->
<MetadataProvider type="Chaining">
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" uri="http://federation.org/federation-metadata.xml"
backingFilePath="/var/run/shibboleth/federation-metadata.xml" reloadInterval="7200">
<SignatureMetadataFilter certificate="/etc/shibboleth/fedsigner.pem"/>
</MetadataProvider>
-->
<!-- Example of locally maintained metadata. -->
<MetadataProvider
type="XML"
file="/data/share/metadata/DEMO2-metadata.xml" />
</MetadataProvider>
<!-- Chain the two built-in trust engines together. -->
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey" />
<TrustEngine type="PKIX" />
</TrustEngine>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor
type="XML"
path="/etc/shibboleth/attribute-map.xml" />
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" />
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter
type="XML"
path="/etc/shibboleth/attribute-policy.xml" />
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File">
<Key>
<Path>/etc/apache2/ssl.key/aar.vascoda.de.key</Path>
</Key>
<Certificate>
<Path>/etc/apache2/ssl.crt/aar.vascoda.de.crt</Path>
</Certificate>
</CredentialResolver>
<!-- Advanced resolver allowing for multiple keypairs. -->
<!--
<CredentialResolver type="Chaining">
<CredentialResolver type="File">
<Key>
<Name>DefaultKey</Name>
<Path>/etc/shibboleth/sp-example.key</Path>
</Key>
<Certificate>
<Path>/etc/shibboleth/sp-example.crt</Path>
</Certificate>
</CredentialResolver>
<CredentialResolver type="File">
<Key>
<Name>SpecialKey</Name>
<Path>/etc/shibboleth/special.key</Path>
</Key>
<Certificate>
<Path>/etc/shibboleth/special.crt</Path>
</Certificate>
</CredentialResolver>
</CredentialResolver>
-->
</Applications>
<!-- Each policy defines a set of rules to use to secure messages. -->
<SecurityPolicies>
<!-- The predefined policy enforces replay/freshness and permits signing and client TLS. -->
<Policy
id="default"
validate="false"
signedAssertions="false"
requireConfidentiality="true"
requireTransportAuth="true"
chunkedEncoding="false"
connectTimeout="15"
timeout="30">
<Rule
type="MessageFlow"
checkReplay="true"
expires="60" />
<Rule
type="ClientCertAuth"
errorFatal="true" />
<Rule
type="XMLSigning"
errorFatal="true" />
<Rule
type="SimpleSigning"
errorFatal="true" />
</Policy>
</SecurityPolicies>
</SPConfig>
Thanks!
-- Franck
--
Best regards
Franck Borel
**************************************************************************
Dipl.-Hyd. Franck Borel Telefon: +49[0]761-203 3908
Universitätsbibliothek Fax : +49[0]761-203 3987
Platz der Universität 2 E-Mail :
WWW : http://www.ub.uni-freiburg.de
D-79098 Freiburg
**************************************************************************
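The check behind the SP's "unable to locate SAML 2.0 identity provider role" error, written out as an added example (my own code, not from the thread and not part of the Shibboleth SP). The SP only considers an IdP for its SAML2 SessionInitiator if the IdP's IDPSSODescriptor lists urn:oasis:names:tc:SAML:2.0:protocol in protocolSupportEnumeration, and the same applies to the AttributeAuthorityDescriptor for attribute queries. The metadata below is a constructed, shortened copy of the posted IdP entry (certificates and most endpoints dropped); the fixed variant applies the reply's suggestion to both roles. The script also flags the two ArtifactResolutionService elements that share index="1" in the posted metadata (the metadata schema requires that index to be unique per endpoint type) and the validUntil date, which has long since passed; POST_TIME is assumed to be the time of the SP log line so the example reproduces the situation as it was then.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
IDP_ENTITY_ID = "https://idp.aar.vascoda.de"
# Assumed: the time of the SP log line in the thread, so validUntil is judged as it was then.
POST_TIME = datetime(2007, 12, 17, 10, 49, 2, tzinfo=timezone.utc)

# Constructed, shortened copy of the posted IdP entry; protocolSupportEnumeration
# values and the duplicated ArtifactResolutionService index are kept as posted.
BROKEN_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:ub.uni-freiburg.de:aartest" validUntil="2010-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://idp.aar.vascoda.de">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
      <ArtifactResolutionService index="1" Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
          Location="https://132.230.25.131:8443/shibboleth-idp/profile/SAML1/SOAP/ArtifactResolution"/>
      <ArtifactResolutionService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://132.230.25.131:8443/shibboleth-idp/profile/SAML2/SOAP/ArtifactResolution"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://132.230.25.131/shibboleth-idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://132.230.25.131:8443/shibboleth-idp/profiles/SAML2/SOAP/AttributeQuery"/>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# The fix from the reply: announce SAML 2.0 in both roles. The duplicate index is renumbered too.
FIXED_METADATA = (BROKEN_METADATA
    .replace('protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"',
             'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol '
             'urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"')
    .replace('protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">',
             'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol '
             'urn:oasis:names:tc:SAML:1.1:protocol">')
    .replace('index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"',
             'index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"'))


def q(local):
    """Qualified tag name in the SAML 2.0 metadata namespace."""
    return "{%s}%s" % (MD_NS, local)


def local_name(tag):
    return tag.split("}", 1)[-1]


def find_entity(root, entity_id):
    for ed in root.iter(q("EntityDescriptor")):
        if ed.get("entityID") == entity_id:
            return ed
    return None


def role_supports(role, protocol):
    """protocolSupportEnumeration is a whitespace-separated list of protocol URIs."""
    return protocol in (role.get("protocolSupportEnumeration") or "").split()


def check_idp(metadata_xml, entity_id, now=None):
    """Return the problems a SAML 2.0 SP would hit with this IdP entry (empty list = usable)."""
    # ElementTree is fine for metadata you maintain yourself; parse untrusted XML with defusedxml.
    root = ET.fromstring(metadata_xml)
    findings = []
    valid_until = root.get("validUntil")  # only the EntitiesDescriptor carries it in the posted file
    if valid_until:
        expires = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if (now or datetime.now(timezone.utc)) > expires:
            findings.append("metadata expired at %s" % valid_until)
    entity = find_entity(root, entity_id)
    if entity is None:
        findings.append("entity %s not found" % entity_id)
        return findings
    for role_name in ("IDPSSODescriptor", "AttributeAuthorityDescriptor"):
        role = entity.find(q(role_name))
        if role is None:
            findings.append("%s role missing" % role_name)
            continue
        # This is the lookup that failed in the thread: SAML 2.0 endpoints in a role
        # that does not announce the SAML 2.0 protocol are never considered.
        if not role_supports(role, SAML2_PROTOCOL):
            findings.append("%s does not list %s" % (role_name, SAML2_PROTOCOL))
        seen = set()
        for ep in role:  # indexed endpoints must carry unique index values per endpoint type
            idx = ep.get("index")
            if idx is None:
                continue
            key = (local_name(ep.tag), idx)
            if key in seen:
                findings.append("%s: duplicate %s index=%s" % (role_name, key[0], idx))
            seen.add(key)
    return findings


def main():
    for label, md in (("as posted", BROKEN_METADATA), ("with the fix applied", FIXED_METADATA)):
        print("%s: %s" % (label, check_idp(md, IDP_ENTITY_ID, now=POST_TIME) or "no problems"))
    # Checked today, even the fixed metadata is rejected: validUntil passed in 2010.
    print("fixed, checked now:", check_idp(FIXED_METADATA, IDP_ENTITY_ID))


if __name__ == "__main__":
    main()
```

Run against a real federation file, the only change needed is reading the XML from disk and passing the IdP's entityID; the validUntil check matters in practice because an SP silently ignores expired metadata, which produces the same "unable to locate" symptom as a missing protocol URN.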
- Still getting Error with SAML 2.0 binding, Franck Borel, 12/17/2007
- Re: Still getting Error with SAML 2.0 binding, Chad La Joie, 12/17/2007
- Re: Still getting Error with SAML 2.0 binding, Franck Borel, 12/17/2007
- Re: Still getting Error with SAML 2.0 binding, Chad La Joie, 12/17/2007