shibboleth-dev - Re: Shib 2.0: ADFS integration


Re: Shib 2.0: ADFS integration


  • From: giacomo tenaglia <>
  • To:
  • Subject: Re: Shib 2.0: ADFS integration
  • Date: Wed, 19 Dec 2007 15:42:02 +0100

On Tue, Dec 18, 2007 at 11:17:31AM -0500, Scott Cantor wrote:
> > I'm not getting any error, as I wrote on Friday... basically the
> > SessionInitiator is ignored.
>
> I don't think I can reproduce that. I posted the example of what I used, and
> it did what I expected. I'll tweak the metadata to produce a "correct"
> request to make sure it's still redirecting properly, but there's no reason
> for that to be a problem since it's running the handler just fine.
>
> Please send me the SessionInitiator element you're using now (either by
> itself or in a chain), and the metadata file you said is working with 1.3.

I'm using this standalone SessionInitiator:

<SessionInitiator type="ADFS" Location="/Login" id="adfs" isDefault="true"
relayState="cookie" entityID="https://cern.ch/login"/>

Here is the metadata working with 1.3:

-----------------------------------------------------------------------

<EntitiesDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata
      /usr/share/xml/shibboleth/saml-schema-metadata-2.0.xsd
      urn:mace:shibboleth:metadata:1.0 @-PKGXMLDIR-@/shibboleth-metadata-1.0.xsd
      http://www.w3.org/2000/09/xmldsig# @-PKGXMLDIR-@/xmldsig-core-schema.xsd"
    Name="urn:mace:shibboleth:examples"
    validUntil="2010-01-01T00:00:00Z">

  <EntityDescriptor entityID="https://cern.ch/login">
    <IDPSSODescriptor
        protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2003/07/secext">
      <Extensions>
        <shibmd:Scope>cern.ch</shibmd:Scope>
      </Extensions>
      <KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:X509Data>
            <ds:X509Certificate>
[certificate omitted]
            </ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </KeyDescriptor>
      <SingleSignOnService
          Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
          Location="https://login.cern.ch/adfs/ls/LoginForm.aspx"/>
    </IDPSSODescriptor>

    <SPSSODescriptor
        protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2003/07/secext">
      <AssertionConsumerService
          Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
          Location="https://login.cern.ch/adfs/ls/LoginForm.aspx" index="1"/>
    </SPSSODescriptor>

  </EntityDescriptor>
</EntitiesDescriptor>

-----------------------------------------------------------------------

With 1.3 I was using this SessionInitiator:

<SessionInitiator isDefault="true" id="Twiki beta" Location="/"
    Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
    wayfURL="https://login.cern.ch/adfs/ls/LoginForm.aspx"
    wayfBinding="http://schemas.xmlsoap.org/ws/2003/07/secext"/>

and everything worked. Yes, I know the Location is "/", but this was the
standard setup given by the ADFS administrators (and in any case 2.0 does not
work with Location="/" either).

giacomo

--
giacomo tenaglia
Technical Student at CERN IT/DES-SIS
CNR Biblioteca d'Area di Bologna - http://biblio.bo.cnr.it
Phone +41 76 5003376 -
sip:

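As an added example (not part of the original post or of the Shibboleth project), a small Python check of the kind worth running before blaming the SessionInitiator: it verifies that the entityID the initiator points at resolves, in the loaded metadata, to an IDPSSODescriptor that actually offers a SingleSignOnService for the WS-Federation binding the ADFS initiator needs, and reports an expired validUntil, since the SP rejects expired metadata outright. The metadata string is a constructed sample modelled on the file quoted above, with the certificate omitted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# The WS-Federation binding URI that the ADFS SessionInitiator relies on (as in the post's metadata).
WSFED = "http://schemas.xmlsoap.org/ws/2003/07/secext"

# Constructed sample modelled on the metadata quoted in the post; certificate omitted.
METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" validUntil="2010-01-01T00:00:00Z">
  <EntityDescriptor entityID="https://cern.ch/login">
    <IDPSSODescriptor protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2003/07/secext">
      <Extensions><shibmd:Scope>cern.ch</shibmd:Scope></Extensions>
      <SingleSignOnService Binding="http://schemas.xmlsoap.org/ws/2003/07/secext"
          Location="https://login.cern.ch/adfs/ls/LoginForm.aspx"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def _utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by validUntil into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_initiator(metadata_xml, entity_id, binding=WSFED, now=None):
    """Return the problems that would stop a SessionInitiator pointing at entity_id
    from finding a usable IdP endpoint; an empty list means the metadata is consistent."""
    problems = []
    root = ET.fromstring(metadata_xml)
    current = _utc(now) if now else datetime.now(timezone.utc)
    # Expired metadata is discarded by the SP, so no endpoint would ever be found.
    valid_until = root.get("validUntil")
    if valid_until and _utc(valid_until) <= current:
        problems.append(f"validUntil {valid_until} has passed")
    entity = next((e for e in root.iter(f"{{{MD}}}EntityDescriptor")
                   if e.get("entityID") == entity_id), None)
    if entity is None:
        return problems + [f"no EntityDescriptor with entityID {entity_id}"]
    idp = entity.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["entity has no IDPSSODescriptor"]
    if binding not in idp.get("protocolSupportEnumeration", "").split():
        problems.append(f"IdP does not list {binding} in protocolSupportEnumeration")
    endpoints = [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
                 if s.get("Binding") == binding]
    if not endpoints:
        problems.append(f"no SingleSignOnService with Binding {binding}")
    return problems


if __name__ == "__main__":
    for problem in check_initiator(METADATA, "https://cern.ch/login"):
        print("problem:", problem)  # run today, the sample's 2010 validUntil is reported as expired
```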

