shibboleth-dev - RE: OpenID2 to SAML2 to SAML1.1 ... to Shib, anyone?


  • From: Peter Williams <>
  • To: <>
  • Subject: RE: OpenID2 to SAML2 to SAML1.1 ... to Shib, anyone?
  • Date: Wed, 16 Apr 2008 11:09:16 -0700

I'll move now to users.
 
The goal of compiling the Shib2.0 src for win32 was to fix the reason why I cannot get the obvious case you describe to work on IIS7 - and which I tried initially with TestShib: have its metadata-making service configure Shib on the basis that IIS7 is listening on an address that is a simple domain name to which the internet directly routes packets, and Shib intercepts certain URLs to apply its session management controls (as a proxy for access controls).
 
When I did that obvious deployment case on first using TestShib, I found that the Shib filter would not invoke websso, letting the user straight into the /secure resources. Only by trying convoluted configurations could I get websso to even be invoked. Most of those cases tripped over (perfectly reasonable) design assumptions/controls and would not allow completion of end-end working (e.g. POST handler would except, IIS7 would not resolve the final SP redirect, ShibIDP would not accept the entity name in the request).
 
I'll try and do configuration fixing (>50% likelihood) or any bug-fixing for the IIS7 filter (<50% likelihood) on the users list, per the admonishment. Hopefully, someone has documented their IIS7 working example with the TestShib SP, and then I can search out someone who has a working deployment of the ShibSP's ECP feature set, etc. Right now, the goal is to convert about 20h of investment in this stuff to first, simply make *something* work according to simple, traditional, open systems interoperability norms...then second, do some development with the ECP feature set. Perhaps you'll accept me back, once I get to two.
 
Like other colleagues in US realty who took a look at Shib project code, it may be a case that I'm attempting to exploit the wrong layer (they took OpenSAML and very validly put servlet handlers around them, distributing them as a nice & simple "NAR SAML toolkit" that at least one of my spokes is now using, after a week's work starting from ground zero in SAML). What I may really want is OpenSAML and the tooling libraries, not the Shib handler/daemon interaction (which obviously comes with a particular set of architectural concepts built into its layering and distribution model).
 
We will see. I will go read the architectural docs in the wiki.


From: Scott Cantor
Sent: Wed 4/16/2008 7:46 AM
To:
Subject: RE: OpenID2 to SAML2 to SAML1.1 ... to Shib, anyone?

> Using the ISAPI filter in IIS7, I've made some progress with Shib2. The
> general scenario described below is merely attempting to do merely what I do
> regularly with our own (non-Shib) SAML2 server install.

If you're just trying to use Shibboleth, I'd suggest using the
shibboleth-users list for questions, not the -dev list.

> Using trial and error (and error and error) and trying all sorts of variants
> of settings, I settled on the following configuration. However, accessing
> /secure2 causes a flow loop.

Loops are almost always cookie problems, probably https/http mismatches or
possibly hostname mismatches. You need to follow the redirects and make sure
it's using a consistent hostname and port.

If you have a "real" hostname, you should not use sp.example.org. Even if
it's just a fake name you set up locally, you're just confusing yourself and
the software trying to play these games.

-- Scott
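The diagnosis Scott gives above (a redirect loop is usually the SP session cookie not coming back because of an https/http or hostname mismatch along the redirect chain) can be checked mechanically from a browser's capture of the hops. The following script is an added example and is not code from the thread or from the Shibboleth project; the `Hop` records, the `_shibsession_` cookie prefix used to recognise the SP session cookie, and the three sample chains are constructed for illustration. It walks each hop, keeps a minimal cookie jar, and reports the first request where a previously seen path is fetched again without the session cookie being eligible to be sent, together with the cookie rule that blocked it.

```python
"""Walk a captured SP redirect chain and explain why the session cookie
is not being returned.  Added example; the hop data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Hop:
    """One request/response pair as seen by the browser (e.g. copied from a HAR)."""
    url: str                     # URL the browser requested
    status: int                  # response status
    location: str = ""           # Location header, if the response redirected
    # name -> {"secure": bool, "domain": str or None}; a response's Set-Cookie headers
    set_cookie: dict = field(default_factory=dict)


def host_matches(cookie_domain: str, request_host: str) -> bool:
    """Host-only cookie: exact host match. Domain cookie: equal or a subdomain."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_would_be_sent(cookie: dict, request_url: str) -> tuple[bool, str]:
    """Apply the two cookie rules behind most SP loops: a Secure cookie is never
    sent over plain http, and a cookie only goes to the host it was set on
    (or the hosts covered by its Domain attribute)."""
    parts = urlsplit(request_url)
    if cookie["secure"] and parts.scheme != "https":
        return False, f"cookie is Secure but request is {parts.scheme}"
    if not host_matches(cookie["domain"], parts.hostname or ""):
        return False, f"cookie scoped to {cookie['domain']} but request host is {parts.hostname}"
    return True, "ok"


def diagnose_chain(hops: list[Hop], session_prefix: str = "_shibsession_") -> dict:
    """Replay the chain with a cookie jar. A loop is flagged the first time a path is
    requested again and the SP session cookie would not accompany the request."""
    jar: dict[str, dict] = {}
    seen_paths: set[str] = set()
    for i, hop in enumerate(hops):
        parts = urlsplit(hop.url)
        session_cookies = [(n, c) for n, c in jar.items() if n.startswith(session_prefix)]
        if parts.path in seen_paths:
            if not session_cookies:
                return {"loop": True, "hop": i, "url": hop.url, "cookie": None,
                        "reason": "no session cookie was set by any earlier response"}
            for name, cookie in session_cookies:
                sent, reason = cookie_would_be_sent(cookie, hop.url)
                if not sent:
                    return {"loop": True, "hop": i, "url": hop.url, "cookie": name, "reason": reason}
        seen_paths.add(parts.path)
        # Remember cookies set by this response; host-only unless a Domain was given.
        for name, attrs in hop.set_cookie.items():
            jar[name] = {"secure": attrs.get("secure", False),
                         "domain": attrs.get("domain") or (parts.hostname or "")}
    return {"loop": False}


# Constructed chains. The first two reproduce the mismatches Scott describes;
# the third is the same flow with a consistent scheme and host.
LOGIN = "https://sp.example.org/Shibboleth.sso/Login?target=%2Fsecure2"
IDP = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=ENCODED"
SESSION = {"_shibsession_abc": {"secure": True}}

SCHEME_MISMATCH = [
    Hop("https://sp.example.org/secure2", 302, location=LOGIN),
    Hop(LOGIN, 302, location=IDP),
    Hop("https://sp.example.org/Shibboleth.sso/SAML2/POST", 302,
        location="http://sp.example.org/secure2", set_cookie=SESSION),
    Hop("http://sp.example.org/secure2", 302, location=LOGIN),   # cookie missing -> back to Login
]

HOST_MISMATCH = [
    Hop("https://sp.example.org/secure2", 302, location=LOGIN),
    Hop(LOGIN, 302, location=IDP),
    Hop("https://sp.example.org/Shibboleth.sso/SAML2/POST", 302,
        location="https://localhost/secure2", set_cookie=SESSION),
    Hop("https://localhost/secure2", 302, location=LOGIN),
]

HEALTHY = [
    Hop("https://sp.example.org/secure2", 302, location=LOGIN),
    Hop(LOGIN, 302, location=IDP),
    Hop("https://sp.example.org/Shibboleth.sso/SAML2/POST", 302,
        location="https://sp.example.org/secure2", set_cookie=SESSION),
    Hop("https://sp.example.org/secure2", 200),
]

if __name__ == "__main__":
    for label, chain in (("scheme", SCHEME_MISMATCH), ("host", HOST_MISMATCH), ("healthy", HEALTHY)):
        print(label, diagnose_chain(chain))
```

To use it on a real capture, transcribe each redirect hop's URL, status, Location and Set-Cookie (with its Secure and Domain attributes) into `Hop` records in order; the report names the hop where the chain falls apart and the scheme or host that differs from where the cookie was set, which is exactly the inconsistency to fix in the web server binding or the SP's configured hostname.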


Archive powered by MHonArc 2.6.16.