shibboleth-dev - Re: [Shib-Dev] Configure relying party for non-browser client
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: [Shib-Dev] Configure relying party for non-browser client
- Date: Wed, 11 Jun 2008 04:50:42 +0200
- Openpgp: id=146B2514
- Organization: SWITCH
Hey Joana,
Maybe I'm missing something, but isn't the defualtAuthenticationMethod on the relying party configuration what you want? So you'd do something like this:
<RelyingParty id="urn:example.org:my:spoofed:id"
provider="urn:example.org:my:idp"
defaultAuthenticationMethod="urn:example.org:some:method" >
<!-- Various Profile Configuration -->
</RelyingParty>
In this way, if a request comes in from 'urn:example.org:my:spoofed:id' and it does not require a specific authentication method then the IdP will always use 'urn:example.org:some:method'.
Is that what you were asking for?
Joana M. F. Trindade wrote:
Hi,
I have implemented a non-browser client (http user agent), that issues a
samlp:AuthnRequest and sends it over TLS (Base64 encoded) to a Shib IdP. I
intend to implement a Shib profile handler according to the protocol
described in [1] and [2].
Since I have not finished implementing the handler yet, I am testing whether
the samlp:AuthnRequest is "correct" by sending it to the SSO Profile Handler
(/profile/SAML2/POST/SSO). I do this by spoofing the issuer in the
AuthnRequest, setting it to a SP which is already registered with the IdP (
https://sp.testshib.org/shibboleth). This gives me no error nor a Response,
which seems like expected behavior. However, I would like to properly set
the issuer as my non-browser client.
My question is: how do I configure the relying party so that each time the
IdP receives a samlp:AuthnRequest from this non-browser client, it asks for
the client to authenticate with the method I intend it to?
I read the wiki on this subject ([3]), but could not find the referred xml
tags (RelyingParty, defaultAuthenticationMethod) in my IdP's
relyingparty.xml, neither examples of files.
Any pointers or advice will be highly appreaciated.
Cheers,
Joana
[1] -
http://dev.globus.org/wiki/Google_Summer_of_Code_2008_Ideas#SAML_Holder-of-Key_Authentication
[2] -
http://dev.globus.org/wiki/GSoC08/SAML_Holder_of_Key_Authn_for_HTTP_SSO
[3] - https://spaces.internet2.edu/display/SHIB2/IdPUserAuthn
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
- Configure relying party for non-browser client, Joana M. F. Trindade, 06/10/2008
- RE: [Shib-Dev] Configure relying party for non-browser client, Scott Cantor, 06/10/2008
- Re: [Shib-Dev] Configure relying party for non-browser client, Chad La Joie, 06/10/2008
- Re: [Shib-Dev] Configure relying party for non-browser client, Joana M. F. Trindade, 06/11/2008
Archive powered by MHonArc 2.6.16.