shibboleth-dev - Re: [Shib-Dev] Configure relying party for non-browser client
  • From: "Joana M. F. Trindade" <>
  • To:
  • Subject: Re: [Shib-Dev] Configure relying party for non-browser client
  • Date: Wed, 11 Jun 2008 09:45:59 -0300

Hi Chad,

Yes, thanks Chad. I could not find such a tag in the relying-party.xml, however; I only found "DefaultRelyingParty" and "AnonymousRelyingParty". I'll give it a try, placing the suggested configuration inside "RelyingPartyGroup".

Thanks,
Joana

On Tue, Jun 10, 2008 at 11:50 PM, Chad La Joie <> wrote:
Hey Joana,

Maybe I'm missing something, but isn't the defaultAuthenticationMethod on the relying party configuration what you want? So you'd do something like this:

<RelyingParty id="urn:example.org:my:spoofed:id"
              provider="urn:example.org:my:idp"
              defaultAuthenticationMethod="urn:example.org:some:method">
    <!-- Various Profile Configuration -->
</RelyingParty>

In this way, if a request comes in from 'urn:example.org:my:spoofed:id' and it does not require a specific authentication method then the IdP will always use 'urn:example.org:some:method'.

Is that what you were asking for?


Joana M. F. Trindade wrote:
Hi,

I have implemented a non-browser client (http user agent), that issues a
samlp:AuthnRequest and sends it over TLS (Base64 encoded) to a Shib IdP. I
intend to implement a Shib profile handler according to the protocol
described in [1] and [2].

Since I have not finished implementing the handler yet, I am testing whether
the samlp:AuthnRequest is "correct" by sending it to the SSO Profile Handler
(/profile/SAML2/POST/SSO). I do this by spoofing the issuer in the
AuthnRequest, setting it to an SP which is already registered with the IdP
(https://sp.testshib.org/shibboleth). This gives me neither an error nor a
Response, which seems like expected behavior. However, I would like to
properly set the issuer as my non-browser client.

My question is: how do I configure the relying party so that each time the
IdP receives a samlp:AuthnRequest from this non-browser client, it asks for
the client to authenticate with the method I intend it to?

I read the wiki on this subject ([3]), but could not find the referenced XML
tags (RelyingParty, defaultAuthenticationMethod) in my IdP's
relyingparty.xml, nor any example files.

Any pointers or advice will be highly appreciated.

Cheers,
Joana

[1] http://dev.globus.org/wiki/Google_Summer_of_Code_2008_Ideas#SAML_Holder-of-Key_Authentication
[2] http://dev.globus.org/wiki/GSoC08/SAML_Holder_of_Key_Authn_for_HTTP_SSO
[3] https://spaces.internet2.edu/display/SHIB2/IdPUserAuthn

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
, http://www.switch.ch




--
Joana M. F. da Trindade

Email:
Personal Homepage: http://www.inf.ufrgs.br/~jmftrindade
LinkedIn: http://www.linkedin.com/in/joanatrindade
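As an added illustration of the selection rule Chad describes (not code from the thread or from the Shibboleth project), the following Python walks a constructed relying-party.xml the way the IdP would: an explicitly requested method wins, otherwise the RelyingParty entry matching the request's issuer supplies defaultAuthenticationMethod, and DefaultRelyingParty is the fallback. The namespace is the IdP 2.x relying-party schema; the sample document, the PasswordProtectedTransport default and the lookup helpers are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Namespace of the Shibboleth IdP 2.x relying-party.xml schema.
RP_NS = "urn:mace:shibboleth:2.0:relying-party"

# Constructed sample: the RelyingParty from the thread placed directly under
# RelyingPartyGroup, beside the Anonymous/Default entries Joana already had.
SAMPLE_RELYING_PARTY_XML = f"""
<rp:RelyingPartyGroup xmlns:rp="{RP_NS}">
  <rp:AnonymousRelyingParty provider="urn:example.org:my:idp"/>
  <rp:DefaultRelyingParty provider="urn:example.org:my:idp"
      defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"/>
  <rp:RelyingParty id="urn:example.org:my:spoofed:id"
      provider="urn:example.org:my:idp"
      defaultAuthenticationMethod="urn:example.org:some:method"/>
</rp:RelyingPartyGroup>
"""


def relying_party_ids(config_xml):
    """Ids of explicitly configured RelyingParty entries (Default/Anonymous
    excluded), so one can confirm a client got its own entry rather than
    borrowing another SP's entityID."""
    root = ET.fromstring(config_xml)
    return [rp.get("id") for rp in root.iter(f"{{{RP_NS}}}RelyingParty")]


def effective_authn_method(config_xml, issuer, requested_methods=()):
    """Authentication method the IdP ends up using for a request from
    `issuer`. Simplification (assumption): a requested method is taken
    as-is instead of being matched against the IdP's supported handlers."""
    if requested_methods:
        return requested_methods[0]
    root = ET.fromstring(config_xml)
    # iter() with a fully qualified tag matches RelyingParty only.
    for rp in root.iter(f"{{{RP_NS}}}RelyingParty"):
        if rp.get("id") == issuer:
            return rp.get("defaultAuthenticationMethod")
    default = root.find(f"{{{RP_NS}}}DefaultRelyingParty")
    return None if default is None else default.get("defaultAuthenticationMethod")


if __name__ == "__main__":
    for iss in ("urn:example.org:my:spoofed:id", "https://sp.testshib.org/shibboleth"):
        print(iss, "->", effective_authn_method(SAMPLE_RELYING_PARTY_XML, iss))
```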

