
shibboleth-dev - RE: [Shib-Dev] idp-initiated SSO


RE: [Shib-Dev] idp-initiated SSO


  • Subject: RE: [Shib-Dev] idp-initiated SSO
  • Date: Tue, 7 Oct 2008 12:15:59 -0400
  • Accept-language: en-US

Nate,


This technique works fine Shibboleth to Shibboleth, but in my interoperability testing with some commercial products, it is inconsistent as to whether it works.  The IDP populates the InResponseTo attribute, and according to the SAML standards it “MUST NOT contain an InResponseTo” for Unsolicited Responses.  I know that when I did some testing with CA Siteminder, it failed with an error about unrecognized Response ID.

Is there a way in the spoofing to tell the IDP to leave out that attribute?


From: Nate Klingenstein [mailto:]
Sent: Monday, October 06, 2008 10:46 PM
To:
Subject: Re: [Shib-Dev] idp-initiated SSO


Yangling,


Thank you for reading this letter, which is from Peking University, China.


It's great to hear from you guys again.  Give my best regards to Ms. Chen and the rest of the team. :D



I have one question here: Has IdP-initiated SSO been implemented in Shibboleth 2.0? I appreciate you very much. Thank you.


Basically, yes.  There is no separate implementation to do this, because the functionality can be easily provided just by spoofing an authentication request as if the SP had made it.  You can place such a spoofed authentication request statically on a web page, such as a portal.  This can be done for SAML 1.1 or SAML 2.0, and it can be done for SAML 2.0 using either a Shibboleth 1.3-style authentication request, or a SAML 2.0 AuthnRequest.  You just need to make sure you have the right endpoints selected in your spoof.


There is a specification that allows this to be done with trust added, but I don't think it's implemented yet, and it's not a requirement for most use cases.


Take care,

Nate.
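An SP-side check of the InResponseTo rule discussed in the thread above, added here as an example and not code from the thread, from Shibboleth or from CA SiteMinder; the sample Response messages, the outstanding_request_ids bookkeeping and the assertion-level consistency check are assumptions made for illustration:

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def classify_response(xml_text, outstanding_request_ids):
    """Classify a samlp:Response as an SP would before trusting it.

    Returns "unsolicited", "solicited" or "reject:<reason>".
    outstanding_request_ids: the SP's own set of AuthnRequest IDs it
    issued and has not yet consumed (name assumed for this example).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP:
        return "reject:not-a-samlp-Response"
    in_response_to = root.get("InResponseTo")
    # Consistency check (assumption): the bearer SubjectConfirmationData in
    # the assertion may also carry InResponseTo; it must agree with the
    # Response-level attribute, or be absent when that one is absent.
    scd_path = (
        "{%s}Assertion/{%s}Subject/{%s}SubjectConfirmation/"
        "{%s}SubjectConfirmationData" % (SAML, SAML, SAML, SAML)
    )
    for scd in root.findall(scd_path):
        if scd.get("InResponseTo") != in_response_to:
            return "reject:InResponseTo-mismatch-in-assertion"
    if in_response_to is None:
        # IdP-initiated (unsolicited) SSO: nothing to correlate with, so the
        # SP must rely on its own replay and freshness checks instead.
        return "unsolicited"
    if in_response_to in outstanding_request_ids:
        return "solicited"
    # The failure mode reported for SiteMinder: the IdP echoed an ID for a
    # request this SP never issued, so the response cannot be correlated.
    return "reject:unknown-InResponseTo:" + in_response_to


# Constructed sample messages (signatures and most attributes omitted).
_HDR = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" '
        'Version="2.0" IssueInstant="2008-10-07T16:15:59Z"' % (SAMLP, SAML))
_BODY = ('><saml:Assertion ID="_a1" Version="2.0" '
         'IssueInstant="2008-10-07T16:15:59Z"><saml:Subject>'
         '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
         '<saml:SubjectConfirmationData%s/></saml:SubjectConfirmation>'
         '</saml:Subject></saml:Assertion></samlp:Response>')
SOLICITED = _HDR + ' InResponseTo="_req42"' + _BODY % ' InResponseTo="_req42"'
UNSOLICITED = _HDR + _BODY % ""
STRAY_ID = _HDR + ' InResponseTo="_req99"' + _BODY % ' InResponseTo="_req99"'
MISMATCH = _HDR + _BODY % ' InResponseTo="_req42"'
```

STRAY_ID reproduces the interoperability failure from the thread: a response spoofed to look IdP-initiated but still carrying an InResponseTo that the SP cannot match to any request it sent.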



