shibboleth-dev - Re: [Shib-Dev] idp-initiated SSO
- From: Chad La Joie <>
- To:
- Subject: Re: [Shib-Dev] idp-initiated SSO
- Date: Tue, 07 Oct 2008 18:30:37 +0200
- Openpgp: id=146B2514
- Organization: SWITCH
That's an interesting question. I don't know how you could tell a 3rd-party
initiated request from an SP-initiated one, at the IdP, unless you
required signed requests (which we don't).
I don't like calling them spoofed requests just because that will make
some people worry, I'm sure. It's really just a 3rd party, like a
portal, starting the flow.
wrote:
> Nate,
>
> This technique works fine Shibboleth to Shibboleth, but in my
> interoperability testing with some commercial products, it is inconsistent
> as to whether it works. The IDP populates the InResponseTo attribute, and
> according to the SAML standards it "MUST NOT contain an InResponseTo" for
> Unsolicited Responses. I know that when I did some testing with CA
> Siteminder, it failed with an error about unrecognized Response ID.
>
> Is there a way in the spoofing to tell the IDP to leave out that attribute?
>
> From: Nate Klingenstein
> [mailto:]
> Sent: Monday, October 06, 2008 10:46 PM
> To:
>
> Subject: Re: [Shib-Dev] idp-initiated SSO
>
> Yangling,
>
> Thank you for reading this letter, which is from Peking University, China.
>
> It's great to hear from you guys again. Give my best regards to Ms. Chen
> and the rest of the team. :D
>
> I have one question here: Has IdP-initiated SSO been implemented in
> Shibboleth 2.0? I appreciate you very much. Thank you.
>
> Basically, yes. There is no separate implementation to do this, because
> the functionality can be easily provided just by spoofing an authentication
> request as if the SP had made it. You can place such a spoofed
> authentication request statically on a web page, such as a portal. This
> can be done for SAML 1.1 or SAML 2.0, and it can be done for SAML 2.0 using
> either a Shibboleth 1.3-style authentication request, or a SAML 2.0
> AuthnRequest. You just need to make sure you have the right endpoints
> selected in your spoof.
>
> There is a specification that allows this to be done with trust added, but
> I don't think it's implemented yet, and it's not a requirement for most use
> cases.
>
> http://wiki.oasis-open.org/security/ProtocolExtThirdParty
>
> Take care,
> Nate.
>
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
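The SP-side behaviour the thread describes, as an added example that is my own code and not Shibboleth's or Siteminder's: a strict SP keeps the IDs of the AuthnRequests it issued and accepts an InResponseTo only when it matches one of them, so a response to a request a portal spoofed on the SP's behalf carries an ID the SP never issued (the "unrecognized Response ID" failure), while a genuine unsolicited response omits the attribute altogether. The sample responses and request IDs are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def check_in_response_to(response_xml, outstanding_ids, allow_unsolicited=True):
    """Validate the InResponseTo attribute of a samlp:Response at the SP.

    outstanding_ids: set of AuthnRequest IDs this SP itself issued and has
    not yet consumed. Returns (accepted, kind); kind names the flow
    ("sp-initiated" / "idp-initiated") or says why the response was refused.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        return (False, "not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited (IdP-initiated) response: per SAML it MUST NOT carry
        # InResponseTo, so the SP decides by policy whether to accept it.
        if allow_unsolicited:
            return (True, "idp-initiated")
        return (False, "unsolicited responses disabled")
    if in_response_to not in outstanding_ids:
        # This SP never issued that ID (e.g. the request was spoofed by a
        # portal); a strict SP refuses the response here.
        return (False, "unrecognized request ID %s" % in_response_to)
    outstanding_ids.discard(in_response_to)  # single use, blocks replay
    return (True, "sp-initiated")


def sample_response(extra_attr=""):
    # Constructed minimal response, not a capture from any real deployment.
    return (
        '<samlp:Response xmlns:samlp="%s" ID="_resp-1" Version="2.0" '
        'IssueInstant="2008-10-07T16:30:37Z" %s>'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '</samlp:Response>' % (SAMLP, extra_attr)
    )


if __name__ == "__main__":
    issued = {"_req-sp-1"}  # hypothetical ID the SP issued itself
    print(check_in_response_to(sample_response('InResponseTo="_req-sp-1"'), issued))
    print(check_in_response_to(sample_response('InResponseTo="_req-portal-1"'), issued))
    print(check_in_response_to(sample_response(), issued))
```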