shibboleth-dev - RE: [Shib-Dev] idp-initiated SSO
Subject: Shibboleth Developers
List archive
- From: <>
- To: <>
- Subject: RE: [Shib-Dev] idp-initiated SSO
- Date: Tue, 7 Oct 2008 12:43:59 -0400
- Accept-language: en-US
- Acceptlanguage: en-US
I didn't consider the failure a bug when I noticed it would not interoperate.
I generally considered the 3rd party initiated SSO to be a hacked solution,
so I did not expect it to consistently work. The third party request profile
looks interesting, and I can see some value in it. Although I think Peter
Williams is correct in that there is a subtle difference in whether it's
truly 3rd party initiated when it is the IDP (perhaps not the software, but
the entity/system) trying to initiate the Unsolicited SSO.
-----Original Message-----
From: Scott Cantor
[mailto:]
Sent: Tuesday, October 07, 2008 12:31 PM
To:
Subject: RE: [Shib-Dev] idp-initiated SSO
> This technique works fine Shibboleth to Shibboleth, but in my
> interoperability testing with some commercial products, it is inconsistent
> as to whether it works. The IDP populates the InResponseTo attribute, and
> according to the SAML standards it "MUST NOT contain an InResponseTo" for
> Unsolicited Responses. I know that when I did some testing with CA
> Siteminder, it failed with an error about unrecognized Response ID.
>
> Is there a way in the spoofing to tell the IDP to leave out that
attribute?
That's what the extension Nate mentioned was for (among other reasons). If
you follow the spec, both the IdP and the CA SP are doing the right thing,
so they're not buggy.
If you wanted basic support for the third party request profile, maybe just
with unsigned requests to solve this basic problem, you could file that in
jira.
-- Scott
- idp-initiated SSO, yangling_1985, 10/06/2008
- Re: [Shib-Dev] idp-initiated SSO, Chad La Joie, 10/06/2008
- Re: [Shib-Dev] idp-initiated SSO, Nate Klingenstein, 10/06/2008
- RE: [Shib-Dev] idp-initiated SSO, Jeff.Krug, 10/07/2008
- Re: [Shib-Dev] idp-initiated SSO, Chad La Joie, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Peter Williams, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Peter Williams, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Jeff.Krug, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- Message not available
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Peter Williams, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Peter Williams, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Peter Williams, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Scott Cantor, 10/17/2008
- RE: [Shib-Dev] idp-initiated SSO, Jeff.Krug, 10/07/2008
- Re: [Shib-Dev] idp-initiated SSO, Chad La Joie, 10/07/2008
- RE: [Shib-Dev] idp-initiated SSO, Jeff.Krug, 10/07/2008
Archive powered by MHonArc 2.6.16.