shibboleth-dev - RE: [Shib-Dev] SimpleSAMLPHP 1.6.0 and Shibboleth SAML 1.1 interoperability
- From: "Scott Cantor"
- Subject: RE: [Shib-Dev] SimpleSAMLPHP 1.6.0 and Shibboleth SAML 1.1 interoperability
- Date: Tue, 15 Jun 2010 11:32:04 -0400
- Organization: The Ohio State University
> > I am having trouble interoperating a simplesamlphp-1.6.0 IdP with a Shibboleth
> > 2.3 SP.
> >
> > Using saml2, it works fine
> > Using shib13 it fails with
> > > opensaml::SecurityPolicyException
> > > Security of SAML 1.x SSO POST response not established.
> >
> > There is nothing in the logs on the SP, even at debug level. The last
> > message is:
> > > Shibboleth.SSO.SAML1 [45]:
> > > processing message against SAML 1.x SSO profile
This really belongs on the -users list, but to answer the question, most
likely the SAML Response wasn't signed, which is a security problem when
using SAML 1.x. If something *is* accepting this, there's a security bug in
whatever code that is.
> > I had a look at Shibboleth sources, and I suspect it can be something
> > that went wrong with the signature. The assertion contains a signature,
> > though, and it seems Shibboleth has seen it:
The signature has to be at the Response level, because the Recipient
attribute is there, not in the assertion.
-- Scott
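
The distinction drawn in the reply above (signature on the Response versus only on the Assertion) can be checked on a captured message before looking at SP logs. The following is an added example, not part of the original thread and not Shibboleth or simpleSAMLphp code; it inspects structure only and validates no signature, and the sample messages, IDs and endpoint URL are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_placement(response_xml):
    """Report where ds:Signature elements sit in a SAML 1.x Response.

    Structural check only: no signature is cryptographically verified."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 1.x samlp:Response")
    resp_sig = root.find("ds:Signature", NS)  # direct child of Response only
    ref = resp_sig.find("ds:SignedInfo/ds:Reference", NS) if resp_sig is not None else None
    # The Recipient attribute is protected only if the reference targets the
    # Response element itself (its ResponseID, or "" for the whole document).
    covers = ref is not None and ref.get("URI") in ("", "#" + root.get("ResponseID", ""))
    return {
        "recipient": root.get("Recipient"),
        "response_signed": resp_sig is not None,
        "reference_covers_response": covers,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
    }

# Constructed skeleton signature: digest and signature values are omitted.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:Reference URI="#%s"/></ds:SignedInfo></ds:Signature>')

def sample(sign_response, sign_assertion):
    """Build a constructed SAML 1.1 Response skeleton for the check above."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
        'ResponseID="_r1" MajorVersion="1" MinorVersion="1" '
        'Recipient="https://sp.example.org/Shibboleth.sso/SAML/POST">'
        + (SIG % "_r1" if sign_response else "")
        + '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
        'AssertionID="_a1">'
        + (SIG % "_a1" if sign_assertion else "")
        + '</saml:Assertion></samlp:Response>'
    )

if __name__ == "__main__":
    for label, xml in (("assertion-only", sample(False, True)),
                       ("response-level", sample(True, True))):
        print(label, signature_placement(xml))
```
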
- SimpleSAMLPHP 1.6.0 and Shibboleth SAML 1.1 interoperability, Emmanuel Dreyfus, 06/15/2010
- RE: [Shib-Dev] SimpleSAMLPHP 1.6.0 and Shibboleth SAML 1.1 interoperability, Scott Cantor, 06/15/2010
- Re: [Shib-Dev] SimpleSAMLPHP 1.6.0 and Shibboleth SAML 1.1 interoperability, Emmanuel Dreyfus, 06/16/2010