Shibboleth Developers

[Halm Reusser <>]

Hi Brent,

thanks for your fast response.

Brent Putman wrote:

> Assuming that you've examined the SOAP message from the SP (ECP) to the 
> IdP over the Liberty profile portion of the flow, and the Assertion 
> token really is there in the SOAP header:

See http://codeviewer.org/view/code:10b6 for the SOAP request. It has no 
differences, except entityIDs, certs etc. to the working one.

> There's a minor bug which apparently never got fixed, which is that the 
> error message about the missing token might be wrong and misleading.  
> Here's a snippet from a thread on the delegation/uPortal list from 
> that.  You need to make sure that the IdP has the proper Liberty profile 
> config for the SP (ECP) in question.
>
> > This particular error is happening because of a misconfiguration in 
> > your relying-party.xml.  The portal (ECP) is identifying itself as 
> > https://cmoredev.uchicago.edu/portal, but in the relying-party.xml  
> > you do not have a entry for that.  You need a RelyingParty config for 
> > that, containing at a minimum ProfileConfigurations for the 2 
> > delegation related profiles (SSO and Liberty).

The relying party configuration:

<!-- Liberty SSOS (ECP Portal) -->
<RelyingParty id="https://macvt.switch.ch/shibboleth";
               provider="https://aai-logon.vho-switchaai.ch/idp/shibboleth";
               defaultSigningCredentialRef="IdPCredential">

         <ProfileConfiguration xsi:type="samldel:SAML2SSOProfile"
                               allowTokenDelegation="true"
                               includeAttributeStatement="true"
                               assertionLifetime="300000"
                               assertionProxyCount="0"
                               signResponses="conditional"
                               signAssertions="always"
                               encryptAssertions="conditional"
                               encryptNameIds="never" />

         <ProfileConfiguration xsi:type="samldel:LibertyIDWSFSSOSProfile"
                               maximumTokenDelegationChainLength="1"
                               allowTokenDelegation="true"
                               signAssertions="always"
                               encryptNameIds="never"

securityPolicyRef="shibboleth.ext.delegation.LibertySSOSPolicy">


<samldel:DelegationRestriction>https://hestia.switch.ch/shibboleth</samldel:DelegationRestriction>
         </ProfileConfiguration>
</RelyingParty>


... where
https://aai-logon.vho-switchaai.ch/idp/shibboleth, the IdP
https://macvt.switch.ch/shibboleth, the ECP portal
https://hestia.switch.ch/shibboleth, the delegation client.

It looks exact like on the working configuration. Do you have any hints how to
debug the relying party stuff, to figure out, why no effective security policy
is running?

Many thanks!

-Halm