shibboleth-dev - Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation
Subject: Shibboleth Developers
List archive
- From: Halm Reusser <>
- To:
- Subject: Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation
- Date: Wed, 21 Jul 2010 17:58:30 +0200
Hi Brent,
thanks for your fast response.
Brent Putman wrote:
Assuming that you've examined the SOAP message from the SP (ECP) to the IdP over the Liberty profile portion of the flow, and the Assertion token really is there in the SOAP header:
See http://codeviewer.org/view/code:10b6 for the SOAP request. It has no differences, except entityIDs, certs etc. to the working one.
There's a minor bug which apparently never got fixed, which is that the error message about the missing token might be wrong and misleading. Here's a snippet from a thread on the delegation/uPortal list from that. You need to make sure that the IdP has the proper Liberty profile config for the SP (ECP) in question.
This particular error is happening because of a misconfiguration in your relying-party.xml. The portal (ECP) is identifying itself as https://cmoredev.uchicago.edu/portal, but in the relying-party.xml you do not have a entry for that. You need a RelyingParty config for that, containing at a minimum ProfileConfigurations for the 2 delegation related profiles (SSO and Liberty).
The relying party configuration:
<!-- Liberty SSOS (ECP Portal) -->
<RelyingParty id="https://macvt.switch.ch/shibboleth"
provider="https://aai-logon.vho-switchaai.ch/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="samldel:SAML2SSOProfile"
allowTokenDelegation="true"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="always"
encryptAssertions="conditional"
encryptNameIds="never" />
<ProfileConfiguration xsi:type="samldel:LibertyIDWSFSSOSProfile"
maximumTokenDelegationChainLength="1"
allowTokenDelegation="true"
signAssertions="always"
encryptNameIds="never"
securityPolicyRef="shibboleth.ext.delegation.LibertySSOSPolicy">
<samldel:DelegationRestriction>https://hestia.switch.ch/shibboleth</samldel:DelegationRestriction>
</ProfileConfiguration>
</RelyingParty>
... where
https://aai-logon.vho-switchaai.ch/idp/shibboleth, the IdP
https://macvt.switch.ch/shibboleth, the ECP portal
https://hestia.switch.ch/shibboleth, the delegation client.
It looks exact like on the working configuration. Do you have any hints how to
debug the relying party stuff, to figure out, why no effective security policy
is running?
Many thanks!
-Halm
- [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/21/2010
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Scott Cantor, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/22/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/22/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Halm Reusser, 07/23/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Valery Tschopp, 07/23/2010
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Scott Cantor, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Chad La Joie, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Brent Putman, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Halm Reusser, 07/23/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/22/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/22/2010
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Scott Cantor, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/21/2010
Archive powered by MHonArc 2.6.16.