shibboleth-dev - Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED]
Subject: Shibboleth Developers
List archive
- From: Valery Tschopp <>
- To:
- Cc: Halm Reusser <>
- Subject: Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED]
- Date: Fri, 23 Jul 2010 11:26:25 +0200
- Organization: SWITCH
Hi Brent,
Adding the ID-WSF SSOS profile handler in the default relying party solved our problem, but isn't it a bug?
Why should we add this handler to the default relying party, when it is accessed only by the ECP client (https://macvt.switch.ch/shibboleth) and defined in its own relying party?
Our relying-party.xml looks like this:
...
<DefaultRelyingParty provider="https://aai-logon.vho-switchaai.ch/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
<ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
<ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
<ProfileConfiguration xsi:type="samldel:SAML2SSOProfile"
allowTokenDelegation="false"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="never" />
<ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
<ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
<ProfileConfiguration xsi:type="samldel:LibertyIDWSFSSOSProfile"
allowTokenDelegation="false"
signAssertions="always"
encryptNameIds="never"
securityPolicyRef="shibboleth.ext.delegation.LibertySSOSPolicy"/>
</DefaultRelyingParty>
...
<!-- Liberty SSOS (ECP Portal) -->
<RelyingParty id="https://macvt.switch.ch/shibboleth"
provider="https://aai-logon.vho-switchaai.ch/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="samldel:SAML2SSOProfile"
allowTokenDelegation="true"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="always"
encryptAssertions="conditional"
encryptNameIds="never" />
<ProfileConfiguration xsi:type="samldel:LibertyIDWSFSSOSProfile"
maximumTokenDelegationChainLength="1"
allowTokenDelegation="true"
signAssertions="always"
encryptNameIds="never"
securityPolicyRef="shibboleth.ext.delegation.LibertySSOSPolicy">
<samldel:DelegationRestriction>https://hestia.switch.ch/shibboleth</samldel:DelegationRestriction>
</ProfileConfiguration>
</RelyingParty>
Cheers,
Valery
On 7/23/10 9:49 AM, Halm Reusser wrote:
Hi Brent,
Brent Putman wrote:
Ok, it's definitely not running the security policy, at least, there's no
log output for the delegation-specific rules for client cert auth and
assertion token validation. So it's almost certainly the case that the
relying-party.xml config is incorrect in some way [...]
You got it. I've verified the relying-party.xml again and indeed in the
following ProfileConfiguration was missing in the DefaultRelyingParty:
<ProfileConfiguration xsi:type="samldel:LibertyIDWSFSSOSProfile"
allowTokenDelegation="false"
signAssertions="always"
encryptNameIds="never"
securityPolicyRef="shibboleth.ext.delegation.LibertySSOSPolicy"/>
Thanks for the hints, have a nice weekend.
-Halm
--
SWITCH
Serving Swiss Universities
--------------------------
Valery Tschopp, Software Engineer, Middleware
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
email:
phone: +41 44 268 1544
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
- [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/21/2010
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Scott Cantor, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/22/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/22/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Halm Reusser, 07/23/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Valery Tschopp, 07/23/2010
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Scott Cantor, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Chad La Joie, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Brent Putman, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Brent Putman, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Halm Reusser, 07/23/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/22/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/22/2010
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Scott Cantor, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/21/2010
Archive powered by MHonArc 2.6.16.