Skip to Content.
Sympa Menu

shibboleth-dev - Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED]

Subject: Shibboleth Developers

List archive

Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED]


Chronological Thread 
  • From: Valery Tschopp <>
  • To:
  • Cc: Halm Reusser <>
  • Subject: Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED]
  • Date: Fri, 23 Jul 2010 11:26:25 +0200
  • Organization: SWITCH
Hi Brent,

Adding the ID-WSF SSOS profile handler in the default relying party solved our problem, but isn't it a bug?

Why should we add this handler to the default relying party, when it is accessed only by the ECP client (https://macvt.switch.ch/shibboleth) and defined in its own relying party?

Our relying-party.xml looks like this:
...
<DefaultRelyingParty provider="https://aai-logon.vho-switchaai.ch/idp/shibboleth";
defaultSigningCredentialRef="IdPCredential"
defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">

<ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
<ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
<ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />

<ProfileConfiguration xsi:type="samldel:SAML2SSOProfile"
allowTokenDelegation="false"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="never"
encryptAssertions="conditional"
encryptNameIds="never" />

<ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
<ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />

<ProfileConfiguration xsi:type="samldel:LibertyIDWSFSSOSProfile"
allowTokenDelegation="false"
signAssertions="always"
encryptNameIds="never"

securityPolicyRef="shibboleth.ext.delegation.LibertySSOSPolicy"/>

</DefaultRelyingParty>
...
<!-- Liberty SSOS (ECP Portal) -->
<RelyingParty id="https://macvt.switch.ch/shibboleth";
provider="https://aai-logon.vho-switchaai.ch/idp/shibboleth";
defaultSigningCredentialRef="IdPCredential">

<ProfileConfiguration xsi:type="samldel:SAML2SSOProfile"
allowTokenDelegation="true"
includeAttributeStatement="true"
assertionLifetime="300000"
assertionProxyCount="0"
signResponses="conditional"
signAssertions="always"
encryptAssertions="conditional"
encryptNameIds="never" />

<ProfileConfiguration xsi:type="samldel:LibertyIDWSFSSOSProfile"
maximumTokenDelegationChainLength="1"
allowTokenDelegation="true"
signAssertions="always"
encryptNameIds="never"

securityPolicyRef="shibboleth.ext.delegation.LibertySSOSPolicy">


<samldel:DelegationRestriction>https://hestia.switch.ch/shibboleth</samldel:DelegationRestriction>
</ProfileConfiguration>
</RelyingParty>


Cheers,
Valery


On 7/23/10 9:49 AM, Halm Reusser wrote:
Hi Brent,

Brent Putman wrote:

Ok, it's definitely not running the security policy, at least, there's no
log output for the delegation-specific rules for client cert auth and
assertion token validation. So it's almost certainly the case that the
relying-party.xml config is incorrect in some way [...]

You got it. I've verified the relying-party.xml again and indeed in the
following ProfileConfiguration was missing in the DefaultRelyingParty:

<ProfileConfiguration xsi:type="samldel:LibertyIDWSFSSOSProfile"
allowTokenDelegation="false"
signAssertions="always"
encryptNameIds="never"
securityPolicyRef="shibboleth.ext.delegation.LibertySSOSPolicy"/>

Thanks for the hints, have a nice weekend.

-Halm

--
SWITCH
Serving Swiss Universities
--------------------------
Valery Tschopp, Software Engineer, Middleware
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
email:

phone: +41 44 268 1544


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


Archive powered by MHonArc 2.6.16.

Top of Page