shibboleth-dev - Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED]
Subject: Shibboleth Developers
List archive
- From: Brent Putman <>
- To:
- Subject: Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED]
- Date: Mon, 26 Jul 2010 10:36:13 -0700
Sorry for the delay in responding, I'm traveling last week and this week.
On 7/23/10 2:26 AM, Valery Tschopp wrote:
Hi Brent,
Adding the ID-WSF SSOS profile handler in the default relying party solved our problem, but isn't it a bug?
Why should we add this handler to the default relying party, when it is accessed only by the ECP client (https://macvt.switch.ch/shibboleth) and defined in its own relying party?
No, it's not a requirement that you add anything to the DefaultRelyingParty. Adding it there will make things work of course, as you discovered, since that's the default lookup, but particularly for delegation that's probably not a good idea. Note that all of this RelyingParty and ProfileConfiguration lookup stuff is not delgation specific, it's just the standard mechanism that the IdP uses for all profile support.
However, reading your message made me realize that: I think I was giving you slightly incorrect info. The problem is as I originally described, i.e. no security policy was being resolved because there was no effective relying party configuration. However, I think I mislead you on the specifics: the RelyingParty config that's going to determine the security policy that's used in the Liberty profile is actually the one for the SAML requester in the flow (i.e. the WSP), and *not* the SAML presenter (i.e. the portal/ECP). That's because the WSP is the actual relying party, not the portal/ECP. Note you do have to have both SP's configured for the Liberty profile, probably with custom RelyingParty elements, because there are some config settings that appear there that are relevant to both. That's what is mentioned in the INSTALL.txt, section 4e.
If you get a DEBUG log trace for the top-level IdP and OpenSAML packages that I mentioned earlier, it should confirm the above. In specific terms, the WSP you mentioned earlier in the thread was: https://hestia.switch.ch/shibboleth So you should see it trying to resolve the security policy for the entity ID.
Hope that finally resolves things, but let me know if it doesn't.
--Brent
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, (continued)
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Scott Cantor, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/21/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/22/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/22/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Halm Reusser, 07/23/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Valery Tschopp, 07/23/2010
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Scott Cantor, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Chad La Joie, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Brent Putman, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Brent Putman, 07/26/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation [SOLVED], Halm Reusser, 07/23/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Brent Putman, 07/22/2010
- Re: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Halm Reusser, 07/22/2010
- RE: [Shib-Dev] Debugging shibboleth-idp-ext-delegation, Scott Cantor, 07/21/2010
Archive powered by MHonArc 2.6.16.