shibboleth-dev - Re: [Shib-Dev] yet another java SP implementation....

  • From: "McDermott, Michael" <>
  • To:
  • Subject: Re: [Shib-Dev] yet another java SP implementation....
  • Date: Mon, 3 Jan 2011 14:14:43 -0500

On Mon, Jan 3, 2011 at 11:59 AM, Chad La Joie
<>
wrote:
>
>
> On 1/3/11 11:47 AM, Steven Carmody wrote:
>>>
>>> 1) Issuer - this must match the value configured in the Workday SSO
>>> setup page
>>> 2) Signature - this must apply to the entire SAML message; some IdPs
>>> allow for signing only the Assertion subelement instead of the entire
>>> response
>>> 3) Subject - this must match an existing Workday Account userID
>>> 4) Conditions/AudienceRestriction - Workday requires a value of
>>> 'http://www.workday.com'
>>> 5) Conditions/NotBefore & NotOnOrAfter attributes - Workday enforces a
>>> max skew of ± 3 minutes
>>
>> Some questions:
>>
>> 1) Would a Shibboleth IDP be able to generate a SAML msg containing a
>> SAML AuthN Assertion that meets those requirements?
>
> Yes.
>
>> 2) Are there additional checks that the project would recommend that
>> they implement ?
>
> All the checks the Shibboleth SP does.
>
>> 3) They currently only implement an IDP-first web browser profile. I
>> expect this will mean that a "typically configured" SHib IDP would not
>> be able to generate a msg meeting the above requirements ?
>
> There is no such thing as an IdP-first web browser profile, so no, the IdP
> doesn't support it.  You'll have to create a mock authn request and send it to
> the IdP.

Steve didn't say a SAML IDP-first web browser profile, just IDP-first
web browser profile, as that is how the vendor described it to us, and
he disabused them of the notion that this is a standards-compliant
profile.

I think the general problem with a jury-rigged IdP-initiated workflow
with SAML2 is that commercial vendors choke when the InResponseTo
attribute assertion (null) does not match the SP. Yale's workaround
describes the problem:
http://isa.its.yale.edu/confluence/display/Shib/Add+IdP+Initiated+Post+SSO+Support+to+Shibboleth

So I'm parsing your response to Steve's third question to be:
Shib will respond to a mocked authn request appropriately, but the
third party SP cannot expect Shib to assert values as if the authn
request came from a standard profile.



>
> --
> Chad La Joie
> http://itumi.biz
> trusted identities, delivered
>



--
Michael J. McDermott
Lead Developer, Identity and Access Management
Brown University
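
The five acceptance rules quoted at the top of this message (Issuer, signature over the whole Response, Subject, AudienceRestriction, NotBefore/NotOnOrAfter with skew) and the InResponseTo point raised further down are what an SP's validation step has to implement. The following is an added example of that step, written for this archive page; it is not code from the thread, from Shibboleth, or from Workday. The issuer URL, the user list, the sample Response and the clock are constructed for the example. The signature check is structural only: it confirms that the ds:Signature is a child of the Response and that its Reference points at the Response ID, which is what distinguishes "sign the whole message" from "sign only the Assertion"; cryptographic verification is assumed to be done separately with an XML-DSig library and is not performed here.

```python
"""Acceptance checks for a SAML 2.0 Response (added example, not project code).

Structural checks only: the ds:Signature is located and its Reference URI
compared with the Response ID, but the signature is NOT cryptographically
verified here (assumed to be done by an XML-DSig library beforehand).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Constructed configuration for the example (not real deployment values).
EXPECTED_ISSUER = "https://idp.example.edu/idp/shibboleth"
EXPECTED_AUDIENCE = "http://www.workday.com"
KNOWN_USERS = {"jdoe", "asmith"}


def _parse_time(s):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2011-01-03T19:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_now(minutes_offset=0):
    """Clock for the example: 19:02Z on 3 Jan 2011, shifted by minutes_offset."""
    return datetime(2011, 1, 3, 19, 2, tzinfo=timezone.utc) + timedelta(minutes=minutes_offset)


def check_response(xml_text, expected_issuer, expected_audience, known_users, now,
                   pending_request_ids=None, skew=timedelta(minutes=3)):
    """Return the list of failed checks; an empty list means the Response is accepted.

    pending_request_ids=None means the SP is accepting an unsolicited (IdP-initiated)
    Response, which must then carry no InResponseTo at all. Otherwise InResponseTo
    must match one of the SP's outstanding AuthnRequest IDs.
    """
    failures = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]

    # 1) Issuer must match the configured value.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        failures.append("issuer %r does not match %r" % (issuer, expected_issuer))

    # 2) Signature must apply to the entire Response: a Signature that is only a
    #    child of the Assertion, or whose Reference points at the Assertion ID,
    #    does not satisfy this.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        failures.append("no ds:Signature on the Response element")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + (root.get("ID") or ""):
            failures.append("signature Reference does not cover the Response ID")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        failures.append("no Assertion in the Response")
        return failures

    # 3) Subject must be an existing account.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in known_users:
        failures.append("subject %r is not a known account" % name_id)

    # 4) AudienceRestriction must name this SP.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        failures.append("audience %r missing from %r" % (expected_audience, audiences))

    # 5) NotBefore / NotOnOrAfter, tolerating a clock skew of +/- skew.
    cond = assertion.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or noa is None:
        failures.append("NotBefore/NotOnOrAfter missing")
    else:
        if now + skew < _parse_time(nb):
            failures.append("assertion not yet valid")
        if now - skew >= _parse_time(noa):
            failures.append("assertion expired")

    # InResponseTo handling differs between SP-initiated and unsolicited flows.
    irt = root.get("InResponseTo")
    if pending_request_ids is None:
        if irt is not None:
            failures.append("unsolicited response must not carry InResponseTo")
    elif irt not in pending_request_ids:
        failures.append("InResponseTo %r matches no outstanding request" % irt)
    return failures


def sample_response(sign_assertion_only=False, in_response_to=None):
    """Constructed sample Response (not a real IdP message; SignatureValue is a placeholder)."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1"%s>'
        '<saml:Issuer>' + EXPECTED_ISSUER + '</saml:Issuer>%s'
        '<saml:Assertion ID="_a1"><saml:Issuer>' + EXPECTED_ISSUER + '</saml:Issuer>%s'
        '<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="2011-01-03T19:00:00Z" NotOnOrAfter="2011-01-03T19:05:00Z">'
        '<saml:AudienceRestriction><saml:Audience>' + EXPECTED_AUDIENCE + '</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], irt,
         "" if sign_assertion_only else sig % (NS["ds"], "_resp1"),
         sig % (NS["ds"], "_a1") if sign_assertion_only else "")


if __name__ == "__main__":
    args = (EXPECTED_ISSUER, EXPECTED_AUDIENCE, KNOWN_USERS, sample_now())
    print("whole-response signature, unsolicited:", check_response(sample_response(), *args))
    print("assertion-only signature:", check_response(sample_response(sign_assertion_only=True), *args))
    print("InResponseTo on unsolicited:", check_response(sample_response(in_response_to="_req1"), *args))
```

The InResponseTo branch is the part that matters for the jury-rigged IdP-initiated flow discussed above: an SP that always requires InResponseTo to match an outstanding request will reject every unsolicited Response, whereas one that accepts unsolicited Responses must instead insist that InResponseTo be absent, so that a Response replayed from some other SP's request cannot be passed off as unsolicited.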


