Adding assertion consumer service


Ben Andries
Hello,

I've been working on setting up a Shibboleth on my SP so that I can protect an IIS site that has Subject Alternative Names.  The site is currently working after I defined an alias under the site id (following this: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPISAPI) and modified the Metadata manually with additional ACS settings for the new hostname.  Here's my question: is there a way to have the metadata generate the additional ACS settings without having to manually modify the metadata file (so that adding an Alias and hostname adds the additional ACS entries in the metadata)?  While manually adding the additional ACS settings works for now, I think it would save us a lot of headaches in the future if they were automatically added.

Ben

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: Adding assertion consumer service

Peter Schober
* Ben Andries <[hidden email]> [2018-06-01 14:06]:

> I've been working on setting up a Shibboleth on my SP so that I can protect
> an IIS site that has Subject Alternative Names.  The site is currently
> working after I defined an alias under the site id (following this:
> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPISAPI) and
> modified the Metadata manually with additional ACS settings for the new
> hostname.  Here's my question, is there a way to have the metadata generate
> the additional ACS settings without having to manually modify the metadata
> file (so that adding an Alias and hostname add the additional ACS entries
> in the metadata)?  While manually adding the additional ACS settings works
> for now, I think it would save us a lot of headaches in the future if they
> were automatically added.

I doubt it, as at least on httpd the SP has no idea about what vhosts
may be defined, unless it's being accessed with one Host request
header.

If the MS-IIS version in fact had all the data available I guess it's
conceivable for the SP to generate those ACS URL endpoints, too.
You can always file an improvement issue in the issue tracker?

Of course the larger issue is that the system cannot ever produce
metadata about itself automatically that's correct on all
accounts. (Key roll-over being the usual example: The SP may have
key material defined that should not be published, yet or anymore.)

So when you have to always modify the metadata before giving it to
anyone else anyway you might as well own the process of adding the ACS
URLs you want?

E.g. I wrote a simple Perl script a decade ago that produced SAML
Metadata describing an SP (or a bunch of them) from an SQL query of
defined vhosts (yes, the vhosts themselves were defined in an SQL
table). It's just XML and public keys, after all.

-peter
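The approach Peter describes (own the metadata generation yourself, feed it the list of hostnames you actually serve, and publish only the keys you intend to publish) as an added example. This is not Peter's Perl script, not Shibboleth's own Metadata handler, and not part of the original thread. It assumes the default Shibboleth SP handler paths under /Shibboleth.sso/, takes the hostname list and the certificates as plain Python inputs (swap in your SQL query or IIS site bindings), and uses a constructed placeholder in place of a real base64 X.509 certificate. It also includes a check that reports which ACS endpoints an existing metadata file lacks for a given set of hostnames, which is the step Ben is currently doing by hand.

```python
"""Generate SAML 2.0 SP metadata with one set of ACS endpoints per hostname.

Added example, not the Shibboleth project's code. Paths follow the default
Shibboleth SP handler layout (/Shibboleth.sso/SAML2/...); the entityID,
hostnames and certificate strings below are constructed sample input.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Default Shibboleth SP ACS handlers and the binding each one speaks.
# POST comes first so that index 1 (the default) is the HTTP-POST endpoint.
ACS_PROFILES = (
    ("SAML2/POST", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"),
    ("SAML2/POST-SimpleSign", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"),
    ("SAML2/Artifact", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"),
)


def acs_endpoints(hostnames):
    """Return (index, binding, location) for every hostname x profile pair.

    The index is unique across the whole SPSSODescriptor, as the metadata
    schema requires, and must fit xs:unsignedShort."""
    out = []
    index = 1
    for host in hostnames:
        for path, binding in ACS_PROFILES:
            if index > 65535:
                raise ValueError("too many ACS endpoints for unsignedShort index")
            out.append((index, binding, f"https://{host}/Shibboleth.sso/{path}"))
            index += 1
    return out


def build_sp_metadata(entity_id, hostnames, signing_certs, encryption_certs):
    """Build an md:EntityDescriptor as a string.

    Only the certificates passed in are published: a key that is staged for
    roll-over but not yet in use simply stays out of these lists."""
    if not hostnames:
        raise ValueError("at least one hostname is required")
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    spsso = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    # Schema order inside SPSSODescriptor: KeyDescriptor, SingleLogoutService,
    # AssertionConsumerService.
    for use, certs in (("signing", signing_certs), ("encryption", encryption_certs)):
        for cert_b64 in certs:
            kd = ET.SubElement(spsso, f"{{{MD_NS}}}KeyDescriptor", {"use": use})
            ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
            x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
            ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = cert_b64
    for host in hostnames:
        ET.SubElement(spsso, f"{{{MD_NS}}}SingleLogoutService", {
            "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "Location": f"https://{host}/Shibboleth.sso/SLO/Redirect",
        })
    for index, binding, location in acs_endpoints(hostnames):
        attrs = {"Binding": binding, "Location": location, "index": str(index)}
        if index == 1:
            attrs["isDefault"] = "true"
        ET.SubElement(spsso, f"{{{MD_NS}}}AssertionConsumerService", attrs)
    return ET.tostring(root, encoding="unicode")


def parse_acs(xml_text):
    """Read back every ACS endpoint as (index, binding, location)."""
    root = ET.fromstring(xml_text)
    return [(int(e.get("index")), e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]


def missing_endpoints(xml_text, hostnames):
    """Locations the hostnames need that the given metadata does not contain.

    Run this against the metadata you already hand to the federation after
    adding a new alias to the site; an empty set means nothing to edit."""
    present = {loc for _, _, loc in parse_acs(xml_text)}
    expected = {loc for _, _, loc in acs_endpoints(hostnames)}
    return expected - present


if __name__ == "__main__":
    # Constructed sample input; the certificate value is a placeholder, not a
    # real base64 DER certificate.
    hosts = ["sp.example.org", "alias.example.org"]
    cert = "MIIC-CONSTRUCTED-PLACEHOLDER"
    md = build_sp_metadata("https://sp.example.org/shibboleth", hosts, [cert], [cert])
    print(md)
    print("missing for new alias:", missing_endpoints(md, hosts + ["new.example.org"]))
```

The ACS index is what makes this worth scripting rather than copy-pasting: every endpoint in the descriptor needs a distinct index and exactly one should be the default, so hand-editing a second hostname into an existing file is where duplicate indices tend to creep in. Keep the certificate lists explicit so that a key staged for roll-over does not leak into published metadata before you intend it to.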