SAML 2 SSO profile not configured for relying party


SAML 2 SSO profile not configured for relying party

Jonathan Gershater
Forgive me for not getting this.

From the link "https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider":

The IdP's metadata file is: backingFile="/tmp/idp-metadata.xml", which is /opt/shibboleth-idp/conf/idp-metadata.xml.

The SP's metadata file is: metadataFile="/path/to/my/metadata-internal.xml" - is what? I don't find any file on the SP server in /etc/shibboleth that contains the SP's metadata...


------------------------------------------------------------------------------------------------------------------------

Scott Cantor wrote on 2009-06-18:


I think you're missing the fundamental IdP config instructions for metadata:

https://spaces.internet2.edu/display/SHIB2/IdPMetadataProvider

I would simply say that you need to get the metadata about the SP, stick it
in the IdP's metadata folder, and then look at that doc page or the examples
in the relying-party file to see how to load it.

-- Scott



Re: SAML 2 SSO profile not configured for relying party

Paul Hethmon
On 6/18/09 3:38 PM, "Jonathan Gershater" <jgershater@...> wrote:

The SP's metadata file is: metadataFile="/path/to/my/metadata-internal.xml" - is what? I don't find any file on the SP server in /etc/shibboleth that contains the SP's metadata...

The Shib SP has the ability to create a base metadata file that will usually need some tweaking. Scott is telling you to create that file for your SP in some way; starting with the auto-generated file is a good thing. But you will need to edit that file and then put it in the metadata directory of the IdP. Then, in relying-party.xml, you create the metadata reference to it. At that point, your IdP has the info it needs. Here’s a sample of one I put in my IdP’s to allow easy testing by defining SP metadata for a “localhost” SP:

<EntityDescriptor entityID="http://localhost/shibboleth-sp"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:clareity:safemls:nameid-format:loginid</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="http://localhost/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
</EntityDescriptor>

And for the record, I should not be defining the NameIDFormat using “urn” since I haven’t gone through the registration process for that namespace.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

God does not play dice with the universe; He plays an ineffable game of his own devising, which might be compared, from the perspective of any of the other players, to being involved in an obscure and complex version of poker in a pitch dark room, with blank cards, for infinite stakes, with a dealer who won't tell you the rules, and who smiles all the time.

 -- Terry Pratchett, Good Omens
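A pre-flight check of the kind this reply calls for, as an added example that is not part of the thread or of the Shibboleth project: it parses an SP EntityDescriptor before it is dropped into the IdP's metadata folder and reports anything that would leave the IdP unable to select a SAML 2 SSO profile for that relying party (no SP role, no SAML 2.0 protocol support, no HTTP-POST AssertionConsumerService, entityID not matching what the SP actually sends). The function name and the embedded sample metadata are constructed, modelled on the localhost SP above.

```python
"""Sanity-check SP metadata before handing it to the IdP (added example)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, modelled on the localhost SP metadata in the thread.
SAMPLE_SP_METADATA = """<EntityDescriptor entityID="http://localhost/shibboleth-sp"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost/Shibboleth.sso/SAML2/POST"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def check_sp_metadata(xml_text: str, expected_entity_id: str) -> list:
    """Return the problems that would stop the IdP from picking a SAML 2 SSO
    profile for this relying party; an empty list means the file looks usable."""
    problems = []
    root = ET.fromstring(xml_text)  # metadata is a local, operator-edited file
    if root.tag != "{%s}EntityDescriptor" % MD:
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        # The IdP matches a relying party by exact entityID string comparison.
        problems.append("entityID %r != SP's configured %r" % (entity_id, expected_entity_id))
    sp = root.find("{%s}SPSSODescriptor" % MD)
    if sp is None:
        return problems + ["no SPSSODescriptor: the IdP sees no SP role at all"]
    protocols = (sp.get("protocolSupportEnumeration") or "").split()
    if SAML2_PROTOCOL not in protocols:
        problems.append("SPSSODescriptor does not list the SAML 2.0 protocol")
    acs = sp.findall("{%s}AssertionConsumerService" % MD)
    if not any(a.get("Binding") == HTTP_POST and a.get("Location") for a in acs):
        problems.append("no AssertionConsumerService with HTTP-POST binding and Location")
    for a in acs:
        loc = a.get("Location", "")
        if loc and not loc.startswith("https://"):
            # Assertions would be POSTed over cleartext; acceptable for localhost tests only.
            problems.append("ACS Location %s is not https" % loc)
    return problems


if __name__ == "__main__":
    for p in check_sp_metadata(SAMPLE_SP_METADATA, "http://localhost/shibboleth-sp") or ["OK"]:
        print(p)
```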


Re: SAML 2 SSO profile not configured for relying party

Jonathan Gershater
This is resolved.
Thanks for your help!
