Quantcast

The DSP identifier you specified is invalid

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

The DSP identifier you specified is invalid

hanaa
Hi,

I am running Shibb SP 2.0 to authenticate athens users in OpenAthens Federation metadata.

the authentication process was running just fine, but recently am getting the error below at the Identity Provider (Idp). checking shibd.log file found as below. am wondering if i should specify  the "AssertionconsumerserviceURL" in the SAML request? if so how to do so?

" The DSP identifier you specified is invalid"


2013-05-31 23:57:52 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]: marshalled message:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceIndex="1" Destination="https://auth.athensams.net/oahf/67239361" ID="_f09211a4dce6f52c698598d9f66051d4" IssueInstant="2013-06-01T03:57:52Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://server-name/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/></samlp:AuthnRequest>
2013-05-31 23:57:52 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]: message encoded, sending redirect to client.

Thanks,
Hanaa
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: The DSP identifier you specified is invalid

Nate Klingenstein
Hanaa,

> the authentication process was running just fine, but recently am getting
> the error below at the Identity Provider (Idp). checking shibd.log file
> found as below. am wondering if i should specify  the
> "AssertionconsumerserviceURL" in the SAML request? if so how to do so?

Either an AssertionConsumerServiceIndex or an AssertionConsumerServiceURL is fine as far as Shibboleth and the specification go.  OpenAthens may have its own requirements.  Your problem description would indicate that they changed something.

> " The DSP identifier you specified is invalid"

This appears to be an OpenAthens error message, not a Shibboleth error message, and I'm not sure what a DSP is.  I'd ask them.

Thanks,
Nate.
--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: The DSP identifier you specified is invalid

Cantor, Scott E.
In reply to this post by hanaa
On 6/10/13 4:51 PM, "hanaa" <[hidden email]> wrote:
>
>the authentication process was running just fine, but recently am getting
>the error below at the Identity Provider (Idp). checking shibd.log file
>found as below. am wondering if i should specify  the
>"AssertionconsumerserviceURL" in the SAML request? if so how to do so?

You shouldn't have to do anything unless you're running something so out
of date that your system is open to a bunch of serious security attacks,
that's why I'm asking. The default is to send the URL by value, not by
index.

-- Scott


--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: The DSP identifier you specified is invalid

hanaa
In reply to this post by Nate Klingenstein
yes, i have been contact with OpenAthens IDP operator, what i learned idp requires "AssertionConsumerServiceURL" not "AssertionConsumerServiceIndex".

I am not sure how can i send the "AssertionConsumerServiceURL" in the SAML request instead. I am running SHibboleth SP 2.0. is there any way i can do this, i would really appreciate your help.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: The DSP identifier you specified is invalid

hanaa
In reply to this post by Cantor, Scott E.
Scott - yes shibboleth SP (2.0) we running is out of date. we may have upgrade later, but for this problem how can i send "AssertionconsumerserviceURL" instead of index?

Thank you very much in advance.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: The DSP identifier you specified is invalid

Cantor, Scott E.
On 6/11/13 9:58 AM, "hanaa" <[hidden email]> wrote:

>Scott - yes shibboleth SP (2.0) we running is out of date.

You have the gift of understatement.

> we may have
>upgrade later, but for this problem how can i send
>"AssertionconsumerserviceURL" instead of index?

Add acsByIndex="false" to the SessionInitiator element(s).

-- Scott


--
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: The DSP identifier you specified is invalid

hanaa
Thank you very much, Scott!

yes, now i am able to see AssertionconsumerserviceURL in SAML request.

Loading...