Service Provider - IdP Initiated with ExternalApplicationOverrides

Chris Stefano
Hello,

I've picked up an issue when using the "ExternalApplicationOverrides" method of defining "ApplicationOverride" in separate files.

If the application configuration hasn't yet been loaded and you attempt an IdP initiated authentication it fails with the following message:

> No destination registered for incoming message addressed to (<appid>/SAML2/POST)

For SP initiated authentication the ApplicationOverride loads fine and any subsequent IdP initiated authentication requests work thereafter.

Moving the ApplicationOverride back into the shibboleth2.xml file works so there is nothing wrong with the configuration.

I'm using Apache with mod_shib with the latest stable Shibboleth SP version 3.0.4 on an Ubuntu server.

For the time being, I've added a step to my deployment process to make an SP initiated authentication request to get the application configuration loaded, but would prefer not to have this workaround.

Any assistance is appreciated.


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Service Provider - IdP Initiated with ExternalApplicationOverrides

Chris Stefano
I was trying out some alternative configurations, reading up on entityIDSelf of the RequestMap (https://wiki.shibboleth.net/confluence/display/SP3/RequestMap) element, when I discovered a note in the wiki page about the applicationId attribute needing to have the value "default".

> A special requirement of this root element (RequestMap) is that it MUST contain an applicationId attribute with a value of "default", which in turn matches the required id attribute of the outer-most <ApplicationDefaults> element in the shibboleth2.xml file.

I updated my configuration and tested and now it works as expected.

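Added example, not part of the original posts and not Shibboleth's own code: a small Python check for the requirement quoted from the wiki, that the root RequestMap carries applicationId="default", run against constructed sample configurations. The function name, the `override_ids` parameter (the ids of the ApplicationOverride elements you have defined, whether inline or in external files) and the sample host name and id are assumptions.

```python
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"  # SP 3.x configuration namespace

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def lint_request_map(xml_text, override_ids=()):
    """Return a list of problems found in the RequestMap of an SP config.

    override_ids is a hypothetical parameter: the ids of the ApplicationOverride
    elements known to the deployment.
    """
    doc = ET.fromstring(xml_text)
    request_map = next((e for e in doc.iter() if _local(e.tag) == "RequestMap"), None)
    if request_map is None:
        return ["no <RequestMap> element found"]

    problems = []
    root_id = request_map.get("applicationId")
    if root_id != "default":
        problems.append(f'RequestMap applicationId is {root_id!r}, must be "default"')

    # Nested Host/Path elements may select an override; each id must be known.
    known = {"default", *override_ids}
    for el in request_map.iter():
        app_id = el.get("applicationId")
        if el is not request_map and app_id is not None and app_id not in known:
            problems.append(
                f"<{_local(el.tag)} name={el.get('name')!r}> maps to unknown applicationId {app_id!r}"
            )
    return problems

# Constructed sample input: the root element wrongly carries an override id.
BAD = f'''<RequestMapper type="Native" xmlns="{SP_NS}">
  <RequestMap applicationId="portal">
    <Host name="portal.example.org" applicationId="portal"/>
  </RequestMap>
</RequestMapper>'''
# Same map with the root set to "default", as the wiki note requires.
GOOD = BAD.replace('<RequestMap applicationId="portal">',
                   '<RequestMap applicationId="default">')

if __name__ == "__main__":
    for label, cfg in (("bad", BAD), ("good", GOOD)):
        print(label, lint_request_map(cfg, override_ids={"portal"}))
```

Running it in a deployment step before restarting shibd catches a wrong root value before any authentication request is attempted.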