List:       shibboleth-users
Subject:    Re: [Shib-Users] Emulating a Browser/Post in SAML 2 for 3rd party
From:       Chad La Joie <lajoie () itumi ! biz>
Date:       2010-04-22 13:12:40
Message-ID: 4BD04B48.7090405 () itumi ! biz

This has been covered numerous times on the list.  It's known as IdP
initiated Single Sign-On.  If the people wrote their own SAML SP there
is probably about a 50/50 chance of whether you can get this to work at
all since the Shib IdP does not currently support the 3rd Party Request
SAML extension.

Basically you need to create a SAML authentication request, send it to
the IdP in some fashion (you can use any binding going in, as long as
the metadata for the SP is correct the IdP will automatically pick the
POST binding for sending the outgoing message).  Note that the URL you
have below is NOT a POST binding which is the endpoint you were trying
to interact with.  What you have there is more like a Redirect binding.

On 4/22/10 9:06 AM, Michael McDermott wrote:
> Hello user group,
> I'm a bit stuck integrating the IdP with a third party SP that has set
> up their own homegrown SAML 2 SP.
> 
> They accept assertions in SAML 2 format, but require a Browser/Post
> Profile type interaction.  More or less the process is
> 
> 1) User logs into campus federation
> 2) Clicks on link that induces an IDP to generate a browser post
>    response for the third party's SP.
> 3) 3rd Party consumer service checks the assertions and then forwards
>    to the resource.
> 
> Any tips on how to craft the link or redirect to induce the browser
> post.  I've tried several variations of this (both GET and POST
> equivalent):
> 
> https://sso.cis-qas.brown.edu/idp/profile/SAML2/POST/SSO?SAMLRequest=[3rd party
> consumer service]&RelayState=[3rd party resource]
> 
> I get an error along the lines:
> 
> 19:37:29.058 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:85] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/POST/SSO
> 19:37:29.058 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
> 19:37:29.058 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:142] - Incoming request does not contain a login context, processing as first leg of request
> 19:37:29.058 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:280] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
> 19:37:29.058 - ERROR [org.opensaml.saml2.binding.decoding.HTTPPostDecoder:123] - Unable to Base64 decode SAML message
> 19:37:29.059 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:312] - Error decoding authentication request message
> org.opensaml.ws.message.decoder.MessageDecodingException: Unable to Base64 decode SAML message
> 
> I suspect I'm crafting the URL wrong but hours on google have not shed
> any light.
> 
> Thanks for any help,
> Mike
> 

-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
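The binding difference Chad points out above, as an added example in Python that is not part of this thread and is not Shibboleth or OpenSAML code. It builds a minimal AuthnRequest, encodes it the way the HTTP-Redirect binding (raw DEFLATE, base64, query string) and the HTTP-POST binding (base64 of the plain XML in a form field) each require, decodes both, and shows a POST-style decoder rejecting a bare URL placed in SAMLRequest with the same "Unable to Base64 decode" failure the quoted IdP log reports. All host names, URLs and function names are constructed placeholders.

```python
import base64
import binascii
import uuid
import zlib
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

# Added example: SAML 2.0 Redirect vs POST binding encoding, not IdP code.
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(issuer: str, acs_url: str, destination: str) -> str:
    """Minimal unsigned AuthnRequest asking the IdP to respond over HTTP-POST."""
    def attr(value: str) -> str:
        return escape(value, {'"': "&quot;"})
    request_id = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now}" '
        f'Destination="{attr(destination)}" ProtocolBinding="{POST_BINDING}" '
        f'AssertionConsumerServiceURL="{attr(acs_url)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def _deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header/trailer), as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def encode_redirect_binding(xml: str, sso_url: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect: DEFLATE, then base64, then URL-encode into the query string."""
    params = {"SAMLRequest": base64.b64encode(_deflate(xml.encode("utf-8"))).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_url + ("&" if "?" in sso_url else "?") + urlencode(params)


def query_param(url: str, name: str) -> Optional[str]:
    """First value of a query-string parameter, percent-decoding applied."""
    values = parse_qs(urlsplit(url).query).get(name)
    return values[0] if values else None


def decode_redirect_binding(url: str) -> Tuple[str, Optional[str]]:
    """Reverse of encode_redirect_binding: base64-decode, then inflate."""
    raw = base64.b64decode(query_param(url, "SAMLRequest") or "", validate=True)
    return zlib.decompress(raw, -15).decode("utf-8"), query_param(url, "RelayState")


def encode_post_binding(xml: str, relay_state: Optional[str] = None) -> Dict[str, str]:
    """HTTP-POST: base64 of the plain XML in a form body; no DEFLATE step."""
    form = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def decode_post_binding(form: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """What a POST-binding decoder does; mirrors the failure in the IdP log."""
    value = form.get("SAMLRequest")
    if value is None:
        raise ValueError("no SAMLRequest form field")
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        # A bare URL or entityID in SAMLRequest (as in the thread) lands here.
        raise ValueError("Unable to Base64 decode SAML message") from exc
    if not raw.startswith(b"<"):
        # Valid base64 but not XML: usually a DEFLATE-compressed Redirect payload.
        raise ValueError("decoded payload is not XML; was it DEFLATE-encoded "
                         "for the Redirect binding?")
    return raw.decode("utf-8"), form.get("RelayState")


if __name__ == "__main__":
    # Constructed placeholders, not real endpoints.
    idp = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
    acs = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
    req = build_authn_request("https://sp.example.org/shibboleth", acs, idp)
    print(encode_redirect_binding(req, idp, "https://sp.example.org/protected"))
    try:
        decode_post_binding({"SAMLRequest": acs, "RelayState": "https://sp.example.org/app"})
    except ValueError as err:
        print("POST decoder:", err)
```

The Redirect encoder percent-encodes the base64 characters `+`, `/` and `=` through `urlencode`, which is why the two bindings are not interchangeable: a Redirect-encoded value pasted into a POST form base64-decodes to compressed bytes rather than XML, and a bare URL in either place fails base64 validation outright. Which binding the IdP uses for its response is, as Chad notes, taken from the SP's metadata rather than from the inbound request.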