dissociate displayed URL from entityID ?


Rayene Ben Rayana

Oct 12, 2011, 9:27:12 AM10/12/11
to us...@shibboleth.net
Dear all,

Is there some way to dissociate the URL displayed in the browser from the entityID?

I have a URL https://something.local with a valid SSL certificate. It points to an authentication portal that allows us to authenticate our visitors before giving them Internet access. We want to add Shibboleth authentication to this portal.
However, we don't want to declare https://something.local as entityID in the community but something like https://mycompany.net/sp-portal.

Is this possible ?

Some extra info:
- Shibboleth 2.3.1 (Debian)
- Apache2

Thanks in advance,

Chad La Joie

Oct 12, 2011, 9:32:03 AM10/12/11
to Shib Users
The entityID has nothing to do with any of the URLs used by
Shibboleth. Our installers happen to generate an entityID based off
the hostname of the system but there is no requirement that be the
case (it's just easiest for our scripts).

The only requirement is that the entityID be a valid URI. So you can
craft any URL in a domain that you own or any URN using a namespace
stem that you own. Just make sure your configuration and metadata are
correct if you change the entityID.


--
Chad La Joie
www.itumi.biz
trusted identities, delivered
--
To unsubscribe from this list send an email to users-un...@shibboleth.net

Rayene Ben Rayana

Oct 12, 2011, 9:46:38 AM10/12/11
to Shib Users
Thanks for this prompt answer!

I'm a bit confused. There must be something I don't understand.

In the web browser, when I do not use the URL declared as entityID, I am able to:
- access the DS page
- select an IdP
- access the IdP page and fill in credentials.
But, when I submit, I get the following error:

Error Message: Invalid IdP URL (HTTP 404)

Of course, this does not happen when I use the URL configured as entityID.

Misconfiguration ?

Chad La Joie

Oct 12, 2011, 9:50:11 AM10/12/11
to Shib Users
You'll have to look at your logs. The entityID is never, ever used as
a URL. Its main purpose is as a key by which information is looked
up in metadata. If you're getting redirected to a bad URL then you
probably have a bad URL in your metadata.

On Wed, Oct 12, 2011 at 09:46, Rayene Ben Rayana

Peter Schober

Oct 12, 2011, 9:53:37 AM10/12/11
to us...@shibboleth.net
* Rayene Ben Rayana <rayene.b...@gmail.com> [2011-10-12 15:47]:

> In the web browser, when I do not use the url declared as entityID

You never "use" an entityID. You set it in the software and
communicate metadata that contains this. It's a name, nothing else.
You can easily see this when you change your entityID to a URN, since
these do not "resolve" to anything (without special systems).

> I am
> able to :
> - access the DS page
> - select an IdP
> - access the IdP page and fill credentials.
> But, when I submit, I get the following error :
>

> *Error Message: Invalid IdP URL (HTTP 404)*

What does "access the DS page" mean, specifically? You'll need to
access a SAML service provider, which in turn may redirect you to a
DS, which (with SAML2) will redirect you back to the SP, which in turn
will issue a SAML authentication request to the IdP, which then might
ask you to authenticate and will then send you off to the SP with a SAML
protocol message.
So without an SP there's no authentication request and there's nothing
for the IdP to do after authentication.

But none of this should have anything to do with the content of the
string of the entityIDs used.
-peter

Rayene Ben Rayana

Oct 12, 2011, 10:40:23 AM10/12/11
to us...@shibboleth.net
You're right,

I just figured out the problem. I was declaring to the community an absolute AssertionConsumerService location that starts with my entityID's domain name (https://mycompany.net/SAML2/POST).
The community declaration web form does not seem to accept relative URLs, so I had to change it to https://something.local/SAML2/POST and it seems to work now :)

Thank you very much for your help !

Peter Schober

Oct 12, 2011, 12:45:34 PM10/12/11
to us...@shibboleth.net
* Rayene Ben Rayana <rayene.b...@gmail.com> [2011-10-12 16:41]:

> The community declaration web form does not seem to accept relative
> urls so I had to change it to https://something.local/SAML2/POST and
> it seems to work now :)

No idea what a "community declaration web form" is but good to hear
you got it to work.

Rayene Ben Rayana

Oct 12, 2011, 2:58:54 PM10/12/11
to Shib Users
To clarify, in case there are more people in the same situation: to declare my SP as part of the RENATER test community (French educational network), I had to fill in their web form.

Among the (metadata) fields to fill in this web form, there's the entityID but also the AssertionConsumerService url. The latter was wrong as I mentioned earlier. Updating it resolved the problem.

Old SP metadata declaration :
AssertionConsumerService url : https://mycompany.net/SAML2/POST

New SP metadata declaration :
AssertionConsumerService url : https://something.local/SAML2/POST

Cheers,
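The two points the thread settles (an entityID is only a name that must be an absolute URI, while every AssertionConsumerService Location must be a real HTTPS URL on a host the SP actually answers on) can be turned into a metadata sanity check. The following is an added example, not code from the thread, from RENATER or from the Shibboleth project. It builds a minimal SPSSODescriptor for the "old" and "new" declarations from the last message and flags the mismatch that produced the HTTP 404; the `served_hosts` set (the hostnames Apache serves the SP on) and the URN entityID are assumptions for the example.

```python
"""Sanity-check SP metadata: entityID is a name, ACS Location must be a served URL.

Added example for the thread above; metadata documents below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def sp_metadata(entity_id: str, acs_location: str) -> str:
    """Return a minimal (constructed) SP EntityDescriptor with one HTTP-POST ACS."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        f'entityID="{entity_id}">'
        '<md:SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AssertionConsumerService index="1" '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="{acs_location}"/>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
    )


def is_absolute_uri(value: str) -> bool:
    """True for any absolute URI: an https URL or a URN both qualify.

    The entityID is never fetched, so it only has to be a well-formed, unique name.
    """
    parts = urlparse(value)
    return bool(parts.scheme) and (bool(parts.netloc) or bool(parts.path))


def check_metadata(xml_text: str, served_hosts: set) -> list:
    """Return a list of problems found in the SP metadata (empty list == OK).

    served_hosts: hostnames the SP's web server really answers on (assumption:
    operator-supplied, e.g. from the Apache ServerName/ServerAlias directives).
    """
    problems = []
    root = ET.fromstring(xml_text)

    entity_id = root.get("entityID", "")
    if not is_absolute_uri(entity_id):
        problems.append(f"entityID {entity_id!r} is not an absolute URI")

    # Unlike the entityID, every ACS Location is a URL the IdP will POST to,
    # so it must be absolute, https, and live on a host this SP serves.
    for acs in root.findall(".//md:AssertionConsumerService", MD_NS):
        location = acs.get("Location", "")
        parts = urlparse(location)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"ACS Location {location!r} is not an absolute https URL")
            continue
        if parts.hostname not in served_hosts:
            problems.append(
                f"ACS Location {location!r} is on {parts.hostname!r}, "
                "which this SP does not serve (IdP response will land on the wrong host)"
            )
    return problems


if __name__ == "__main__":
    hosts = {"something.local"}  # constructed: what Apache actually serves
    old = sp_metadata("https://mycompany.net/sp-portal", "https://mycompany.net/SAML2/POST")
    new = sp_metadata("https://mycompany.net/sp-portal", "https://something.local/SAML2/POST")
    urn = sp_metadata("urn:example:sp-portal", "https://something.local/SAML2/POST")
    for label, doc in (("old", old), ("new", new), ("urn entityID", urn)):
        print(label, check_metadata(doc, hosts) or "OK")
```

Run against the "old" declaration the check reports the ACS host mismatch; the "new" declaration and the variant with a URN entityID both pass, which is exactly the point made earlier in the thread: the entityID string never has to resolve, only the endpoint URLs do.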