redirect.validation for Shibboleth SP


Victoriano Giralt

Feb 8, 2012, 4:35:04 PM
to simple...@googlegroups.com

Hi all, this might not be the /right/ place, but it might be possible
that someone in this group has encountered this issue.

I have to include a Shibboleth 2.4.3 SP in our Confia federation, that
requires redirect validation (we also require assertion signing and
encryption, but I know how to deal with those).

I know how to do this easily with SimpleSAML but I cannot find how to
do it with the Shibboleth SP.

Ideas? Suggestions? RTFMs?

Thanks.
- --
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
- -
A: Yes.
> Q: Are you sure ?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email ?


Tom Scavo

Feb 8, 2012, 4:54:25 PM
to simple...@googlegroups.com
On Wed, Feb 8, 2012 at 4:35 PM, Victoriano Giralt <victo...@uma.es> wrote:
>
> I have to include a Shibboleth 2.4.3 SP in our Confia federation, that
> requires redirect validation (we also require assertion signing and
> encryption, but I know how to deal with those).
>
> I know how to do this easily with SimpleSAML but I cannot find how to
> do it with the Shibboleth SP.
>
> Ideas? Suggestions? RTFMs?

I don't know what "redirect validation" is but if you have questions
about Shibboleth, you should probably ask them on the Shibboleth users
mailing list.

Tom

Victoriano Giralt

Feb 8, 2012, 5:26:08 PM
to simple...@googlegroups.com

On 8/2/12 22:54, Tom Scavo wrote:
Thanks Tom for such a fast response

> I don't know what "redirect validation" is but if you have
> questions about Shibboleth, you should probably ask them on the
> Shibboleth users mailing list.

Well, the main reason is that I can't seem to force myself to subscribe
to yet another list :)

"redirect validation" in SimpleSAML parlance seems to mean that the
RPs should verify the validity/integrity of received messages. From
the docs:

In simplesamlphp-reference-idp-hosted.txt
"""
Signing of logout requests and logout responses can be enabled by
setting the `redirect.sign` option. Validation of received messages
can be enabled by the `redirect.validate` option.

These options set the default for this IdP, but options for each SP
can be set in `saml20-sp-remote`. Note that you need to add a
certificate for each SP to be able to validate signatures on
messages from that SP.

`redirect.validate`
: Whether authentication requests, logout requests and logout
responses received sent from this IdP should be validated.
"""

In simplesamlphp-reference-idp-remote.txt
"""
`redirect.validate`: Whether logout requests and logout responses
received from this IdP should be validated. The default is `FALSE`.
"""

In simplesamlphp-reference-sp-remote.txt
"""
`certificate`
: Name of certificate file for this SP. The certificate is used to
verify the signature of messages received from the SP (if
`redirect.validate` is set to `TRUE`), and to encrypt assertions
(if `assertion.encryption` is set to `TRUE` and `sharedkey` is
unset.)
"""
"""
`redirect.validate`
: Whether authentication requests, logout requests and logout
responses received from this SP should be validated. The default is
`FALSE`
"""

Maybe this can give you clues to send me to the right RTFM.

Again, thanks.

- --
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
- -
A: Yes.
> Q: Are you sure ?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email ?

Olav Morken

Feb 9, 2012, 8:16:40 AM
to simple...@googlegroups.com
On Wed, Feb 08, 2012 at 23:26:08 +0100, Victoriano Giralt wrote:
> On 8/2/12 22:54, Tom Scavo wrote:
> Thanks Tom for such a fast response
>
> > I don't know what "redirect validation" is but if you have
> > questions about Shibboleth, you should probably ask them on the
> > Shibboleth users mailing list.
> Well, the main reason is that I can't seem force myself to subscribe
> to yet another list :)
>
> "redirect validation" in SimpleSAML parlance seems to mean that the
> RPs should verify the validity/integrity of received messages. From
> the docs:
[...]

The 'redirect.validate' option for SP configuration in simpleSAMLphp
is a bit unfortunate. The standard required LogoutRequest messages
and LogoutResponse messages to be signed, but simpleSAMLphp has never
had that requirement when configuring it.

The result of this is that we have a bit of a backwards-compatibility
problem. We cannot change the default on this option without breaking
backwards-compatibility.

However, I think that the Shibboleth SP validates these signatures by
default, so I do not think you need to adjust anything. Of course,
you may want to double-check this, since I am not very familiar with
Shibboleth.

(For a SP, logout messages are the only messages that are received via
the HTTP-Redirect binding, so any other messages do not matter here in
this context.)

Best regards,
Olav Morken
UNINETT / Feide
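As an added illustration (not part of the thread, nor SimpleSAMLphp's own documentation) of the options Victoriano quoted and the point Olav makes about the HTTP-Redirect binding, here is a SimpleSAMLphp IdP-side remote-SP metadata entry written the weak way and then the hardened way. The entityID, endpoint URLs and certificate file name are assumed placeholders; the option keys are the ones the quoted reference documents describe.

```php
<?php
// saml20-sp-remote.php on the SimpleSAMLphp IdP side. Entry for a
// Shibboleth SP; all identifiers below are constructed placeholders.

// Weak: relies on the default redirect.validate = FALSE, so a
// LogoutRequest/LogoutResponse arriving over HTTP-Redirect is accepted
// without checking its signature, and there is no certificate on file
// with which to check it anyway.
$metadata['https://sp.example.org/shibboleth'] = array(
    'AssertionConsumerService' => 'https://sp.example.org/Shibboleth.sso/SAML2/POST',
    'SingleLogoutService'      => 'https://sp.example.org/Shibboleth.sso/SLO/Redirect',
    // 'redirect.validate' omitted: defaults to FALSE
);

// Hardened: the SP's certificate is stored in the IdP's cert directory
// and used for two things the quoted docs describe: verifying
// redirect-bound message signatures (redirect.validate) and encrypting
// assertions for this SP (assertion.encryption, with sharedkey unset).
$metadata['https://sp.example.org/shibboleth'] = array(
    'AssertionConsumerService' => 'https://sp.example.org/Shibboleth.sso/SAML2/POST',
    'SingleLogoutService'      => 'https://sp.example.org/Shibboleth.sso/SLO/Redirect',
    'certificate'              => 'sp.example.org.crt',   // assumed file name in cert/
    'redirect.validate'        => true,  // reject unsigned/badly signed logout messages
    'assertion.encryption'     => true,  // encrypt assertions to the SP's certificate
);
```

On the IdP-hosted side (`saml20-idp-hosted.php`) the matching per-IdP defaults are `'redirect.sign' => true` so the IdP signs its own redirect-bound logout messages, and `'redirect.validate' => true` as the default for all SPs that do not override it.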
