[Shib-Users] What's new in Shibboleth 2 for SP?


Winson Quock

Feb 24, 2009, 7:59:55 PM
to shibbole...@internet2.edu
Hi,

I have my own SP implementation based on shibboleth 1.3 and it is time to upgrade to 2.0.

However, as I look around internet2.edu, especially https://spaces.internet2.edu/display/SHIB2/TechnicalSpecs, I couldn't find anything I need to do specially to support 2.0. For example, the protocol spec and the conformance spec

 http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-200509.pdf
 http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-conformance-200509.pdf

are identical links as those found in https://spaces.internet2.edu/display/SHIB/TechnicalSpecs for 1.3.

The only difference I notice is the IdP Discovery. Is that the only addition I need to support as a conforming 2.0 SP? Is it optional, as the Shibboleth conformance spec is still the old one, which does not mention this?

Thanks a lot!

Scott Cantor

Feb 24, 2009, 8:17:41 PM
to shibbole...@internet2.edu
Winson Quock wrote on 2009-02-24:
> are identical links as those found in
> https://spaces.internet2.edu/display/SHIB/TechnicalSpecs for 1.3.

Well, yes, if you ignore SAML 2.0. Shibboleth 2 is a SAML 2 implementation
that happens to support older, legacy behavior on top of SAML 1.1.



> The only difference I notice is for the IdP Discovery. Is that the only
> addition I need to support as a conforming 2.0 SP? Is it optional as the
> shibboleth conforming spec is still the old one without mentioning this.

That conformance note is for the legacy extensions and profiles to SAML 1.1,
which are historical. The full set of behaviors that the software follows
are spread across all the specifications listed, assuming it's up to date.

What you support of SAML 2 probably depends on the options you feel are
needed in the context in which you're writing your own SP for some reason.

-- Scott


RL 'Bob' Morgan

Feb 24, 2009, 8:39:32 PM
to Shib Users List

> I have my own SP implementation based on shibboleth 1.3 and it is time
> to upgrade to 2.0.

If your interest is in interoperating with IdPs in the InCommon
Federation, note that InCommon does not yet have a profile for SAML 2.
We'll have to do one, I suppose, as part of adding support for SAML 2 to
the federation, but it isn't there yet. It is my impression that most of
the other national higher ed federations are in more or less the same
situation.

As Scott implied, to interop with Shib 1.3 IdPs you continue to follow
those SAML 1.1 profiles regardless of whether you're using Shib 1.3 or
Shib 2.x.

- RL "Bob"

Winson Quock

Feb 24, 2009, 8:51:58 PM
to cant...@osu.edu, shibbole...@internet2.edu
SAML 2 support is a myth to me. It seems that SAML 2 is already optional in 1.3. Our SP implementation had it done anyway. I thought that it would become required in Shibboleth 2.

But as I'm testing with testshibb now, if I remove my SAML 1.1 profiles, testshibb-two cannot proceed and reports an error (see stack trace below). So that implies one does not have to support SAML 2 to be shibb 2.0 conformant at all.

Also from your reply, I take it that IdP Discovery is optional as well (besides, it does not apply to our SP, which already includes the WAYF page and needs no discovery service).

Thanks


20:35:04.807 DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:126] - Looking up relying party configuration for https://ithaki/shibboleth
20:35:04.808 DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:132] - No custom relying party configuration found for https://ithaki/shibboleth, looking up configuration based on metadata groups.
20:35:04.808 DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:155] - No custom or group-based relying party configuration found for https://ithaki/shibboleth. Using default relying party configuration.
20:35:04.809 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:78] - Selecting endpoint from metadata corresponding to provided ACS URL: https://ithaki/action/samlACS
20:35:04.810 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:82] - Relying party role contains 1 endpoints
20:35:04.810 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOEndpointSelector:101] - No endpoint meets selection criteria for SAML entity https://ithaki/shibboleth
20:35:04.811 ERROR [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:396] - No return endpoint available for relying party https://ithaki/shibboleth
20:35:04.812 ERROR [edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet:85] - Error processing profile request
edu.internet2.middleware.shibboleth.common.profile.ProfileException: No peer endpoint available to which to send SAML response
    at edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler.populateProfileInformation(AbstractSAMLProfileHandler.java:397) [shibboleth-identityprovider-2.1.2.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler.populateRequestContext(AbstractSAMLProfileHandler.java:283) [shibboleth-identityprovider-2.1.2.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler.populateRequestContext(AbstractSAML1ProfileHandler.java:155) [shibboleth-identityprovider-2.1.2.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler.buildRequestContext(ShibbolethSSOProfileHandler.java:305) [shibboleth-identityprovider-2.1.2.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler.completeAuthenticationRequest(ShibbolethSSOProfileHandler.java:238) [shibboleth-identityprovider-2.1.2.jar:na]
    at edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler.processRequest(ShibbolethSSOProfileHandler.java:123) [shibboleth-identityprovider-2.1.2.jar:na]


Scott Cantor

Feb 24, 2009, 9:09:31 PM
to shibbole...@internet2.edu
> SAML 2 support is a myth to me.

Migrating deployments takes time.



> It seems that SAML 2 is already optional in
> 1.3. Our SP implementation had it done anyway. I thought that it would
> become required in Shibboleth 2.

There's nothing to "require". Shibboleth 2 supports the final standard,
which people should use where possible, and supports backward compatibility
to help them get there.

1.3 never had any semblance of SAML 2 support. If you already supported it
in your original implementation, then I imagine you're done.

> But as I'm testing with testshibb now, if I remove my SAML1.1 profiles,
> testshibb-two cannot proceed and reports error (see stack trace below:) So
> that implies one does not have to support SAML 2 to be shibb 2.0 conformant
> at all.

There is no such thing as "Shib conformant" anymore, and the behavior you're
talking about is because you're invoking the IdP with a legacy Shibboleth
request. Of course it's looking for SAML 1.1 support. If you send it a SAML
2 request, it will look for SAML support, obviously.

> Also from your reply, I take that IdP Discovery is optional as well (besides
> it does not apply to our SP which already includes the WAYF page and need no
> discovery service.)

It's optional, and like much of the specs, supporting it depends on what you
want to accomplish. My SP includes discovery as well, but not everybody
wants to do discovery the same way.

-- Scott
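Scott's point above, that the IdP chooses a return endpoint from the SP's metadata according to the protocol the incoming request speaks, is what the posted log shows failing ("No endpoint meets selection criteria"). The following is an added example, not code from the thread or from the Shibboleth IdP, that mimics that selection step in Python. The entityID and ACS URL are taken from the log; the two metadata documents, the choice of browser-post bindings for each request style, and the function names are assumptions for the example. It also shows the security property behind the error: an assertion is only ever returned to a Location registered in metadata, so a request naming some other URL gets no endpoint at all.

```python
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Standard OASIS URIs. A legacy Shibboleth 1.x request (providerId/shire/target)
# needs a SAML 1.1 endpoint; a SAML 2 AuthnRequest needs a SAML 2 endpoint.
SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1_POST_BINDING = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
SAML2_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ENTITY_ID = "https://ithaki/shibboleth"          # from the posted log
ACS_URL = "https://ithaki/action/samlACS"        # from the posted log

# Constructed SP metadata: the "SAML 1.1 profiles removed" situation from the
# thread. Only a SAML 2 AssertionConsumerService is registered.
SP_METADATA_SAML2_ONLY = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="{ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:AssertionConsumerService index="1"
        Binding="{SAML2_POST_BINDING}" Location="{ACS_URL}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SP metadata advertising both protocols at the same Location,
# which is how an SP keeps working with Shib 1.3 IdPs while adding SAML 2.
SP_METADATA_BOTH = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="{ENTITY_ID}">
  <md:SPSSODescriptor
      protocolSupportEnumeration="{SAML1_PROTOCOL} {SAML2_PROTOCOL}">
    <md:AssertionConsumerService index="1"
        Binding="{SAML1_POST_BINDING}" Location="{ACS_URL}"/>
    <md:AssertionConsumerService index="2"
        Binding="{SAML2_POST_BINDING}" Location="{ACS_URL}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def select_endpoint(metadata_xml, entity_id, acs_url, legacy_shib_request):
    """Pick the AssertionConsumerService the IdP may post a response to.

    Returns {"location": ..., "binding": ...} or None when nothing matches,
    which is the condition behind "No peer endpoint available" in the log.
    Assumes a single EntityDescriptor document (no EntitiesDescriptor wrapper).
    """
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        return None                      # unknown relying party
    sp = root.find(f"{{{NS_MD}}}SPSSODescriptor")
    if sp is None:
        return None                      # entity is not an SP
    if legacy_shib_request:
        wanted_protocol, wanted_binding = SAML1_PROTOCOL, SAML1_POST_BINDING
    else:
        wanted_protocol, wanted_binding = SAML2_PROTOCOL, SAML2_POST_BINDING
    # The role must claim the protocol, and the endpoint must match both the
    # requested Location and the binding the protocol uses. The Location check
    # is what stops a forged request from redirecting assertions elsewhere.
    if wanted_protocol not in sp.get("protocolSupportEnumeration", "").split():
        return None
    for acs in sp.findall(f"{{{NS_MD}}}AssertionConsumerService"):
        if acs.get("Location") == acs_url and acs.get("Binding") == wanted_binding:
            return {"location": acs_url, "binding": wanted_binding}
    return None


if __name__ == "__main__":
    for name, md in (("saml2-only", SP_METADATA_SAML2_ONLY), ("both", SP_METADATA_BOTH)):
        for legacy in (True, False):
            style = "legacy Shib 1.x request" if legacy else "SAML 2 AuthnRequest"
            print(name, style, "->", select_endpoint(md, ENTITY_ID, ACS_URL, legacy))
    print("foreign ACS URL ->",
          select_endpoint(SP_METADATA_BOTH, ENTITY_ID, "https://attacker.example/acs", False))
```

With the SAML 2-only metadata, a legacy request yields None (the thread's error) while a SAML 2 AuthnRequest resolves the endpoint; with both bindings registered, each request style resolves to its own binding at the same Location. The real IdP reads metadata from a federation feed and applies more rules, but the two checks that matter here, protocol support and a registered Location, are the same.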

