[Shib-Users] testing Shibboleth against testshib.org


Deepesh Shah

Jul 9, 2009, 4:43:04 AM
to shibbole...@internet2.edu, cant...@osu.edu, steve....@ed.ac.uk, chad....@switch.ch, peter....@univie.ac.at
Scott,

as per your suggestions I am trying to add the hostnames in the
configuration file

<InProcess logger="native.logger">
<ISAPI normalizeRequest="true">
<!-- Maps IIS Instance ID values to the host name. -->
<!--<Site id="3" name="ssl.anatomy.tv" />-->
<<Site id="3" name="ssl.anatomy.tv"
scheme="https" sslport="443" host="ssl.anatomy.tv"/>
</ISAPI>
</InProcess>

but as soon as I add the host attribute the Shibd daemon stops working
any idea why?

I am pasting the contents of the file for your convenience, any help on
this will be of great help

_________________________________________ shibboleth.XML file _________________________________________

<!--
This is an example shibboleth2.xml generated for you by TestShib Two.
It's reduced and recommented
specifically for testing. You don't need to change anything, but you
may want to explore the file
to learn about how your SP works. Uncomment attributes in your
attribute-map.xml file to test them.

If you want to test advanced functionality, start from the distribution
shibboleth2.xml and add the
MetadataProvider, TestShib credentials, the right entityID, and a
SessionInitiator. More information:

https://spaces.internet2.edu/display/SHIB2/NativeSPConfiguration
-->

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="1800">

<!-- You might want to increase the top-level log sensitivity in
these files. -->
<OutOfProcess logger="shibd.logger" />
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true">
<!-- Maps IIS Instance ID values to the host name. -->
<!--<Site id="3" name="ssl.anatomy.tv" />-->
<Site id="3" name="ssl.anatomy.tv"
scheme="https" sslport="443" host="ssl.anatomy.tv"/>
</ISAPI>
</InProcess>

<!-- Settings for session storage and internal communication. -->
<TCPListener address="127.0.0.1" port="12345" acl="127.0.0.1"/>
<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem"
cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>

<!-- The RequestMap defines portions of the webspace to protect;
https://ssl.anatomy.tv/secure here. -->
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="https://ssl.anatomy.tv">
<Path name="secure" authType="shibboleth"
requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>

<!-- The entityID is the name TestShib made for your SP. -->
<ApplicationDefaults id="default" policyId="default"
REMOTE_USER="eppn"
entityID="https://ssl.anatomy.tv/shibboleth"
homeURL="https://ssl.anatomy.tv/default.aspx">

<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false">

<!--
SessionInitiators can request login many different ways.
This example sends users directly to the
TestShib IdP. If you want to use a different IdP that has
joined TestShib, just change this entityID.
-->

<SessionInitiator type="SAML2" Location="/TestShib"
isDefault="true" defaultACSIndex="1" id="TestShib"
entityID="https://idp.testshib.org/idp/shibboleth"
template="bindingTemplate.html" />

<!-- How and where the SP listens. -->
<md:AssertionConsumerService Location="/SAML2/POST"
index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML/POST" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<Handler type="MetadataGenerator" Location="/Metadata"
signing="false"/>
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<Handler type="Session" Location="/Session"/>
</Sessions>

<!-- Error pages to display to yourself if something goes
horribly wrong. -->
<Errors session="sessionError.html"
metadata="metadataError.html" access="accessError.html"
ssl="sslError.html"
supportContact="ds...@primalpictures.com"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>

<!-- TestShib Two's metadata lists all members of TestShib so
your SP can talk to them. -->
<MetadataProvider type="XML"
uri="http://www.testshib.org/metadata/testshib-two-metadata.xml"
backingFilePath="testshib-two-metadata.xml"
reloadInterval="180000" />

<!-- Attribute and trust options you shouldn't need to change.
-->
<TrustEngine type="ExplicitKey"/>
<AttributeExtractor type="XML" path="attribute-map.xml"/>
<AttributeResolver type="Query"/>
<AttributeFilter type="XML" path="attribute-policy.xml"/>

<!-- Your SP generated these credentials. They're used to talk
to IdP's. -->
<CredentialResolver type="File" key="sp-key.pem"
certificate="sp-cert.pem"/>

</ApplicationDefaults>

<!-- Security policies you shouldn't change unless you know what
you're doing. -->
<SecurityPolicies>
<Policy id="default" validate="false">
<Rule type="MessageFlow" checkReplay="true" expires="60"/>
<Rule type="ClientCertAuth" errorFatal="true"/>
<Rule type="XMLSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>

</SPConfig>


_________________________________________ shibboleth.XML file _________________________________________

Regards,

Deepesh

-----Original Message-----
From: Scott Cantor [mailto:]
Sent: 22 June 2009 15:44
To: shibbole...@internet2.edu
Subject: RE: [Shib-Users] Shibboleth & OpenAthens

Deepesh Shah wrote on 2009-06-22:
> what are the exact steps to provide Shibboleth Authentication i.e. to
> be only service provider.

Initially, you get the software functioning and protecting at least some
kind of sample content so you can see what it does.

After that, there are no "exact" steps. You have to integrate the
software into your application environment on some level.

> and now I am stuck on how to test the installation as per
> http://www.testshib.org/testshib-two/test.jsp#SP as we are getting
> error messages when we go to https://ssl.anatomy.tv/secure or
> https://ssl.anatomy.tv/Shibboleth.sso/status
>
> Shibboleth Error
>
> ISAPI extension can only be invoked to process Shibboleth protocol
> requests.Make sure the mapped file extension doesn't match actual
> content.

I think I already told you that the error was caused by incorrect
settings in your configuration. I believe you posted a configuration
that had URLs instead of hostnames in a couple of places.

-- Scott


Chad La Joie

Jul 9, 2009, 4:52:04 AM
to shibbole...@internet2.edu
What does the log file say?

Deepesh Shah wrote:
> but as soon as I add the host attribute the Shibd daemon stops working
> any idea why?

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Deepesh Shah

Jul 9, 2009, 4:57:56 AM
to shibbole...@internet2.edu
if I don't have the Host entry, and I access my url (https://ssl.anatomy.tv/shibboleth.sso) it gives us an error -2147467259 (0x80004005) and the log says no host specified in the site element.

however as soon as I add the host entry to the site, and restart the Shibboleth 2.0 Daemon Service it does not start the service and there is nothing logged into the C:\opt\shibboleth-sp\var\log\shibboleth\shibd.log file.

and the windows event viewer says

The HTTP Filter DLL C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll failed to load. The data is the error.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

that's it no further information.

is there any other way I can test my SP with some other IDP as our SP information is now added to the official http://metadata.ukfederation.org.uk/ukfederation-metadata.xml metadata

thanks for your prompt reply

Regards,

Deepesh

Chad La Joie

Jul 9, 2009, 5:01:48 AM
to shibbole...@internet2.edu

Deepesh Shah

Jul 9, 2009, 5:39:57 AM
to shibbole...@internet2.edu
even though the host is defined in the file

<InProcess logger="native.logger">
<ISAPI normalizeRequest="true">
<!-- Maps IIS Instance ID values to the host name. -->
<!--<Site id="3" name="ssl.anatomy.tv" />-->
<Site id="3" name="ssl.anatomy.tv" scheme="https" sslport="443" host="ssl.anatomy.tv"/>
</ISAPI>
</InProcess>

when I run shibd.exe -check

I get the message


C:\opt\shibboleth-sp\sbin>shibd.exe -check
2009-07-09 10:30:56 ERROR XMLTooling.ParserPool : error on line 21, column 91, message: Attribute 'host' is not declared for element 'Site'
2009-07-09 10:30:56 ERROR Shibboleth.Config : error while loading configuration from (C:/opt/shibboleth-sp/etc/shibboleth/shibboleth2.xml): error during XML parsing: Attribute 'host' is not declared for element 'Site'
2009-07-09 10:30:56 FATAL Shibboleth.Config : caught exception while loading configuration: error during XML parsing: Attribute 'host' is not declared for element 'Site'
configuration is invalid, check console for specific problems

C:\opt\shibboleth-sp\sbin>

and the ISAPI.DLL in the IIS goes red rather than being green.

if I do not have the host file entry in the file it displays the below message

C:\opt\shibboleth-sp\sbin>shibd.exe -check
overall configuration is loadable, check console for non-fatal problems

_______________________________________________________________________________________________________________

below are some lines from the shibd.log file which does not indicate any problems or error messages


2009-07-09 10:19:29 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (http://www.testshib.org/metadata/testshib-two-metadata.xml)
2009-07-09 10:19:33 INFO Shibboleth.Application : building TrustEngine of type ExplicitKey...
2009-07-09 10:19:33 INFO Shibboleth.Application : building AttributeExtractor of type XML...
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : loaded XML resource (C:/opt/shibboleth-sp/etc/shibboleth/attribute-map.xml)
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonPrincipalName
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.6
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonScopedAffiliation
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.9
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonAffiliation
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.1
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonEntitlement
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.7
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:mace:dir:attribute-def:eduPersonTargetedID
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.10
2009-07-09 10:19:33 INFO Shibboleth.AttributeExtractor.XML : creating mapping for Attribute urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
2009-07-09 10:19:33 INFO Shibboleth.Application : building AttributeFilter of type XML...
2009-07-09 10:19:33 INFO Shibboleth.AttributeFilter : loaded XML resource (C:/opt/shibboleth-sp/etc/shibboleth/attribute-policy.xml)
2009-07-09 10:19:33 INFO Shibboleth.Application : building AttributeResolver of type Query...
2009-07-09 10:19:33 INFO Shibboleth.Application : building CredentialResolver of type File...
2009-07-09 10:19:33 INFO XMLTooling.CredentialResolver.File : loading private key from file (C:/opt/shibboleth-sp/etc/shibboleth/sp-key.pem)
2009-07-09 10:19:33 INFO XMLTooling.CredentialResolver.File : loading certificate from file (C:/opt/shibboleth-sp/etc/shibboleth/sp-cert.pem)
2009-07-09 10:19:33 INFO Shibboleth.Listener : registered remoted message endpoint (default::getHeaders::Application)
2009-07-09 10:19:33 INFO Shibboleth.Listener : listener service starting
2009-07-09 10:27:08 INFO Shibboleth.Listener : listener service shutting down
2009-07-09 10:27:08 INFO Shibboleth.Config : shibboleth 2.1 library shutting down
2009-07-09 10:27:08 INFO Shibboleth.Listener : unregistered remoted message endpoint (default::getHeaders::Application)
2009-07-09 10:27:08 INFO Shibboleth.Listener : unregistered remoted message endpoint (default/TestShib::run::SAML2SI)
2009-07-09 10:27:08 INFO Shibboleth.Listener : unregistered remoted message endpoint (default/SAML2/POST)
2009-07-09 10:27:08 INFO Shibboleth.Listener : unregistered remoted message endpoint (default/SAML/POST)
2009-07-09 10:27:08 INFO Shibboleth.Listener : unregistered remoted message endpoint (default/Metadata)
2009-07-09 10:27:08 INFO Shibboleth.Listener : unregistered remoted message endpoint (default/Status)
2009-07-09 10:27:08 INFO Shibboleth.Listener : unregistered remoted message endpoint (find::StorageService::SessionCache)
2009-07-09 10:27:08 INFO Shibboleth.Listener : unregistered remoted message endpoint (remove::StorageService::SessionCache)
2009-07-09 10:27:08 INFO Shibboleth.Listener : unregistered remoted message endpoint (touch::StorageService::SessionCache)
2009-07-09 10:27:08 INFO XMLTooling.StorageService : cleanup thread finished
2009-07-09 10:27:08 INFO XMLTooling.XMLToolingConfig : xmltooling 1.1 library shutdown complete
2009-07-09 10:27:08 INFO OpenSAML.SAMLConfig : opensaml 2.1 library shutdown complete
2009-07-09 10:27:08 INFO Shibboleth.Config : shibboleth 2.1 library shutdown complete

Regards,

Deepesh

https://spaces.internet2.edu/display/SHIB2/NativeSPshibd

--

Lukas Haemmerle

Jul 9, 2009, 5:44:26 AM
to shibbole...@internet2.edu
Hello Deepesh

> as per your suggestions I am trying to add the hostnames in the
> configuration file
>
> <InProcess logger="native.logger">
> <ISAPI normalizeRequest="true">
> <!-- Maps IIS Instance ID values to the host name. -->
> <!--<Site id="3" name="ssl.anatomy.tv" />-->
> <<Site id="3" name="ssl.anatomy.tv"
> scheme="https" sslport="443" host="ssl.anatomy.tv"/>
> </ISAPI>
> </InProcess>
>
> but as soon as I add the host attribute the Shibd daemon stops working
> any idea why?

If you really had the configuration like above, it's no surprise it
didn't work because this is invalid xml (See "<<Site").

After editing the configuration file, first make sure it's still valid.
On Linux you maybe could use a tool like xmlwf (XML well-formed checker)
with "xmlwf /path/to/shibboleth2.xml" to make sure it's still valid XML.
On Windows, you could try to load the shibboleth2.xml in Firefox, which
will tell you if the XML is not well-formed.

Next, you should make sure that the XML is schema valid. For that use
the built-in schema checker by executing "/path/to/shibd -tc
/path/to/shibboleth2.xml". If it tells something like "Overall
configuration is ok", the daemon should be able to load it. Otherwise,
you will be told what is wrong in the file.

Cheers
Lukas

--
SWITCH
Serving Swiss Universities
--------------------------

Lukas Haemmerle, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
lukas.h...@switch.ch, http://www.switch.ch

Deepesh Shah

Jul 9, 2009, 9:51:39 AM
to shibbole...@internet2.edu
Lukas,

not sure how the extra < appeared before the site id attribute but
trust me it is not there in the configuration file.

instead of pasting the file I am attaching the .XML file for your
reference.

please help


Regards,

Deepesh

-----Original Message-----
From: Lukas Haemmerle [mailto:lukas.h...@switch.ch]
Sent: 09 July 2009 10:44
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] testing Shibboleth against testshib.org

Hello Deepesh

Cheers
Lukas

--


shibboleth2.xml

Scott Cantor

Jul 9, 2009, 11:01:08 AM
to shibbole...@internet2.edu
> when I run shibd.exe -check
>
> I get the message
>
>
> C:\opt\shibboleth-sp\sbin>shibd.exe -check
> 2009-07-09 10:30:56 ERROR XMLTooling.ParserPool : error on line 21, column 91, message: Attribute 'host' is not declared for element 'Site'

Is there something unclear about that, or in the documentation?

https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI

"host" is not a legal attribute in that element, just remove it.

> below are some lines from the shibd.log file which does not indicate any
> problems or error messages

shibd doesn't use ISAPI-specific settings.

-- Scott
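
An added example, not part of the thread and not Shibboleth project code: a small pre-flight lint for shibboleth2.xml that mirrors the checks discussed above, in the order Lukas gives them (well-formedness first), then the two mistakes Scott points out (an undeclared attribute on Site, and a URL where a hostname belongs). The allowed attribute set and the function name are assumptions for illustration; the sample config is constructed from the fragments posted in the thread, and shibd's own schema check remains the authority.

```python
import xml.etree.ElementTree as ET

# Namespace of the SP configuration, as declared on <SPConfig> in the posted file.
NS = "{urn:mace:shibboleth:2.0:native:sp:config}"

# Assumption: attribute names accepted on <ISAPI>/<Site>. The thread shows
# id, name, scheme and sslport loading cleanly and 'host' being rejected.
ALLOWED_SITE_ATTRS = {"id", "name", "scheme", "port", "sslport"}


def lint_sp_config(xml_text, allowed_site_attrs=ALLOWED_SITE_ATTRS):
    """Return a list of human-readable findings (empty list means clean)."""
    # Step 1: well-formedness. Nothing else can be checked if this fails.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, col = exc.position
        return [f"not well-formed at line {line}, column {col}"]

    findings = []
    # Step 2: attributes on <Site> that the schema would reject.
    for site in root.iter(NS + "Site"):
        for attr in sorted(set(site.attrib) - set(allowed_site_attrs)):
            findings.append(
                f"Site id={site.get('id')}: undeclared attribute '{attr}'"
            )
    # Step 3: 'name' on <Site> and <Host> must be a bare hostname, not a URL.
    for tag in ("Site", "Host"):
        for el in root.iter(NS + tag):
            name = el.get("name", "")
            if "/" in name:
                findings.append(
                    f"{tag} name='{name}': URL where a hostname is expected"
                )
    return findings


# Constructed sample, trimmed from the configuration posted in the thread.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess logger="native.logger">
    <ISAPI normalizeRequest="true">
      <Site id="3" name="ssl.anatomy.tv" scheme="https" sslport="443" host="ssl.anatomy.tv"/>
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="https://ssl.anatomy.tv">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
</SPConfig>"""

# The "<<Site" variant from the first message, and a corrected variant.
BROKEN = SAMPLE.replace("<Site", "<<Site")
FIXED = (SAMPLE.replace(' host="ssl.anatomy.tv"', "")
               .replace('name="https://ssl.anatomy.tv"', 'name="ssl.anatomy.tv"'))

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_sp_config(text) or "clean")
```

A clean result here only means these three checks passed; the configuration should still be run through shibd's built-in check before restarting the service.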


Deepesh Shah

Jul 9, 2009, 12:11:25 PM
to shibbole...@internet2.edu
thanks Scott,

after removing the host.

if I try to run the https://ssl.anatomy.tv/shibboleth.sso

I get this


Shibboleth Error
ISAPI extension can only be invoked to process Shibboleth protocol requests.Make sure the mapped file extension doesn't match actual content.

back to where I started originally

and the windows event viewer reports this

Event Type: Error
Event Source: Shibboleth ISAPI Filter
Event Category: None
Event ID: 2100
Date: 09/07/2009
Time: 17:08:58
User: N/A
Computer: PPWEB1
Description:
The description for Event ID ( 2100 ) in Source ( Shibboleth ISAPI Filter ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: ISAPI extension can only be invoked to process Shibboleth protocol requests.Make sure the mapped file extension doesn't match actual content..

I checked the filter; all its dependencies are there. Does the above error mean that it is not finding the IDP?


below is the registration info at the testidp.org
_______________________________________________________________________________________________


<?xml version="1.0" encoding="UTF-16"?>
<md:EntityDescriptor entityID="https://ssl.anatomy.tv/shibboleth" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ssl.anatomy.tv/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ssl.anatomy.tv/Shibboleth.sso/SAML2/POST" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://ssl.anatomy.tv/Shibboleth.sso/SAML2/POST-SimpleSign" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://ssl.anatomy.tv/Shibboleth.sso/SAML2/Artifact" index="4"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://ssl.anatomy.tv/Shibboleth.sso/SAML2/Artifact" index="5"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://ssl.anatomy.tv/Shibboleth.sso/SAML/POST" index="6"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.1:profiles:browser-post" Location="http://ssl.anatomy.tv/Shibboleth.sso/SAML/POST" index="7"/>
</md:SPSSODescriptor>
<md:Organization xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:OrganizationName xml:lang="en">ssl.anatomy.tv</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">TestShib SP</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">http://ssl.anatomy.tv/</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:GivenName>Deepesh</md:GivenName>
<md:SurName>Shah</md:SurName>
<md:EmailAddress>ds...@openidp.org</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
____________________________________________________________________________________________

Regards,

Deepesh

https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI

-- Scott


Peter Schober

Jul 9, 2009, 12:15:14 PM
to shibbole...@internet2.edu
* Deepesh Shah <dee...@primalpictures.com> [2009-07-09 18:12]:

> if I try to run the https://ssl.anatomy.tv/shibboleth.sso
>
> I get this

Where exactly does it say that this should produce anything else?
Try https://ssl.anatomy.tv/Shibboleth.sso/Status or
https://ssl.anatomy.tv/Shibboleth.sso/Session
(The latter probably isn't too interesting until a session exists, the
former only works if the HTTP client's IP is explicitly allowed to
access the status handler).
-peter

Deepesh Shah

Jul 9, 2009, 12:28:28 PM
to shibbole...@internet2.edu
ok, great, when I access https://ssl.anatomy.tv/Shibboleth.sso/Status
it asks for a username / password & when I check
https://ssl.anatomy.tv/Shibboleth.sso/Session it displays that a valid session
is found.

what are the next steps to integrate with a proper IDP?


Regards,

Deepesh


Scott Cantor

Jul 9, 2009, 12:35:48 PM
to shibbole...@internet2.edu
Deepesh Shah wrote on 2009-07-09:
> what are the next steps to integrate with a proper IDP?

- joining a federation (or federations) with the IdPs you care about
- figuring out the attribute requirements for the service
- dealing with the IdP discovery problem in some fashion so that users can
select the IdP they need to use

Those are the big ones.

-- Scott

