No, that isn't how it works. I would advise you to read the SAML tech
overview.
> 1. Is this the right way to achieve SSO between multiple SPs?
See above. SSO between SPs has nothing to do with SAML, in point of fact.
It's a function of an IdP maintaining state and allowing a user to bypass
authentication. SAML "SSO" is between one IdP and one SP, then you rinse and
repeat.
> 2. I configured my SP metadata to receive the SAML artifact from the IDP but
> the IDP is still sending back an HTTP-Redirect with the assertion itself. Is
> there any other configuration that needs to be done?
For starters, reconsider the use of artifacts, which are more complex to use
than POST. Even more so with a non-Shibboleth SP.
Secondly, the IdP isn't sending back a redirect with an assertion, it
wouldn't fit. It's sending back a form to POST.
> Here is the AssertionConsumerService definition from my SP metadata:
The issue is what the SP asked the IdP to do, whether it supplied an
endpoint in the request to use, and a variety of other factors. If the IdP
is responding with the POST binding, then that's what the SP asked for. Just
having metadata for the artifact binding doesn't mean it will be used.
Without seeing the AuthnRequest, I couldn't guess at anything else. The
rules for binding selection are horrendously complex, which is one more
reason for dumping artifacts and just staying with POST.
-- Scott
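
An added example, not part of the original message and not Shibboleth's code: a small Python check of what an AuthnRequest actually asks the IdP to do, compared with the SP metadata, which is the first thing to inspect when the response arrives over a different binding than expected. It is a simplified reading of the endpoint selection rules (index, then URL/ProtocolBinding, then the metadata default), not the IdP's full logic. The function names, `sp.example.org` URLs and sample XML are constructed for illustration.

```python
import base64, zlib
import xml.etree.ElementTree as ET  # for untrusted XML, parse with defusedxml instead

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
B = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Constructed SP metadata: artifact endpoint is the default, POST is also listed.
SP_METADATA = f"""<md:SPSSODescriptor xmlns:md="{NS['md']}">
  <md:AssertionConsumerService index="0" isDefault="true"
      Binding="{B}HTTP-Artifact" Location="https://sp.example.org/acs/artifact"/>
  <md:AssertionConsumerService index="1"
      Binding="{B}HTTP-POST" Location="https://sp.example.org/acs/post"/>
</md:SPSSODescriptor>"""
# Constructed requests: one names the POST binding, one leaves the choice open.
REQ = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1" Version="2.0"%s/>'
REQ_ASKS_POST = REQ % f' ProtocolBinding="{B}HTTP-POST"'
REQ_NO_HINT = REQ % ""

def decode_redirect_request(value):
    """SAMLRequest query value (already URL-decoded): base64, then raw DEFLATE."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def default_acs(endpoints):
    """Default indexed endpoint: isDefault=true, else first without isDefault, else first."""
    for want in (("true", "1"), (None,)):
        for e in endpoints:
            if e.get("isDefault") in want:
                return e
    return endpoints[0]

def requested_endpoint(authn_request_xml, sp_metadata_xml):
    """Return (binding, location, why) for the ACS the request points the IdP at."""
    req = ET.fromstring(authn_request_xml)
    acs = ET.fromstring(sp_metadata_xml).findall(".//md:AssertionConsumerService", NS)
    index = req.get("AssertionConsumerServiceIndex")
    url, binding = req.get("AssertionConsumerServiceURL"), req.get("ProtocolBinding")
    if index is not None:
        match = [e for e in acs if e.get("index") == index]
        why = "index in request"
    elif url or binding:
        match = [e for e in acs if url in (None, e.get("Location"))
                 and binding in (None, e.get("Binding"))]
        why = "URL/binding in request"
    else:
        match, why = [default_acs(acs)], "metadata default"
    if not match:
        raise ValueError("request names an endpoint that is not in the SP metadata")
    return match[0].get("Binding"), match[0].get("Location"), why

if __name__ == "__main__":
    for name, xml in (("asks POST", REQ_ASKS_POST), ("no hint", REQ_NO_HINT)):
        print(name, "->", requested_endpoint(xml, SP_METADATA))
```

With this constructed metadata, the request that names the POST binding resolves to the POST endpoint even though the artifact endpoint is the metadata default; only the request with no hint falls back to artifact.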