[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [wsf-dev] Please, help me with the ECP Plugin for Firefox



Lara Cancela <lcancela.itt.android@xxxxxxxxx> said:
> I write you because I've been several days since I wrote trying to run the
> plugin ECP "to" Firefox "with the idp and sp university and I can not do
> what it says file documentation README.pdf, I mean, I'm not able to
> introduce the SP Associations!!!
> 
> At the university have been used for the library IDP "Authentic", not
> "Shibboleth", and the SP with the library ZXID!

As always, specific versions numbers of ECP plugin, IdP, and SP tookit would be helpful.

> I write down here what I'm doing exactly ..
> 
> I add an IdP with de name: "UC3M Prueba" and I introduce the two dates about
> the IdP:
> 
> -Provider ID = https://idp.gast.it.uc3m.es:5443/saml/metadata.xml
> -Authentication URI = https://idp.gast.it.uc3m.es:5443/login
> 
> Then I try to introduce the "Service Provider Associations" but I can't.
> 
> After, I write on my firefox browser the next address:
> https://sp.gast.it.uc3m.es:8443/zxid
> 
> and I get completing the SSO process but the ECP Plugin does nothing!! I
> would like the ECP plugin showed me  "The "SP Associations tab" 

You say "I get completing the SSO". You mean the SSO completed successfully?
Are you saying it was successful, but perhaps with binding different from ECP?
Did you observe any POST binding JavaScript submitted page blink between
the submission of authentication at the IdP and landing on the SP in logged in state?

Generally ECP is triggered by very specific set of HTTP headers. If the headers
are not in place (from ECP plugin side), the SP will default to using one of the
other bindings, most often POST.

Sniff the traffic between browser and SP and IdP.
Look for HTTP header PAOS: urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp
in communications from browser to SP (and IdP).
Then look if the SP sends response with Content-Type: application/vnd.paos+xml

Finally, double check the SP metadata: it should contain line like
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://sp.tas3.pt:8081/zxidhrxmlwsp?o=P"; index="4"/>
to indicate SP's willingness and ability to use ECP. ZXID.org SP has this
turned on by default.

In IdP metadata you should check for something like
<m:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.cellmail.com:443/IDP-F"/>

> I thought it could be because one of these two reasons:
> 
> 1) The University IdP is installed and configured with authentic library (no
> Shibboleth)

ECP is part of SAML2 spec. Using any SAML2 compliant IdP should work. To
understand better what actually happened, I would recommend building
a test setup where both IdP and SP are plain html and then applying
wireshark to sniff the sequence of HTTP requests that happens.

Let us know what you observe.

Cheers,
--Sampo

> 2) The plugin code has some error (I think for that reason because I
> downloaded it on the page "
> http://openliberty.svn.sourceforge.net/viewvc/openliberty/SAMLv2/ECP/FirefoxPlugin/trunk/
> ")
> 
> and only changed the em:id in the "install.rdf" file 
> 
> I hope your answer!!
> 
> Thanks a lot, LARA.
> _______________________________________________
> Wsf-dev mailing list
> Wsf-dev@xxxxxxxxxxxxxxxxxxxxx
> http://lists.openliberty.org/mailman/listinfo/wsf-dev