
Problem with Step 4 of ECP SAML Profile




Hello,

I am writing to you because I'm implementing an Enhanced Client (SAML Profile) on
the Android platform, and I'd like to ask a question about Step 4 (SOAP
Binding).

We have got the Enhanced Client communicating successfully with the IdP and the
SP, modifying the IdP metadata and SP metadata, with support for SOAP and PAOS
bindings. We use the open-source libraries ZXID and Authentic (IdM Library).

I mean, we're trying to develop exactly the same steps of the ECP Profile,
according to the SAML documents of 2005 and 2010 (Profiles for the OASIS
Security and Enhanced Client or Proxy Profile), but we have a problem with the
HTTPS request to the IdP, with the SOAP binding.

We have managed to execute steps 1, 2 and 3 successfully, but when we go
to send the <AuthnRequest> message, we build the following request to the IdP:

* STEP 4

POST /saml/singleSignOnSOAP HTTP/1.1
Host: idp.gast.it.uc3m.es
Content-Type: application/vnd.soap+xml
Content-Length: 413

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Header></S:Header>
<S:Body>
<sp:AuthnRequest xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="NbNrpH3io" IssueInstant="2011-04-06T18:21:51Z"
ProviderName="ZXID Demo SP" Version="2.0">
<sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.gast.it.uc3m.es:8443/cgi-bin/zxid?o=B</sa:Issuer>
</sp:AuthnRequest>
</S:Body>
</S:Envelope>

We get the IdP URL for the SOAP binding and the ECP service (where we send
the SOAP request) by parsing the IdP metadata:

<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.gast.it.uc3m.es:5443/saml/singleSignOnSOAP"/>

We built the previous request by changing the SP response (from PAOS
binding to SOAP binding, and removing the correct headers according to the
standard), which has the following content:

* STEP 2

HTTP/1.1 200 OK
Date: Wed, 06 Apr 2011 18:21:49 GMT
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_scgi/1.12 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Content-Length: 1241
Content-Type: application/vnd.paos+xml

<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
<e:Header>
<paos:Request
xmlns:paos="urn:liberty:paos:2006-08"
responseConsumerURL="https://sp.gast.it.uc3m.es:8443/cgi-bin/zxid?o=P"
service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
e:actor="http://schemas.xmlsoap.org/soap/actor/next"
e:mustUnderstand="1">
</paos:Request>
<ecp:Request
xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
ProviderName="https://sp.gast.it.uc3m.es:8443/cgi-bin/zxid?o=B"
e:actor="http://schemas.xmlsoap.org/soap/actor/next" e:mustUnderstand="1">
<sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.gast.it.uc3m.es:8443/cgi-bin/zxid?o=B</sa:Issuer>
<sp:IDPList
xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol">
<sp:IDPEntry
Loc="https://idp.gast.it.uc3m.es:5443/saml/singleSignOnSOAP"
ProviderID="https://idp.gast.it.uc3m.es:5443/saml/metadata">
</sp:IDPEntry>
</sp:IDPList>
</ecp:Request>
</e:Header>
<e:Body>
<sp:AuthnRequest
xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol" ID="N0BgbJ6s8"
IssueInstant="2011-05-14T09:50:08Z" ProviderName="ZXID Demo SP"
Version="2.0">
<sa:Issuer xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.gast.it.uc3m.es:8443/cgi-bin/zxid?o=B</sa:Issuer>
</sp:AuthnRequest>
</e:Body>
</e:Envelope>

But in Step 4 the Authentic IdP returns an HTML error page
(text/html) instead of a SAML Response message to the IdP. We're trying
to solve the script exception of the IdP (authentic.liberty.root.SOAPError),
but maybe you could help us understand why the IdP doesn't support this SOAP
request (<AuthnRequest> SAML message)!!

Thanks a lot!!

Best Regards,

Lara.
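
The conversion described in the message above (taking the SP's PAOS response from Step 2 and producing the SOAP envelope sent to the IdP in Step 4), as an added example that is not part of the original post and is not ZXID or Authentic code. The function name paos_to_soap is hypothetical and the sample envelope is an abridged copy of the Step 2 message; the function also returns responseConsumerURL so the client can keep it for the later steps.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2006-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
UNDERSTOOD = {f"{{{PAOS}}}Request", f"{{{ECP}}}Request"}
ET.register_namespace("S", SOAP)
ET.register_namespace("samlp", SAMLP)

# Constructed sample: abridged from the Step 2 response quoted in the post.
SP_PAOS_RESPONSE = """<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
<e:Header>
<paos:Request xmlns:paos="urn:liberty:paos:2006-08" e:mustUnderstand="1"
 e:actor="http://schemas.xmlsoap.org/soap/actor/next"
 service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 responseConsumerURL="https://sp.gast.it.uc3m.es:8443/cgi-bin/zxid?o=P"/>
<ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 e:mustUnderstand="1" e:actor="http://schemas.xmlsoap.org/soap/actor/next"/>
</e:Header>
<e:Body>
<sp:AuthnRequest xmlns:sp="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="N0BgbJ6s8" IssueInstant="2011-05-14T09:50:08Z" Version="2.0"/>
</e:Body>
</e:Envelope>"""

def paos_to_soap(paos_xml):
    """Return (soap_envelope_bytes, responseConsumerURL) for the IdP request."""
    env = ET.fromstring(paos_xml)
    header = env.find(f"{{{SOAP}}}Header")
    body = env.find(f"{{{SOAP}}}Body")
    if env.tag != f"{{{SOAP}}}Envelope" or header is None or body is None:
        raise ValueError("not a SOAP 1.1 envelope with Header and Body")
    # SOAP rule: a mustUnderstand="1" block we do not process is a fault.
    for block in header:
        if block.get(f"{{{SOAP}}}mustUnderstand") == "1" and block.tag not in UNDERSTOOD:
            raise ValueError(f"unsupported mandatory header {block.tag}")
    paos_req = header.find(f"{{{PAOS}}}Request")
    if paos_req is None or paos_req.get("service") != ECP:
        raise ValueError("missing paos:Request for the ECP service")
    requests = list(body)
    if len(requests) != 1 or requests[0].tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("Body must hold exactly one samlp:AuthnRequest")
    # New envelope: same Body child, none of the SP's header blocks.
    out = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(out, f"{{{SOAP}}}Body").append(requests[0])
    return ET.tostring(out, encoding="utf-8"), paos_req.get("responseConsumerURL")
```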