mod_auth_mellon will not be able to perform ECP unless an AssertionConsumerService with the PAOS binding is defined for the SP.
Fields changed
owner: => jdennis status: new => assigned
Define PAOS AssertionConsumerService in ipsilon-client-install
A SAML SP will not be able to perform ECP unless an AssertionConsumerService for the PAOS binding has been defined in its metadata. The PAOS AssertionConsumerService participates in the ECP protocol exchange; specifically, it's where the ECP client sends the IdP Assertion.
If lasso starts to engage in an ECP transaction by trying to generate a Samlp:AuthnRequest and no PAOS AssertionConsumerService is defined in the SP metadata, it will fail with an unknown provider error.
Note, AssertionConsumerService elements are indexed endpoints; there may be one per protocol binding. Now that there is more than 1 AssertionConsumerService we set the isDefault flag to True on the existing post response at index 0. This isn't strictly necessary because the spec says if the default flag isn't set on any AssertionConsumerService endpoint then the first one is selected, but it's good practice anyway.
FWIW, if mod_auth_mellon is not configured with metadata then mod_auth_mellon will generate its own metadata which includes the PAOS AssertionConsumerService. However, in ipsilon-client we generate the SP metadata and were failing to add the PAOS AssertionConsumerService, something mellon would have done automatically for us. This is why this bug was only first seen using ipsilon-client-install.
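The metadata condition described in the commit message above, as an added example that is not part of the ticket or the Ipsilon patch: it checks SP metadata for a PAOS AssertionConsumerService, adds one at the next free index if it is missing, and marks the existing lowest-indexed endpoint as the default. The function name `ensure_paos_acs`, the sample metadata, and the `sp.example.com` URLs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
ACS = f"{{{MD_NS}}}AssertionConsumerService"

# Constructed sample metadata: an SP that only declares an HTTP-POST endpoint.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml2/metadata">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml2/postResponse"/>
    <AttributeConsumingService index="0">
      <ServiceName xml:lang="en">sp</ServiceName>
      <RequestedAttribute Name="uid"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>"""


def ensure_paos_acs(metadata_xml, paos_location):
    """Return (xml, changed); add a PAOS endpoint if the SP has none."""
    ET.register_namespace("", MD_NS)  # serialize without ns0: prefixes
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    endpoints = sp.findall(ACS)
    if any(e.get("Binding") == PAOS for e in endpoints):
        return metadata_xml, False  # ECP-capable already, leave untouched
    # With more than one endpoint, make the default explicit on the
    # lowest-indexed existing one (the POST response at index 0 here).
    if endpoints and not any(e.get("isDefault") in ("true", "1") for e in endpoints):
        min(endpoints, key=lambda e: int(e.get("index"))).set("isDefault", "true")
    next_index = max((int(e.get("index")) for e in endpoints), default=-1) + 1
    paos = ET.Element(ACS, {"index": str(next_index), "Binding": PAOS,
                            "Location": paos_location})
    # Schema order: every AssertionConsumerService precedes
    # AttributeConsumingService, so insert right after the last endpoint.
    children = list(sp)
    pos = children.index(endpoints[-1]) + 1 if endpoints else len(children)
    sp.insert(pos, paos)
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    print(ensure_paos_acs(SAMPLE, "https://sp.example.com/saml2/paosResponse")[0])
```

Running the function a second time on its own output returns the metadata unchanged, so it can be used as a pre-deployment check on generated SP metadata.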
A patch has been pushed to my fedorapeople ipsilon repo (jdennis@fedorapeople.org:public_git/ipsilon.git) in the client-paos branch.
patch_available: 0 => 1
milestone: => 1.1
master: 085d5b1
resolution: => fixed status: assigned => closed
Metadata Update from @rcritten: - Issue assigned to jdennis - Issue set to the milestone: 1.1