#162 ipsilon-client-install fails to add mellon AssertionConsumerService for PAOS
Closed: Fixed None Opened 4 years ago by jdennis.

mod_auth_mellon will not be able to perform ECP unless an AssertionConsumerService with the PAOS binding is defined for the SP.


Fields changed

owner: => jdennis
status: new => assigned

Define PAOS AssertionConsumerService in ipsilon-client-install

A SAML SP will not be able to perform ECP unless an
AssertionConsumerService for the PAOS binding has been defined in its
metadata. The PAOS AssertionConsumerService participates in the ECP
protocol exchange, specifically it's where the ECP client sends the
IdP Assertion.

If lasso starts to engage in an ECP transaction by trying to generate a
Samlp:AuthnRequest and no PAOS AssertionConsumerService is defined in
the SP metadata it will fail with an unknown provider error.

Note, AssertionConsumerService elements are indexed endpoints, there
may be one per protocol binding. Now that there is more than 1
AssertionConsumerService we set the isDefault flag to True on the
existing post response at index 0. This isn't strictly necessary
because the spec says if the default flag isn't set on any
AssertionConsumerService endpoint then the first one is selected, but
it's good practice anyway.

FWIW, if mod_auth_mellon is not configured with metadata then
mod_auth_mellon will generate its own metadata which includes the
PAOS AssertionConsumerService. However in ipsilon-client we generate
the SP metadata and were failing to add the PAOS
AssertionConsumerService, something mellon would have done
automatically for us. This is why this bug was only first seen using
ipsilon-client-install.
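The comment above describes the shape the SP metadata must have: indexed AssertionConsumerService endpoints, one per binding, with the HTTP-POST endpoint at index 0 marked isDefault and a second endpoint for the PAOS binding. The following added example (not Ipsilon's or mod_auth_mellon's own code) builds such an SPSSODescriptor with the standard library and, more usefully for an operator, checks an existing metadata document for the condition this ticket is about: a missing PAOS endpoint, duplicate indexes, or more than one default. The entity ID, base URL and the `/postResponse` and `/paosResponse` path suffixes are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace and the two binding URIs involved in ECP.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
MD = "{%s}" % NS["md"]
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"


def build_sp_metadata(entity_id, base_url, include_paos=True):
    """Return SP metadata XML as a string.

    index 0 is the HTTP-POST endpoint, explicitly marked isDefault; when
    include_paos is True a PAOS endpoint is added at index 1 so the SP can
    take part in an ECP exchange. include_paos=False reproduces the broken
    metadata the ticket describes. Path suffixes are assumptions.
    """
    ET.register_namespace("md", NS["md"])
    ed = ET.Element(MD + "EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, MD + "SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, MD + "AssertionConsumerService",
                  Binding=BINDING_POST, Location=base_url + "/postResponse",
                  index="0", isDefault="true")
    if include_paos:
        ET.SubElement(sp, MD + "AssertionConsumerService",
                      Binding=BINDING_PAOS, Location=base_url + "/paosResponse",
                      index="1")
    return ET.tostring(ed, encoding="unicode")


def check_acs(metadata_xml):
    """Inspect the AssertionConsumerService endpoints of SP metadata.

    Returns a list of problem strings; an empty list means the metadata is
    ECP-capable and its indexed endpoints are consistent.
    """
    root = ET.fromstring(metadata_xml)
    acs = root.findall(".//md:AssertionConsumerService", NS)
    bindings = [e.get("Binding") for e in acs]
    indexes = [e.get("index") for e in acs]
    defaults = [e for e in acs if e.get("isDefault", "false").lower() == "true"]

    problems = []
    if not acs:
        problems.append("no AssertionConsumerService at all")
    if BINDING_PAOS not in bindings:
        problems.append("no PAOS AssertionConsumerService: ECP will fail with an unknown provider error")
    if len(indexes) != len(set(indexes)):
        problems.append("duplicate AssertionConsumerService index values")
    if len(defaults) > 1:
        problems.append("more than one AssertionConsumerService marked isDefault")
    if len(acs) > 1 and not defaults:
        # Allowed by the spec (first endpoint wins), but flagged as the
        # comment recommends setting the flag explicitly.
        problems.append("several endpoints but none marked isDefault; the first one will be used")
    return problems


def ecp_capable(metadata_xml):
    """True when the metadata carries a PAOS AssertionConsumerService."""
    return not any("PAOS" in p for p in check_acs(metadata_xml))


if __name__ == "__main__":
    # Constructed values, not taken from any real deployment.
    bad = build_sp_metadata("https://sp.example.com/saml", "https://sp.example.com/mellon", include_paos=False)
    good = build_sp_metadata("https://sp.example.com/saml", "https://sp.example.com/mellon")
    print("broken metadata :", check_acs(bad))
    print("fixed metadata  :", check_acs(good) or "ok")
```

Pointing `check_acs` at the metadata file a client install wrote (for example the one handed to mod_auth_mellon) is a quick way to confirm the PAOS endpoint is present before turning on ECP for that SP.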


A patch has been pushed to my fedorapeople ipsilon repo (jdennis@fedorapeople.org:public_git/ipsilon.git) in the client-paos branch

patch_available: 0 => 1

Fields changed

milestone: => 1.1

master: 085d5b1

resolution: => fixed
status: assigned => closed

Metadata Update from @rcritten:
- Issue assigned to jdennis
- Issue set to the milestone: 1.1

3 years ago
