SP support for urn:ietf:params:xml:ns:samlec ACS Binding #25

nawatts · 2016-09-12T18:18:59Z

https://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-ec-13 specifies:

If metadata is used, a SASL service's role MUST contain a corresponding whose Location attribute contains the appropriate service name, as described above. The Binding attribute MUST be one of "urn:ietf:params:xml:ns:samlec" (RECOMMENDED) or "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" (for compatibility with older implementations of the ECP profile in existing identity provider software).

It appears that the SP does not support ECP requests using the samlec ACS binding. See shibsp/handler/impl/SAML2SessionInitiator.cpp#L282

ACS = app.getAssertionConsumerServiceByIndex(atoi(prop.second));
if (!ACS)
    request.log(SPRequest::SPWarn, "invalid acsIndex specified in request, using acsIndex property");
else if (ECP && !XMLString::equals(ACS->getString("Binding").second, samlconstants::SAML20_BINDING_PAOS)) {
    request.log(SPRequest::SPWarn, "acsIndex in request referenced a non-PAOS ACS, using default ACS location");
    ACS = nullptr;
}

Part of #13

The text was updated successfully, but these errors were encountered:

nawatts mentioned this issue Sep 19, 2016

Use urn:ietf:params:xml:ns:samlec AssertionConsumerService Binding #24

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SP support for urn:ietf:params:xml:ns:samlec ACS Binding #25

SP support for urn:ietf:params:xml:ns:samlec ACS Binding #25

nawatts commented Sep 12, 2016 •

edited

SP support for urn:ietf:params:xml:ns:samlec ACS Binding #25

SP support for urn:ietf:params:xml:ns:samlec ACS Binding #25

Comments

nawatts commented Sep 12, 2016 • edited

nawatts commented Sep 12, 2016 •

edited