2:32 p.m.
Dear all,
Does the SATOSA front end support HTTP-POST bindings? It isn't clear
from the code or documentation whether a HTTP-POST binding is supported
by the front end---or if it is, how to configure it.
I want to integrate Tableau with our VO, but it's throwing the following
error:
HTTP Status 500 -
org.opensaml.saml2.metadata.provider.MetadataProviderException: User
specified binding is not supported by the Identity Provider using
profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
The IdP metadata for SATOSA includes a HTTP-Redirect binding:
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://satosa/Saml2/sso/redirect"/>
According to this support forum thread, the solution is to specify a
HTTP-POST binding:
https://community.tableau.com/thread/145569
Best wishes,
Matthew
--
"The lyf so short, the craft so longe to lerne."
2:46 p.m.
Hi Matthew,
The different frontends are configured as their underlying
implementation allows. The SAML frontend is based on pysaml2 [0], so
you should be looking there for the appropriate setting.
In this case you should probably look at the 'preferred_binding'
configuration option. Documentation provided here[1] until it is
merged in the main repository.
[0]: https://github.com/rohe/pysaml2
[1]:
https://github.com/c00kiemon5ter/pysaml2/blob/6a7c7fac081d1b380e75f69ce4329…
Cheers,
On 7 September 2017 at 17:32, Matthew X. Economou <xenophon at irtnog.org> wrote:
Dear all,
Does the SATOSA front end support HTTP-POST bindings? It isn't clear
from the code or documentation whether a HTTP-POST binding is supported
by the front end---or if it is, how to configure it.
I want to integrate Tableau with our VO, but it's throwing the following
error:
HTTP Status 500 -
org.opensaml.saml2.metadata.provider.MetadataProviderException: User
specified binding is not supported by the Identity Provider using
profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
The IdP metadata for SATOSA includes a HTTP-Redirect binding:
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://satosa/Saml2/sso/redirect"/>
According to this support forum thread, the solution is to specify a
HTTP-POST binding:
https://community.tableau.com/thread/145569
Best wishes,
Matthew
--
"The lyf so short, the craft so longe to lerne."
_______________________________________________
Satosa-dev mailing list
Satosa-dev at lists.sunet.se
https://lists.sunet.se/listinfo/satosa-dev
--
Ivan Kanakarakis
3:09 p.m.
Ivan Kanakarakis writes:
In this case you should probably look at the
'preferred_binding'
configuration option.
It isn't clear from the linked code/documentation where to change this setting. Do I
set this in .../plugins/saml2_frontend.yaml in the config:idp_config dictionary? I also
see a key named config:idp_config:service:idp:endpoints:single_sign_on_service, currently
set to the empty list (`[]`).
--
"The lyf so short, the craft so longe to lerne."
5:14 p.m.
Am 07.09.2017 um 17:09 schrieb Matthew X. Economou
<xenophon at irtnog.org>:
Ivan Kanakarakis writes:
the config:idp_config key in SaToSa maps to CONFIG in the Pysaml2 example that Ivan
mentioned. At this place you can define the various endpoints. I have used HTTP/POST
binding for AuthnRequests in the past with pysaml2.
In this case you should probably look at the
'preferred_binding'
configuration option.
It isn't clear from the linked code/documentation where to change this setting. Do I
set this in .../plugins/saml2_frontend.yaml in the config:idp_config dictionary? I also
see a key named config:idp_config:service:idp:endpoints:single_sign_on_service, currently
set to the empty list (`[]`).
12:14 a.m.
Rainer Hoerbe writes:
the config:idp_config key in SaToSa maps to CONFIG in
the Pysaml2
example that Ivan mentioned. At this place you can define the various
endpoints. I have used HTTP/POST binding for AuthnRequests in the past
with pysaml2.
Like the following?
config:
idp_config:
preferred_binding:
single_sign_on_service:
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Or is there more to the configuration than that?
--
"The lyf so short, the craft so longe to lerne."
3:12 p.m.
Am 08.09.2017 um 02:14 schrieb Matthew X. Economou
<xenophon at irtnog.org>:
Rainer Hoerbe writes:
You need to configure endpoints to generate complete metadata. For the moment I can only
copy paste a JSON config file from a predecessor of SaToSa:
BASE = "https://%s:%s" % (HOST, PORT)
...
"idp": {
"name": "Test PEFIM IdP",
"want_authn_requests_signed": True,
"want_authn_requests_only_with_valid_cert": True,
"sign_response": True,
"sign_assertion": False,
"verify_encrypt_cert": verify_encrypt_cert,
"encrypt_assertion": True,
"endpoints": {
"single_sign_on_service": [
("%s/sso/redirect" % BASE, BINDING_HTTP_REDIRECT),
("%s/sso/post" % BASE, BINDING_HTTP_POST),
("%s/sso/art" % BASE, BINDING_HTTP_ARTIFACT),
("%s/sso/ecp" % BASE, BINDING_SOAP)
],
"single_logout_service": [
("%s/slo/soap" % BASE, BINDING_SOAP),
("%s/slo/post" % BASE, BINDING_HTTP_POST),
("%s/slo/redirect" % BASE, BINDING_HTTP_REDIRECT)
],
},
Do not take this snippet verbatim, use it for orientation only.
- Rainer
the config:idp_config key in SaToSa maps to
CONFIG in the Pysaml2
example that Ivan mentioned. At this place you can define the various
endpoints. I have used HTTP/POST binding for AuthnRequests in the past
with pysaml2.
Like the following?
config:
idp_config:
preferred_binding:
single_sign_on_service:
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Or is there more to the configuration than that?
2444
days inactive
2445
days old
5 comments
3 participants
participants (3)
-
ivan@grnet.gr -
rainer@hoerbe.at -
xenophon@irtnog.org