From: Krzysztof B. <kb...@un...> - 2017-11-06 21:56:19
Hi,

This is a little bit inconsistent:

On 03.11.2017 at 20:44, D Baum wrote:
> Hi!
>
> my Unity SAML SP authenticating against a Shibboleth IDP is almost
> working now :-)
> However, I still can't get Unity to sign the AuthnRequests.

OK, so Unity is using Shib IdP. From Shib PoV Unity is an *SP*.

> This is my Unity SAML configuration:
>
> unity.saml.requester.defaultSignRequest=true

-> no problem here, but this setting will be used only for IdPs which were not configured with metadata. So in your case - never.

> unity.saml.requester.metadataSource=${CONF}/sp-metadata.xml

^ -> this one is Unity's own metadata

> unity.saml.requester.requesterEntityId=https://unity-service-provider
> unity.saml.requester.metadataSource.umsso.url=file:///etc/unity-idm/idp-metadata.xml

^ -> this will be the config of your trusted IdP. Is this your Shib IdP's metadata?

> unity.saml.requester.metadataSource.umsso.perMetadataTranslationProfile=MySAMLInputProfile
> unity.saml.requester.metadataPath=unity-sp
> unity.saml.requester.requesterCredential=MYCRED
>
> So I'm configuring both SP and IDP via XML metadata files. The SP
> metadata xml contains this tag:
>
> <md:SPSSODescriptor AuthnRequestsSigned="true"
> WantAssertionsSigned="true"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

This won't configure Unity's SP functioning. This will only be sent as your server's metadata, and you should ensure that this config is consistent with your server.

> Because of AuthnRequestsSigned="true", the IDP expects signed
> AuthnRequests - but doesn't seem to get them. It complains in its logs
> when I try to log in:
>
> Message did not meet security requirements
> org.opensaml.ws.security.SecurityPolicyException: Inbound AuthnRequest
> was required to be signed but was not
>
> How can I switch on AuthnRequest signing for the Unity SAML SP?

Assuming you configure your trusted IdP with metadata, then it is covered by its SAML metadata. I.e. the Shibboleth IdP metadata should tell Unity that Unity has to sign the request which will be sent to Shib. WantAuthnRequestsSigned="true" should be in the IDP's descriptor.

You can also overwrite this in the Unity config, by creating manual entries for your Shibboleth IdP.

In any case, make sure to enable DEBUG logging on the configuration and saml logging facilities. This should help.

HTH,
Krzysztof
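The mismatch discussed in this thread (SP metadata advertising AuthnRequestsSigned="true" while the IdP metadata that actually drives a metadata-configured Unity SP lacks WantAuthnRequestsSigned="true") can be caught before deployment by comparing the two files. The following is an added example, not code from the thread or from the Unity project; the metadata documents are constructed, and the IdP entityID is a placeholder.

```python
# Added example (not from the thread or Unity): check that SP and IdP SAML
# metadata agree on AuthnRequest signing. Sample metadata is constructed.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def _flag(root, descriptor, attr):
    """Boolean value of `attr` on the first <md:descriptor>; None if the attribute is absent."""
    node = root.find(f".//{{{MD_NS}}}{descriptor}")
    if node is None:
        raise ValueError(f"no {descriptor} element in metadata")
    value = node.get(attr)
    return None if value is None else value.strip().lower() == "true"


def check_signing(sp_metadata: str, idp_metadata: str) -> list:
    """Compare SP AuthnRequestsSigned with IdP WantAuthnRequestsSigned.

    Returns human-readable findings; an empty list means the two files agree.
    """
    sp_signs = _flag(ET.fromstring(sp_metadata), "SPSSODescriptor", "AuthnRequestsSigned")
    idp_wants = _flag(ET.fromstring(idp_metadata), "IDPSSODescriptor", "WantAuthnRequestsSigned")
    findings = []
    if sp_signs and not idp_wants:
        # The case from the thread: Unity takes the signing requirement from the
        # IdP's metadata, so the SP's own advertisement alone changes nothing.
        findings.append("SP metadata advertises AuthnRequestsSigned=true, but IdP metadata "
                        "lacks WantAuthnRequestsSigned=true; a metadata-driven SP will not sign")
    if idp_wants and not sp_signs:
        findings.append("IdP metadata requires signed AuthnRequests, but the published SP "
                        "metadata does not advertise AuthnRequestsSigned=true")
    return findings


# Constructed SP metadata mirroring the descriptor quoted in the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://unity-service-provider">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed IdP metadata without WantAuthnRequestsSigned (placeholder entityID).
IDP_METADATA_MISSING = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# The same IdP metadata with the attribute the thread says should be present.
IDP_METADATA_FIXED = IDP_METADATA_MISSING.replace(
    "<md:IDPSSODescriptor ", '<md:IDPSSODescriptor WantAuthnRequestsSigned="true" ')

if __name__ == "__main__":
    for name, idp in (("missing", IDP_METADATA_MISSING), ("fixed", IDP_METADATA_FIXED)):
        print(name, check_signing(SP_METADATA, idp) or ["consistent"])
```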