From: D B. <ba...@aw...> - 2017-11-07 14:12:00
Hi,
On 06/11/17 22:56, Krzysztof Benedyczak wrote:
>> However, I still can't get Unity to sign the AuthnRequests.
>>
> OK, so Unity is using Shib IdP. From Shib PoV Unity is an *SP*.
Yes
>> unity.saml.requester.defaultSignRequest=true
> -> no problem here but this setting will be used only for IdPs which
> were not configured with metadata. So in your case - never.
OK, good to know - thanks :-)
>> unity.saml.requester.metadataSource=${CONF}/sp-metadata.xml
> ^ -> this one is Unity's own metadata
Yes
>> unity.saml.requester.requesterEntityId=https://unity-service-provider
>> unity.saml.requester.metadataSource.umsso.url=file:///etc/unity-idm/idp-metadata.xml
>>
> ^ -> this will be config of your trusted IdP. Is this your Shib's IdP
> metadata?
Yes
>> So I'm configuring both SP and IDP via XML metadata files. The SP
>> metadata xml contains this tag:
>>
>> <md:SPSSODescriptor AuthnRequestsSigned="true"
>> WantAssertionsSigned="true"
>> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>
> This won't configure Unity's SP functioning. This will be only sent as
> your server's metadata and you should ensure that this config is
> consistent with your server.
By server you mean Unity?
I think I'm just not very clear on what parts of Unity are configurable
through metadata. I had assumed that Unity would configure its SAML SP
from the SP metadata. But it seems you're saying: SP metadata isn't used
to configure Unity at all but is just served at the configured metadata
URL. Is that correct?
So if I have
<SPSSODescriptor WantAssertionsSigned="true" ...>
in my SP metadata, I should also use this configuration parameter?
unity.saml.requester.requireSignedAssertion=true
> Assuming you configure your trusted IdP with metadata then it is covered
> by its SAML metadata. I.e. Shibboleth IdP metadata should tell Unity
> that Unity has to sign the request which will be sent to Shib.
> WantAuthnRequestsSigned="true" should be in IDP's descriptor.
Thanks! That helped, now my Unity SAML SP is signing its AuthnRequests! :-)
I guess adding a config option for this for the Unity SP would be
considered fluff, since signing AuthnRequests is of little use if the IdP
doesn't enforce signed AuthnRequests?
> You can also overwrite this in Unity config, by creating manual entries
> for your Shibboleth IdP.
But in that case I have to configure *everything* about this IDP through
the Unity config (and not with metadata), right?
> In any case make sure to enable DEBUG logging on configuration and saml
> logging facilities. This should help.
Thanks, using DEBUG on configuration is really helpful :-)
Thanks,
D.
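As an added example (not from this thread or the Unity project), here is a small Python check that reads the two signing flags discussed above from the SP and IdP metadata and compares them with the Unity requester properties, flagging the case where the served SP metadata promises more than Unity will actually enforce. The metadata documents, the IdP entityID and the properties text are constructed samples, and the check does not model manual per-IdP overrides in the Unity config.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata (not from the thread), trimmed to the relevant descriptors.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://unity-service-provider">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed Unity requester properties, as lines of a properties file.
UNITY_CONF = """unity.saml.requester.requesterEntityId=https://unity-service-provider
unity.saml.requester.requireSignedAssertion=false
"""


def metadata_flag(xml_text, descriptor, attr):
    """Read a boolean attribute from a role descriptor; SAML metadata treats an omitted flag as false."""
    node = ET.fromstring(xml_text).find(f"{{{MD}}}{descriptor}")
    if node is None:
        raise ValueError(f"no {descriptor} in metadata")
    return node.get(attr, "false").lower() == "true"


def parse_unity_conf(text):
    """Minimal key=value parser for the Unity properties in the sample."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def check_signing(sp_xml, idp_xml, unity_conf):
    """Return findings where the served SP metadata promises more than Unity enforces."""
    conf = parse_unity_conf(unity_conf)
    findings = []
    # For a metadata-configured IdP, Unity signs AuthnRequests only if the
    # IdP's descriptor carries WantAuthnRequestsSigned="true".
    if (metadata_flag(sp_xml, "SPSSODescriptor", "AuthnRequestsSigned")
            and not metadata_flag(idp_xml, "IDPSSODescriptor", "WantAuthnRequestsSigned")):
        findings.append("AuthnRequestsSigned advertised, but IdP metadata lacks "
                        "WantAuthnRequestsSigned: Unity will not sign")
    # WantAssertionsSigned in served metadata is advertising only; the
    # requester property is what makes Unity reject unsigned assertions.
    require = conf.get("unity.saml.requester.requireSignedAssertion", "false").lower() == "true"
    if metadata_flag(sp_xml, "SPSSODescriptor", "WantAssertionsSigned") and not require:
        findings.append("WantAssertionsSigned advertised, but "
                        "unity.saml.requester.requireSignedAssertion is not true")
    return findings
```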