APEX 21.2 SAML Authentication with Shibboleth IdP

sbrennan Member Posts: 25 Blue Ribbon
edited Jan 19, 2022 11:04AM in APEX Discussions

Hi

Has anybody successfully configured SAML authN with a Shibboleth IdP (or any IdP for that matter; no luck with WSO2 Identity Server because of bug #33670264)?

The AuthnRequest POST request from APEX to the Shibboleth IdP does not contain a "Destination" attribute in the <samlp:AuthnRequest .../> element and so fails with the message:

Looking at the logs for the Shibboleth IdP I see the messages:

shib-idp;idp-process.log;dev;nothing;2022-01-19 10:41:43,377 - 172.19.0.1 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:170] - Message Handler: SAML message intended destination endpoint URI required by binding was empty

shib-idp;idp-warn.log;dev;nothing;2022-01-19 10:41:43,377 - 172.19.0.1 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:170] - Message Handler: SAML message intended destination endpoint URI required by binding was empty

shib-idp;idp-warn.log;dev;nothing;2022-01-19 10:41:43,378 - 172.19.0.1 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message

shib-idp;idp-warn.log;dev;nothing;org.opensaml.messaging.handler.MessageHandlerException: SAML message intended destination (required by binding) was not present

As you can see, the "Destination" attribute is missing and is required by the Shibboleth IdP.

I checked using a POST from a Shibboleth SP to a Shibboleth IdP and sure enough a Destination attribute is present in the AuthnRequest.

Checking the request from APEX to the Shibboleth IdP, no Destination attribute exists.

Thanks

Stephen
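The IdP errors quoted above come from Shibboleth's ReceivedEndpointSecurityHandler, which refuses a SAML message whose Destination attribute is absent or does not match the endpoint the message actually arrived at. The following is an added example (not code from the post, from APEX or from Shibboleth) that performs the same two checks on an AuthnRequest, so you can inspect what an SP is sending before it reaches the IdP. The two AuthnRequest documents and the IdP endpoint URL are constructed placeholders, not values taken from the post.

```python
"""Check a SAML 2.0 AuthnRequest for the Destination attribute that an IdP's
endpoint-security check (Shibboleth's ReceivedEndpointSecurityHandler) requires.

Added example; the messages and endpoint URL below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder IdP SSO endpoint (an assumption, not a value from the post).
IDP_SSO_ENDPOINT = "https://idp.example.org/idp/profile/SAML2/POST/SSO"

# Constructed AuthnRequest with no Destination attribute, the shape the post describes.
REQUEST_WITHOUT_DESTINATION = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_req1" Version="2.0" IssueInstant="2022-01-19T10:41:43Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.org/saml/acs">'
    "<saml:Issuer>https://sp.example.org</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

# Constructed AuthnRequest that carries Destination, as a Shibboleth SP sends it.
REQUEST_WITH_DESTINATION = REQUEST_WITHOUT_DESTINATION.replace(
    'ID="_req1"', f'Destination="{IDP_SSO_ENDPOINT}" ID="_req2"'
)


def _same_endpoint(url_a: str, url_b: str) -> bool:
    """Compare scheme, host:port and path; query strings are ignored."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme.lower(), a.netloc.lower(), a.path) == (
        b.scheme.lower(), b.netloc.lower(), b.path
    )


def check_destination(authn_request_xml: str, received_at: str) -> tuple[bool, str]:
    """Return (ok, reason) for the Destination check an IdP applies.

    received_at is the URL the IdP actually received the POST on; the message
    must both carry a Destination and name that same endpoint.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, "not a samlp:AuthnRequest"
    destination = root.get("Destination")  # unprefixed attribute on the root element
    if not destination:
        return False, "Destination attribute missing"
    if not _same_endpoint(destination, received_at):
        return False, "Destination does not match the endpoint that received the message"
    return True, "Destination present and matches the receiving endpoint"


if __name__ == "__main__":
    for label, req in (("without", REQUEST_WITHOUT_DESTINATION),
                       ("with", REQUEST_WITH_DESTINATION)):
        print(label, check_destination(req, IDP_SSO_ENDPOINT))
```

To use it on a real message, base64-decode the SAMLRequest form field from the browser POST (the HTTP-POST binding does not deflate it) and pass the resulting XML together with the IdP SSO URL the form targets. A missing attribute reproduces the first error in the post's log; a mismatch (for example an http:// Destination behind a TLS-terminating proxy) produces a different Shibboleth error, which is worth ruling out separately.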
