Add ignoreNoPassive attribute to SSO element

Description

The <md:AssertionConsumerService> configuration element takes an optional attribute conf:ignoreNoPassive to allow the SP to treat passive login failures as successful (useful for "opportunistic" SSO with a single IdP).

It would be helpful if this were exposed on the <SSO> configuration element shortcut/macro so that one needn't generate ACS elements by hand just to use ignoreNoPassive.

(Even better if the conf: namespace prefix could be omitted.)
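To make the two configuration styles concrete, here is an added shibboleth2.xml fragment that is not part of this issue or of the Shibboleth project's own documentation. It shows the hand-written form the reporter wants to avoid (an explicit <md:AssertionConsumerService> carrying conf:ignoreNoPassive) beside the <SSO> shortcut form with the attribute placed directly on <SSO>, which relies on the behaviour this issue requests (attributes on <SSO> being propagated into the generated endpoints, with or without the conf: prefix). The entityIDs, handler paths, and the ACS index are constructed placeholder values.

```xml
<!-- Added example fragment (not from the issue). Only the Sessions-related
     parts are shown; the rest of shibboleth2.xml is omitted. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

  <!-- Constructed SP entityID. -->
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn">

    <!-- Style 1: explicit endpoints written by hand.
         isPassive="true" on the initiator asks the single IdP (constructed entityID)
         for a passive login; an IdP that cannot satisfy it answers with the status
         urn:oasis:names:tc:SAML:2.0:status:NoPassive. The conf:ignoreNoPassive
         attribute on the ACS makes the SP treat that answer as a successful
         (anonymous) outcome instead of an error. The conf: prefix is required
         here because md:AssertionConsumerService lives in the metadata namespace. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">

      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login"
                        entityID="https://idp.example.org/idp/shibboleth"
                        isPassive="true">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
      </SessionInitiator>

      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          conf:ignoreNoPassive="true"/>

    </Sessions>

    <!-- Style 2: the <SSO> shortcut, as requested in this issue. Once attributes
         on <SSO> are propagated into the generated SessionInitiator and ACS
         elements, the same opportunistic-SSO setup needs no hand-written ACS,
         and the attribute can be written without the conf: prefix because
         <SSO> is already in the config namespace. (Shown as a second Sessions
         block for comparison; a real file has exactly one.) -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">

      <SSO entityID="https://idp.example.org/idp/shibboleth"
           isPassive="true" ignoreNoPassive="true">
        SAML2
      </SSO>

    </Sessions>

  </ApplicationDefaults>
</SPConfig>
```

A point worth keeping in mind when using either form: with ignoreNoPassive on, a NoPassive response ends the flow without a session, so the protected application must check for the presence of a session (for example REMOTE_USER being set) rather than assume that a completed handler round trip means the user authenticated.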

Environment

N/A

Activity

Scott Cantor 
December 10, 2012 at 7:13 PM

Closing with release.

Scott Cantor 
November 29, 2012 at 1:58 AM

http://svn.shibboleth.net/view/cpp-sp?rev=3822&view=rev

Linefeed fixed. The other question is just my mistake, I wasn't looking at the code right.

Scott Cantor 
November 28, 2012 at 9:03 PM

I'll look at the newline, no need to file anything. I was hoping I was right about the old behavior because now I need to know why it would be different in 2.5. Hopefully it's just a code change/regression that I'll spot quickly, but I need to know before I close it.

Christopher Bongaarts 
November 28, 2012 at 5:03 PM

It works (RelayState is resolved) with redirectErrors and relayState="ss:mem" on SP 2.4.3:

GET
now: Wed Nov 28 10:50:59 2012

requestURL: https://shib-dev.oit.umn.edu/Shibboleth.sso/SAML2/POST
errorType: opensaml::FatalProfileException
errorText: SAML response contained an error.
RelayState: https://shib-dev.oit.umn.edu/passive/
entityID: https://shib-dev.oit.umn.edu/idp/shibboleth
statusCode: urn:oasis:names:tc:SAML:2.0:status:Responder
statusCode2: urn:oasis:names:tc:SAML:2.0:status:NoPassive

The actual value of RelayState on the SAML POST was:

RelayState: ss:mem:3512bb1816aa0e2be30add5175ac7d7b

I guess the newline at the end of the now parameter could be considered a bug? (I can file a new issue if needed)

Scott Cantor 
November 28, 2012 at 4:58 AM

http://svn.shibboleth.net/view/cpp-sp?rev=3821&view=rev

Patch propagates all XML attribute properties from the <SSO>, etc. elements into the manufactured endpoint elements. Also patches property lookup of the cases I identified to allow either qualified or unqualified names.

Also adds missing schema definitions for various settings.

Finally, this seemed not to work in that RelayState was not being converted back into a resource before the redirect was issued if the ignore setting is on.

I think this also would have prevented the redirectErrors option from seeing a recovered RelayState; I would guess it would have just seen the opaque value (ss:mem:nnnn, cookie:nnnn, etc.). This should fix that also and get the target URL passed into the error handler in the RelayState parameter.

When you tested this with the redirection option for errors, what were you seeing in the RelayState parameter?

Fixed

Details

Created November 26, 2012 at 5:07 PM
Updated December 10, 2012 at 7:13 PM
Resolved November 29, 2012 at 1:58 AM