Add ignoreNoPassive attribute to SSO element
Description
Environment
N/A
Activity
Scott Cantor December 10, 2012 at 7:13 PM
Closing with release.
Scott Cantor November 29, 2012 at 1:58 AM
http://svn.shibboleth.net/view/cpp-sp?rev=3822&view=rev
Linefeed fixed. The other question is just my mistake, I wasn't looking at the code right.
Scott Cantor November 28, 2012 at 9:03 PM
I'll look at the newline, no need to file anything. I was hoping I was right about the old behavior because now I need to know why it would be different in 2.5. Hopefully it's just a code change/regression that I'll spot quickly, but I need to know before I close it.
Christopher Bongaarts November 28, 2012 at 5:03 PM
It works (RelayState is resolved) with redirectErrors and relayState="ss:mem" on SP 2.4.3:
GET
now: Wed Nov 28 10:50:59 2012
requestURL: https://shib-dev.oit.umn.edu/Shibboleth.sso/SAML2/POST
errorType: opensaml::FatalProfileException
errorText: SAML response contained an error.
RelayState: https://shib-dev.oit.umn.edu/passive/
entityID: https://shib-dev.oit.umn.edu/idp/shibboleth
statusCode: urn:oasis:names:tc:SAML:2.0:status:Responder
statusCode2: urn:oasis:names:tc:SAML:2.0:status:NoPassive
The actual value of RelayState on the SAML POST was:
RelayState: ss:mem:3512bb1816aa0e2be30add5175ac7d7b
I guess the newline at the end of the now parameter could be considered a bug? (I can file a new issue if needed)
Scott Cantor November 28, 2012 at 4:58 AM
http://svn.shibboleth.net/view/cpp-sp?rev=3821&view=rev
Patch propagates all XML attribute properties from the <SSO>, etc. elements into the manufactured endpoint elements. Also patches property lookup of the cases I identified to allow either qualified or unqualified names.
Also adds missing schema definitions for various settings.
Finally, this seemed not to work in that RelayState was not being converted back into a resource before the redirect was issued if the ignore setting is on.
I think this also would have prevented the redirectErrors option from seeing a recovered RelayState, I would guess it would have just seen the opaque value (ss:mem:nnnn, cookie:nnnn, etc.). This should fix that also and get the target URL passed into the error handler in the RelayState parameter.
When you tested this with the redirection option for errors, what were you seeing in the RelayState parameter?
The <md:AssertionConsumerService> configuration element takes an optional attribute conf:ignoreNoPassive to allow the SP to treat passive login failures as successful (useful for "opportunistic" SSO with a single IdP).
It would be helpful if this were exposed on the <SSO> configuration element shortcut/macro so that one needn't generate ACS elements by hand just to use ignoreIsPassive.
(Even better if the conf: namespace prefix could be omitted
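As an added illustration (not taken from this issue or from the Shibboleth project's own configuration files) of the two forms the description contrasts, the shibboleth2.xml fragment below shows the hand-written <md:AssertionConsumerService> with conf:ignoreNoPassive beside the <SSO> shortcut carrying the same setting. Everything other than the names quoted in the issue (ignoreNoPassive, the <SSO> and <md:AssertionConsumerService> elements, relayState="ss:mem", redirectErrors) is an assumption drawn from the usual layout of shibboleth2.xml: the <Sessions> and <Errors> elements and their attributes, the SessionInitiator with isPassive, the Location/index/Binding values, the idp.example.org and sp.example.org URLs, and the expectation that isPassive on <SSO> is propagated the same way. Check them against the documentation for your SP version.

```xml
<!-- Added illustration, not part of the issue or of the Shibboleth SP distribution.
     The two <Sessions> fragments are alternatives; use one or the other, never both,
     since they declare the same /SAML2/POST endpoint. -->

<!-- Alternative A: the form the description wants to avoid. ignoreNoPassive has to be
     written on a hand-made ACS element, qualified with the conf: prefix (assumed to be
     declared on the root element as xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"),
     and the passive SessionInitiator is declared separately. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">

    <SessionInitiator type="Chaining" Location="/Login" isDefault="true"
                      entityID="https://idp.example.org/idp/shibboleth"
                      isPassive="true">
        <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
    </SessionInitiator>

    <md:AssertionConsumerService Location="/SAML2/POST" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        conf:ignoreNoPassive="true"/>

</Sessions>

<!-- Alternative B: the form the description asks for. Per the 2012-11-28 comment,
     attributes on <SSO> are copied onto the endpoints the SP manufactures, so the
     setting is given once and unqualified. Whether isPassive may also sit here is an
     assumption of this example. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">

    <SSO entityID="https://idp.example.org/idp/shibboleth"
         isPassive="true" ignoreNoPassive="true">
        SAML2
    </SSO>

</Sessions>

<!-- Sibling of <Sessions> under <ApplicationDefaults>. With redirectErrors set, the
     handler is what receives the RelayState value shown in the 2012-11-28 test output;
     the fix discussed in the thread concerns whether that value is the original resource
     URL or the opaque ss:mem:... token. -->
<Errors supportContact="root@localhost"
        redirectErrors="https://sp.example.org/error"/>
```

With either alternative, a NoPassive status from the IdP is treated as a successful (unauthenticated) return to the resource rather than as an error, which is the "opportunistic SSO" behaviour the description refers to; without ignoreNoPassive, the same status produces the FatalProfileException shown in the test output above.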