Discussion:
Another question concerning Ping
Brewer, Edward L
2014-08-29 19:24:07 UTC
To all,

I have a vendor who is using Ping Federate and is having issues consuming my metadata for two reasons. Firstly, there are references to SAML 1.1 bindings (this is for my IdP) in one of my SSO Service entries. I looked at the documentation (the SAML 2.0 Metadata doc), and it appears that the Binding attribute under SingleSignOnService is of the complex EndpointType, which, as far as I can tell from the schema, only needs to be a URI. So I assume it is valid. Next, Ping seems to be looking for a <SignatureValue> tag in the metadata to pull out the signing cert... in my case it is ds:X509Data. Has anyone else seen this?

Thanks,
Lee

Lee Brewer | Application Developer | Information Technology | Vanderbilt University
lee.brewer-***@public.gmane.org | phone 615.343.2802 | it.vanderbilt.edu<http://it.vanderbilt.edu/>
Cantor, Scott
2014-08-29 19:31:37 UTC
Post by Brewer, Edward L
I have a vendor who is using Ping Federate and is having issue consuming
my metadata for two reasons. Firstly, there are references to SAML 1.1
bindings (this is for my IdP) in one of my SSO Service entries. I looked
at the documentation (SAML 2.0 Metadata doc) and it appears that the
binding attribute under SSO service should be of complex endpoint type
which appears, as far as I can tell from the schema, only needs to be a
URI. So I assume it is valid.
SAML metadata can express endpoints for any protocol it's profiled to
support. Consuming metadata requires allowing for many different bindings,
roles, protocols, endpoint types, etc, plus straight extensions. All of
that is explicit in the standard.
Post by Brewer, Edward L
Next, Ping seems to be looking for <SignatureValue> tag in metadata to
pull out the signing cert... in my case it is ds:X509Data. Has anyone else
seen this?
Somebody, likely not Ping but your vendor, is confusing the credentials
contained in the metadata with the signature over it.

I don't know what metadata they're consuming, but providing metadata once
is mostly pointless; they can simply enter the information into Ping the
way it prefers. Metadata is for creating ongoing secure trust
relationships, which requires use of a signature, the validUntil
attribute, and proper constraints on the consuming end, none of which Ping
supports.

In a nutshell, if they're not using a set of tools to automate the secure
import of metadata on a daily basis into Ping, they're wasting their time
anyway and you don't have to bother creating an appropriate metadata
publishing strategy unless you're doing it for other reasons.

-- Scott
--
To unsubscribe from this list send an email to users-***@shibboleth.net
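The distinction Scott draws above, between the credentials an IdP publishes inside its metadata (md:KeyDescriptor/ds:KeyInfo/ds:X509Data) and the ds:Signature that is placed over the metadata document (whose ds:SignatureValue is a signature, not a certificate), is easy to see in code. The following is an added example, not code from the thread, from Shibboleth or from Ping Federate. It uses only the Python standard library, operates on a constructed sample IdP metadata document (the entityID, hostnames and base64 values are placeholders, not real keys), and shows what a consumer should pull from each place, that SAML 1.1 / Shibboleth 1.x bindings are ordinary endpoint entries next to SAML 2.0 ones, and the validUntil check that automated, periodic consumption needs. It does not cryptographically verify the signature; that requires an XML Signature library such as xmlsec and is out of scope here.

```python
"""Inspect SAML 2.0 metadata: separate the credentials published in the
metadata (KeyDescriptor/ds:X509Data) from the signature over the metadata
(ds:Signature/ds:SignatureValue), and apply the checks an automated
consumer needs (validUntil, per-binding endpoint selection)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata (placeholder hostnames and base64, not real
# keys). The document is signed (ds:Signature directly under EntityDescriptor)
# and the IdP role separately publishes its own signing certificate in a
# KeyDescriptor. The two X509Certificate values deliberately differ: the outer
# one identifies whoever signed the document, the inner one is the IdP's key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth"
    validUntil="2014-09-05T00:00:00Z">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>U0lHTkFUVVJFLU9WRVItTUVUQURBVEE=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>TUVUQURBVEEtU0lHTklORy1DRVJU</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>SURQLVNJR05JTkctQ0VSVA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.edu/idp/profile/Shibboleth/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def role_signing_certs(xml_text):
    """Certificates the IdP publishes for relying parties to verify its
    assertions. These live under the role's KeyDescriptor, never under
    ds:Signature. A KeyDescriptor with no 'use' attribute covers both
    signing and encryption, so it is included too."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(c.text.strip())
    return certs


def document_signature(xml_text):
    """The signature over the document, if present, as
    (SignatureValue, signer certificate or None). The signer certificate
    says who vouches for the metadata; it is not the IdP's assertion-signing
    key. Returns None for unsigned metadata. Verification is not done here."""
    sig = ET.fromstring(xml_text).find("ds:Signature", NS)
    if sig is None:
        return None
    value = sig.findtext("ds:SignatureValue", namespaces=NS)
    cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    return (value.strip() if value else None, cert.strip() if cert else None)


def sso_endpoints(xml_text):
    """All SingleSignOnService endpoints as (Binding, Location). A Binding is
    just a URI: Shibboleth 1.x and SAML 1.1 bindings are legitimate entries
    beside SAML 2.0 ones, and a consumer skips what it does not speak."""
    root = ET.fromstring(xml_text)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)]


def select_endpoint(xml_text, binding):
    """Location for the one binding the consumer wants, or None if absent."""
    for b, loc in sso_endpoints(xml_text):
        if b == binding:
            return loc
    return None


def is_current(xml_text, now_iso):
    """validUntil check for a consumer that refreshes on a schedule: once the
    document expires it must stop being trusted. Missing validUntil is treated
    as unsuitable for automated trust. now_iso is an ISO 8601 UTC timestamp."""
    vu = ET.fromstring(xml_text).get("validUntil")
    if vu is None:
        return False
    expiry = datetime.fromisoformat(vu.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now < expiry


if __name__ == "__main__":
    print("IdP signing certs :", role_signing_certs(SAMPLE_METADATA))
    print("document signature:", document_signature(SAMPLE_METADATA))
    print("SSO endpoints     :", sso_endpoints(SAMPLE_METADATA))
    print("current on 2014-08-29?", is_current(SAMPLE_METADATA, "2014-08-29T19:24:07Z"))
```

Run as-is and the IdP's certificate comes from the KeyDescriptor while the SignatureValue and the signer's certificate come from the outer ds:Signature; a consumer that reads the latter as the IdP's key has picked up the wrong credential. Selecting by binding URI also shows why the Shibboleth 1.x endpoint is harmless to a SAML 2.0-only consumer: it simply is not the one asked for.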
Tom Scavo
2014-08-29 19:32:47 UTC
On Fri, Aug 29, 2014 at 3:24 PM, Brewer, Edward L wrote:
I have a vendor who is using Ping Federate and is having issue consuming my metadata for two reasons.
You may want to skim this thread on the InCommon participants list:

https://lists.incommon.org/sympa/arc/participants/2014-08/msg00036.html

Tom