2 Replies Latest reply on Feb 26, 2015 2:30 PM by atomicknight

How is the SAML AuthnRequest issuer set when using the metadata configuration provider?

atomicknight Feb 11, 2015 3:04 PM

I've been experimenting with the picketlink-federation-saml-sp-with-metadata quickstart and have noticed something unexpected about the SAML request sent by PicketLink (acting as a SP). Even though the entity ID is parsed from the SP metadata, the ID is never persisted in the internal data structures and isn't subsequently used when generating requests that are sent to the IdP. Looking at the relevant code, it looks like there's a check to see whether an explicit issuer has been configured, but there is no code anywhere that actually sets the issuer.

Is this the expected behavior? I'm using v2.7.0.CR3 on WildFly 8.2.0.Final.

Thanks!

1. Re: How is the SAML AuthnRequest issuer set when using the metadata configuration provider?

pcraveiro Feb 21, 2015 8:56 AM (in response to atomicknight)

Hey Abraham,

I'm not sure exactly what you mean by "never persisted in the internal data structures". However, the AuthnRequest sent by the SP uses the AssertionConsumerService from the SPSSODescriptor as the issuer. It is pretty much the same thing if you set the ServiceURL in picketlink.xml.

Regards.
Actions
2. Re: How is the SAML AuthnRequest issuer set when using the metadata configuration provider?

atomicknight Feb 26, 2015 2:30 PM (in response to pcraveiro)

Thanks for the response.

To clarify the original question, what I'm asking is whether it would be appropriate for PicketLink to use the entity ID (from the metadata file) rather than the service URL as the issuer ID. It seems like a number of federations use the entity ID rather than the service URL to identify SPs; however, there is no easy way to get PicketLink to do this (because the entity ID is not retained after the metadata is parsed).

Would this be an appropriate feature request?

Thanks!
Actions

Go to original post