<HTML dir=ltr><HEAD></HEAD>
<BODY style="WORD-WRAP: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space">
<DIV id=idOWAReplyText18480 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>
<DIV id=idOWAReplyText25418 dir=ltr>
<DIV dir=ltr><FONT face="Courier New" color=#000000 size=2>Copy of email sent to the shibboleth-users group follows, on making the shib2 package act as an ECP/PAOS-capable SP (to generate the EnvelopedAuthRequest, at least) in Windows/IIS. Not clear the shib exploder has distributed the original mail from Saturday, so it's included here.</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New">My plan is thus:</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New">1. wait till Wed to try building/launching the ECP plugin again</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New">2. run it against my working IIS7/Shib2 SP</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New">3. have it talk to PingFederate 5.02 as IDP, using the SAML2.SOAP binding.</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New">(3) seems the part most at risk now, as I'm not sure I can get PingFed to issue a SOAP response that has the Enveloped form required by the ECP proxy. I'll play, though. Ping are unsupportive on all this work (and won't even release hints), so it's trial and error for me. T&D may well fail, and I may have to go build the Shib2 Java IDP to compensate.</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New">Peter W.</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New"></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New">---------------------</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" color=#000000 size=2>To allow IIS7 (via the shib_isapi handler) to invoke the NativeSP in "handler" mode (so Shib2 acts as a layer 5 protocol engine, rather than web-session middleware) and then support a trial generating a SAMLRequest using ECP and PAOS, I did the following:</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2>1. in isapi src, alter code lines as follows:</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" color=#000000 size=2> A pair&lt;bool,long&gt; res = stf.getServiceProvider().doAuthentication(stf, true); // note true for 2nd parm</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2> B dynabuf handlervar(256); // define val as global, and have CRT static alloc space</FONT></DIV>
<DIV dir=ltr><BR><FONT face="Courier New" size=2> C GetHeader(pn,pfc,"url",handlervar,256,false); // add line to ShibTargetIsapiF constructor, after existing GetHeader(url). Fast hack to store inbound querystring as global char* in handlervar</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2> D // The filter never processes the POST, so stub these methods.<BR> const char* getQueryString() const { <BR> return (char*)handlervar; // implement using nasty hack, for use by CGIReader<BR> // throw IOException("getQueryString not implemented"); // comment away not implemented throw<BR> }</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><BR><FONT face="Courier New" size=2>2. in isapi src, comment out any undesirable, "non protocol" features:</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2> g_Config->setFeatures(<BR> SPConfig::Listener |<BR> // SPConfig::Caching | //disable caching support in library<BR> SPConfig::RequestMapping |<BR> SPConfig::InProcess |<BR> SPConfig::Logging |<BR> SPConfig::Handlers<BR> );</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV><FONT color=#000000></FONT></DIV>
<P><FONT face="Courier New" color=#000000 size=2>3. In a shibboleth2.xml SP config file generated by TestShib harness, ensure default SessionInitiator has (undocumented) attribute ECP="true"</FONT></P>
<P><FONT face="Courier New" color=#000000 size=2> &lt;SessionInitiator type="SAML2" Location="/TestShib" ECP="true" </FONT></P>
<P><FONT face="Courier New" color=#000000 size=2> // note case sensitivity of ECP</FONT></P>
<P><FONT face="Courier New" size=2></FONT><FONT color=#000000> </P>
<DIV dir=ltr><FONT face="Courier New" size=2>4. Invoke the trial using a tool like curl(1), using GET to induce a protocol run, where the providerId parameter is demonstrably set to "none" to showcase the ECP scenario. Run-time mux/demux requirements for the trial are varied by changing "TestShib" and applicationId=&lt;val&gt;. This invokes the protocol engine for layer 5 S-SDU/initiate, in raw mode.</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2> </FONT><A href="https://win8pw.rapattoni.local/Shibboleth.sso/TestShib?applicationId=default&amp;providerId=none" target=_blank><FONT face="Courier New" size=2>https://win8pw.rapattoni.local/Shibboleth.sso/TestShib?applicationId=default&amp;providerId=none</FONT></A><BR></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2>5. Ensure the HTTP request has conforming HTTP request headers (taken verbatim from the SAML2 documentation/latest errata):</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2> Accept: text/html; application/vnd.paos+xml<BR> PAOS: ver="urn:liberty:paos:2003-08" ; "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"</FONT></DIV></FONT>
<DIV dir=ltr><FONT face="Courier New" color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2>Unless I missed some of my code hacks, this produces a trial as follows. Since this is the first time in 12 months of trying with 3 Windows products that I've got this far with ECP, I'm pretty happy with Shib2! Thanks!</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV dir=ltr><FONT face="Courier New" size=2>GET /Shibboleth.sso/TestShib?applicationId=default&providerId=none HTTP/1.1<BR>Accept-Language: en-us,en-securid<BR>UA-CPU: x86<BR>Accept-Encoding: gzip, deflate<BR>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022)<BR>Connection: Keep-Alive<BR>Host: win8pw.rapattoni.local<BR>Accept: text/html; application/vnd.paos+xml<BR>PAOS: ver="urn:liberty:paos:2003-08" ; "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"</FONT></DIV>
<DIV dir=ltr><BR><FONT face="Courier New" size=2>HTTP/1.1 200 OK<BR>Cache-Control: no-cache, no-store, must-revalidate, private<BR>Pragma: no-cache<BR>Content-Type: application/vnd.paos+xml<BR>Server: Microsoft-IIS/7.0<BR>X-Powered-By: ASP.NET<BR>Date: Sat, 26 Apr 2008 22:30:38 GMT<BR>Connection: close<BR>Content-Length: 1515</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2>&lt;S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"&gt;&lt;S:Header&gt;&lt;paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1" responseConsumerURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/&gt;&lt;ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"&gt;&lt;saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"&gt;https://win8pw.rapattoni.local/shibboleth-sp&lt;/saml:Issuer&gt;&lt;samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"&gt;&lt;samlp:IDPEntry ProviderID="none"/&gt;&lt;/samlp:IDPList&gt;&lt;/ecp:Request&gt;&lt;ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"/&gt;&lt;/S:Header&gt;&lt;S:Body&gt;&lt;samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP" ID="_f5c9b87a8863ad2f94c7be25b5522cc3" IssueInstant="2008-04-26T22:30:38Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0"&gt;&lt;saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"&gt;https://win8pw.rapattoni.local/shibboleth-sp&lt;/saml:Issuer&gt;&lt;samlp:NameIDPolicy AllowCreate="1"/&gt;&lt;samlp:Scoping&gt;&lt;samlp:IDPList&gt;&lt;samlp:IDPEntry ProviderID="none"/&gt;&lt;/samlp:IDPList&gt;&lt;/samlp:Scoping&gt;&lt;/samlp:AuthnRequest&gt;&lt;/S:Body&gt;&lt;/S:Envelope&gt;</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV></BLOCKQUOTE>
<DIV id=idSignature142 dir=ltr>
<DIV><FONT face=Arial color=#000000 size=2><SPAN style="FONT-SIZE: 7.5pt"><FONT face="Courier New">_________________________</FONT><BR></SPAN><B>Peter Williams<BR></B><SPAN style="FONT-SIZE: 7.5pt">Chief Information Security Officer<BR>Mobile (805) 416-6305</SPAN></FONT></DIV></DIV>
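Added example (Python, standard library only; not the email author's code or Shibboleth's): what an ECP-capable client is expected to do with the PAOS envelope the SP returned in the trace above, i.e. send the step 5 headers, honour the mustUnderstand header blocks, confirm the PAOS binding, and record responseConsumerURL for the later comparison against the IdP's ecp:Response. The sample envelope is constructed from that trace with the webmail link wrapping removed; the function and variable names are the example's own.

```python
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/", "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
ECP_HEADERS = {"Accept": "text/html; application/vnd.paos+xml",  # step 5 headers, plain ASCII quotes
               "PAOS": 'ver="urn:liberty:paos:2003-08"; "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}
# Header blocks an ECP client knows how to process; the SP marks each of them S:mustUnderstand="1".
KNOWN_HEADERS = {"{%s}Request" % NS["paos"], "{%s}Request" % NS["ecp"], "{%s}RelayState" % NS["ecp"]}

def parse_sp_paos_envelope(xml_text):
    """Validate the SP's enveloped AuthnRequest and extract what the client needs for the IdP leg."""
    root = ET.fromstring(xml_text)
    header = root.find("S:Header", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if header is None or authn is None:
        raise ValueError("not a SOAP envelope carrying a samlp:AuthnRequest")
    # SOAP rule: a receiver that cannot process a mustUnderstand="1" block must fault, not skip it.
    for block in header:
        if block.get("{%s}mustUnderstand" % NS["S"]) == "1" and block.tag not in KNOWN_HEADERS:
            raise ValueError("unhandled mustUnderstand header " + block.tag)
    paos_req = header.find("paos:Request", NS)
    if paos_req is None or paos_req.get("service") != NS["ecp"]:
        raise ValueError("no paos:Request for the ECP service")
    if authn.get("ProtocolBinding") != PAOS_BINDING:
        raise ValueError("AuthnRequest is not bound to PAOS")
    idp_list = [e.get("ProviderID") for e in header.findall("ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)]
    info = {"response_consumer_url": paos_req.get("responseConsumerURL"),
            "acs_url": authn.get("AssertionConsumerServiceURL"), "request_id": authn.get("ID"),
            "issuer": authn.findtext("saml:Issuer", namespaces=NS), "idp_list": idp_list}
    # Kept for the later check against the IdP's ecp:Response AssertionConsumerServiceURL; the SP's own request must agree.
    if info["response_consumer_url"] != info["acs_url"]:
        raise ValueError("responseConsumerURL and AssertionConsumerServiceURL differ")
    return info

# Constructed sample: the envelope from the trace above, with the webmail link wrapping removed.
ACT = 'S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"'
ISS = '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer>'
IDPS = '<samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:IDPEntry ProviderID="none"/></samlp:IDPList>'
SAMPLE_ENVELOPE = ('<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>'
    f'<paos:Request xmlns:paos="urn:liberty:paos:2003-08" {ACT} service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'
    ' responseConsumerURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP"/>'
    f'<ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0" {ACT}>{ISS}{IDPS}</ecp:Request>'
    f'<ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" {ACT}/></S:Header>'
    '<S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0"'
    ' AssertionConsumerServiceURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP"'
    ' ID="_f5c9b87a8863ad2f94c7be25b5522cc3" IssueInstant="2008-04-26T22:30:38Z"'
    f' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS">{ISS}<samlp:NameIDPolicy AllowCreate="1"/>'
    f'<samlp:Scoping>{IDPS}</samlp:Scoping></samlp:AuthnRequest></S:Body></S:Envelope>')
```

A client that gets past these checks forwards the S:Body (the AuthnRequest) to the IdP over the SOAP binding, which is the PingFederate leg the plan above calls step 3.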
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Peter Williams<BR><B>Sent:</B> Sat 4/26/2008 1:11 PM<BR><B>To:</B> shibboleth-users@internet2.edu<BR><B>Subject:</B> RE: TestShib not responding to ACSURL<BR></FONT><BR></DIV>
<DIV dir=ltr>
<DIV id=idOWAReplyText12754 dir=ltr><FONT face=Arial color=#000000 size=2>
<DIV dir=ltr>I've moved on in my experiment (changing Shib2 code to suit), hopefully exploiting a response on a different thread. It noted that one can initiate a (SAML2) protocol handler using URIs of the form:</FONT></DIV></DIV></DIV></FONT></DIV></DIV></BODY></HTML>