<HTML dir=ltr><HEAD><TITLE>RE: [wsf-dev] ECP plugin build/execute feedback</TITLE></HEAD>
<BODY>
<DIV id=idOWAReplyText44897 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Peter Williams<BR><B>Sent:</B> Tue 4/29/2008 12:30 PM<BR><B>To:</B> shibboleth-users@internet2.edu<BR><B>Subject:</B> RE: [wsf-dev] ECP plugin build/execute feedback<BR></FONT><BR></DIV></DIV>
<DIV dir=ltr>
<DIV id=idOWAReplyText35840 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Shib2 as generator of ECP Request is all working nicely now. I'll focus on generating an ECP response now, and having it sent to Shib2.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>- no src changes required, whatsoever, even for debugging.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>- having built the isapi_shib from src (with only minor build errors if one uses the src rpm, and probably none if one checks out from SVN), one need merely point IIS' shib filter and shib handler each to the isapi_shib dll (and supporting files) in the src/Debug/ directory. Then attach the free Visual Studio debugger in native mode to the relevant IIS7 worker pool process. (Life is made easier here if the Shib ISAPI is configured to invoke its own unique worker pool.) Once symbols are loaded and debug traps are set, the debugger will intercept the SP shib2 runtime for the next request one puts through the pipeline. All very easy indeed, once one knows how!</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>- to use Shib in handler mode on IIS7, understand that the logic first passes through the ISAPI filter before hitting the ISAPI extension (acting as handler). When the form of the URI request indicates "do handler", the filter detects that it should do little, leaving all the handling work to the extension, even for request-phase handling. Again, all obvious and very natural, once you figure it out.</FONT></DIV></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>- the easiest configuration so far for ECP was to simply duplicate the TestShib/ SessionInitiator, renaming it all as the /ECP initiator with id="ECP". Optionally, set ECP=true as an attribute. Then I added a samlp:AuthnRequest value as child of the Initiator object, exactly as stated. It's used and all works fine during a protocol run, putting IDPList in both the AuthnRequest on the wire, and in the ECP Request header on the wire.</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>- if one uses the ECP=true attribute on the Initiator, one does not even need to have PAOS and Accept headers in the HTTP request to generate the ECP request. This makes invoking the system from a classical browser a pleasure. </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>- the default RelayState value seems to get picked up from the HomeURL of the initiator, but this (default) is not put on the wire. Presumably, I could put a value in my template value.</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>- the ACS URL picked up and stuffed into the wire message is indirectly configured - using the initiator's acsIndex attribute. This must point to a PAOS endpoint (obviously) in the parent element, whose URL is stuffed into the AuthnRequest properly.</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>- one invokes the run with a simple URL, e.g. <A href="http://win8pw.rapattoni.local/Shibboleth.sso/ECP" target=_blank>http://win8pw.rapattoni.local/Shibboleth.sso/ECP</A></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><PRE>&lt;SessionInitiator type="SAML2" Location="/ECP" ECP="true" isDefault="false" acsByIndex="false" defaultACSIndex="2" id="ECP"
    entityID="https://idp.testshib.org/idp/shibboleth"&gt;
  &lt;samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      AssertionConsumerServiceURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP"
      ID="_5362a76e1a2e932b3636685a06e8d75f" IssueInstant="2008-04-29T18:26:16Z"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0"&gt;
    &lt;saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"&gt;https://win8pw.rapattoni.local/shibboleth-sp&lt;/saml:Issuer&gt;
    &lt;samlp:NameIDPolicy AllowCreate="1"/&gt;
    &lt;samlp:Scoping&gt;
      &lt;samlp:IDPList&gt;
        &lt;samlp:IDPEntry ProviderID="https://idp.testshib.org/idp/shibboleth"/&gt;
        &lt;samlp:IDPEntry ProviderID="https://idp.testshib.org/idp/shibboleth2"/&gt;
        &lt;samlp:IDPEntry ProviderID="https://idp.testshib.org/idp/shibboleth3"/&gt;
      &lt;/samlp:IDPList&gt;
    &lt;/samlp:Scoping&gt;
  &lt;/samlp:AuthnRequest&gt;
&lt;/SessionInitiator&gt;</PRE></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><BR> </DIV>
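<DIV dir=ltr>Added example (not code from the post above or from the Shibboleth project): a small Python check that can be run over the AuthnRequest an SP emits for ECP, such as one copied from the shibd log, to confirm the properties the post relies on: the PAOS ProtocolBinding, an AssertionConsumerServiceURL that really is one of the SP's PAOS endpoints (the acsIndex indirection described above), a saml:Issuer, and a samlp:Scoping/IDPList whose ProviderIDs are all known IdPs. The PAOS endpoint set and the allowed IdP set are constructed assumptions, as is the sample request, which re-types the message from the post as clean XML.</DIV>

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed (assumed) deployment facts: the PAOS AssertionConsumerService the
# initiator's ACS index should resolve to, and the IdPs permitted in the IDPList.
PAOS_ENDPOINTS = {"http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP"}
ALLOWED_IDPS = {
    "https://idp.testshib.org/idp/shibboleth",
    "https://idp.testshib.org/idp/shibboleth2",
    "https://idp.testshib.org/idp/shibboleth3",
}

# Constructed sample: the AuthnRequest from the post, re-typed as clean XML.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://win8pw.rapattoni.local/Shibboleth.sso/SAML2/ECP"
    ID="_5362a76e1a2e932b3636685a06e8d75f" IssueInstant="2008-04-29T18:26:16Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://win8pw.rapattoni.local/shibboleth-sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
  <samlp:Scoping>
    <samlp:IDPList>
      <samlp:IDPEntry ProviderID="https://idp.testshib.org/idp/shibboleth"/>
      <samlp:IDPEntry ProviderID="https://idp.testshib.org/idp/shibboleth2"/>
      <samlp:IDPEntry ProviderID="https://idp.testshib.org/idp/shibboleth3"/>
    </samlp:IDPList>
  </samlp:Scoping>
</samlp:AuthnRequest>"""


def check_ecp_authn_request(xml_text, paos_endpoints=PAOS_ENDPOINTS, allowed_idps=ALLOWED_IDPS):
    """Return a list of problems with an SP-generated ECP AuthnRequest.

    An empty list means the request has the shape an ECP client and IdP expect.
    A mangled entityID (e.g. a stray trailing '%22/' from a copy of the log)
    is reported as an unknown IdP rather than silently accepted.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"root element is {root.tag}, not samlp:AuthnRequest"]

    # ECP requires the PAOS binding; anything else will not be honoured by an ECP client.
    binding = root.get("ProtocolBinding")
    if binding != PAOS_BINDING:
        problems.append(f"ProtocolBinding is {binding!r}, expected the PAOS binding")

    # The ACS URL is resolved via the initiator's ACS index; it must land on a PAOS endpoint.
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in paos_endpoints:
        problems.append(f"AssertionConsumerServiceURL {acs!r} is not a configured PAOS endpoint")

    if not (root.findtext(f"{{{SAML}}}Issuer") or "").strip():
        problems.append("missing or empty saml:Issuer")

    # The IDPList carried in Scoping is what the ECP client uses to pick an IdP.
    entries = root.iterfind(f"{{{SAMLP}}}Scoping/{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry")
    provider_ids = [entry.get("ProviderID") for entry in entries]
    if not provider_ids:
        problems.append("no samlp:IDPList under samlp:Scoping")
    for provider_id in provider_ids:
        if provider_id not in allowed_idps:
            problems.append(f"IDPEntry ProviderID {provider_id!r} is not a known IdP")
    return problems


if __name__ == "__main__":
    for line in check_ecp_authn_request(SAMPLE_REQUEST) or ["request looks right"]:
        print(line)
```

<DIV dir=ltr>Feed it the AuthnRequest text from the debug log (or the template file) in place of SAMPLE_REQUEST; a non-empty result points at the configuration attribute to revisit, such as the acsIndex / PAOS endpoint pairing or an IDPEntry that was copied with extra characters.</DIV>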
<DIV dir=ltr>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr><FONT face=Tahoma size=2><B>From:</B> Scott Cantor<BR><B>Sent:</B> Tue 4/29/2008 10:24 AM<BR><B>To:</B> shibboleth-users@internet2.edu<BR><B>Subject:</B> RE: [wsf-dev] ECP plugin build/execute feedback<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>> The wiki documentation on Shib2 says that the template AuthRequest<BR>> configuration - that provides for "Advanced Authentication Requesting" -<BR>> is an "HTML" structured document. Is this correct, or should it simply<BR>> indicate that the file contains the XML of an AuthRequest?<BR><BR>Different feature. That's the template attribute, not the template I was<BR>talking about. I meant template in the generic sense, sorry.<BR><BR>> For example, if I take an AuthRequest put into the debug-events list of<BR>> the shib log file, that would presumably be what I put into the template<BR>> file. I would not really expect to HTML-ise that, in any way, would I?<BR><BR>No. There should be a child element discussion in that same spot, different<BR>subsection. I'm going to put an example in the wiki when I get a chance.<BR><BR>-- Scott<BR><BR><BR></FONT></P></DIV></DIV></BODY></HTML>