Here is the snippet of code for exchanging a SAML assertion between the IDP and the SP. I can get the SAML assertion from the IDP, but the code to fetch the SAML assertion from the IDP on the SP's side doesn't work.

def exchange_assertion(self):
    """Send assertion to a SP."""
    # sp[u'sp_url'] = http://localhost/Shibboleth.sso/SAML2/ECP
    response = self.session.post(
        sp[u'sp_url'],
        headers={'Content-Type': 'application/vnd.paos+xml'},
        data=self.assertion,
        authenticated=False,
        redirect=False)

    # the status code is 302, so I assume it's okay so far.
    self._check_response(response)

    # sp[u'auth_url'] is the URL that points to the SP, where the
    # SAML assertion is expected to be fetchable from the context,
    # but unfortunately it isn't.
    r = self._handle_http_302_ecp_redirect(self.session, response, sp[u'auth_url'],
                                           method='GET',
                                           headers={'Content-Type':
                                           'application/vnd.paos+xml'})

def _handle_http_302_ecp_redirect(self, session, response, location, method, **kwargs):
    return session.get(location, authenticated=False, **kwargs)

Where I am stuck is that the SAML assertion cannot be retrieved from context['environment']. So, what's going wrong here? Thanks in advance for any suggestions.

jungler

1 Answer

Ah, there was some misconfiguration under Apache; the issue has been solved.

The configuration in /etc/shibboleth/shibboleth2.xml is configured to use the default application, so I must change the applicationId to 'default' under Apache. The configuration looks like this:

<Location ~ "/this is the auth uri/">
    ShibRequestSetting requireSession 1
    AuthType shibboleth
    ShibRequestSetting applicationId default
    #ShibRequireAll On
    #ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location>

Then it works.

jungler
This statement doesn't help anyone who has the same problem. If you have the feeling that someone could have the same question you should add some more information. Otherwise you should remove your question. – Tobias Liefke Nov 04 '15 at 11:03
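
A way to catch the mismatch described in the answer before deploying: the script below is an added example, not code from the original post. It checks that every `ShibRequestSetting applicationId` in an Apache config names an application that shibboleth2.xml defines. The sample configs, entity IDs, paths and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the original post).
SHIBBOLETH2_XML = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <ApplicationOverride id="admin" entityID="https://sp.example.org/admin"/>
  </ApplicationDefaults>
</SPConfig>
"""

APACHE_CONF = """\
<Location ~ "/auth/">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId default
    Require valid-user
</Location>
<Location /federation>
    AuthType shibboleth
    #ShibRequestSetting applicationId admin
    ShibRequestSetting applicationId keystone
    Require valid-user
</Location>
"""

def defined_application_ids(xml_text):
    """'default' (the ApplicationDefaults element) plus every ApplicationOverride id."""
    ids = {"default"}
    for elem in ET.fromstring(xml_text).iter():
        # Compare local names so SP v2 and v3 config namespaces both work.
        if elem.tag.rsplit("}", 1)[-1] == "ApplicationOverride" and elem.get("id"):
            ids.add(elem.get("id"))
    return ids

def mismatched_locations(apache_text, known_ids):
    """Return (location, applicationId) pairs that name an undefined application."""
    bad = []
    blocks = re.findall(r"<Location\s+([^>]*)>(.*?)</Location>", apache_text, re.S | re.I)
    for target, body in blocks:
        for line in body.splitlines():
            # Commented-out directives start with '#' and do not match.
            m = re.match(r"\s*ShibRequestSetting\s+applicationId\s+(\S+)", line, re.I)
            if m and m.group(1).strip('"') not in known_ids:
                bad.append((target.strip(), m.group(1).strip('"')))
    return bad

if __name__ == "__main__":
    for location, app_id in mismatched_locations(APACHE_CONF, defined_application_ids(SHIBBOLETH2_XML)):
        print(f"{location}: applicationId {app_id!r} is not defined in shibboleth2.xml")
```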