Problem configuring and IdP to support anonymous relying parties

Jon Warbrick jw35 at
Thu Sep 1 18:05:31 BST 2011

In the past we ran a Shib 1.3 IdP that accepted authentication and 
attribute requests from anonymous SPs (done by including 
'allowAnonymousProviders="true"' in the <IdPConfig> element). I want to 
replicate this in Shib 2 (2.3.3 currently).

I've added the various <ProfileConfiguration> elements to the 
<AnonymousRelyingParty> section of relying-party.xml, and that seems to be 
sufficient to allow an authentication request to proceed, but a subsequent 
attribute request fails with "Authentication via client certificate failed 
for context presenter entity ID ...", followed by "Message did not meet 
security requirements". This isn't entirely surprising, since the SP is 
using a self-signed certificate and, without metadata, the IdP has no way 
to validate it, but it's not what I want. What am I not doing to also 
allow attribute queries from anonymous SPs?


Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge

More information about the users mailing list