Problem configuring an IdP to support anonymous relying parties
Jon Warbrick
jw35 at cam.ac.uk
Thu Sep 1 18:05:31 BST 2011
In the past we ran a Shib 1.3 IdP that accepted authentication and
attribute requests from anonymous SPs (done by including
'allowAnonymousProviders="true"' in the <IdPConfig> element). I want to
replicate this in Shib 2 (2.3.3 currently).
I've added the various <ProfileConfiguration> elements to the
<AnonymousRelyingParty> section of relying-party.xml, and that seems to be
sufficient to allow an authentication request to proceed, but a subsequent
attribute request fails with "Authentication via client certificate failed
for context presenter entity ID ...", followed by "Message did not meet
security requirements". This isn't entirely surprising, since the SP is
using a self-signed certificate and, without metadata, the IdP has no way
to validate it, but it's not what I want. What am I not doing to also
allow attribute queries from anonymous SPs?
Jon.
--
Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge
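For readers who want to see the pieces the post refers to side by side, here is a constructed relying-party.xml fragment. It is an added illustration, not the poster's actual configuration: the entityID, credential reference and assertion lifetimes are assumed values, and the element and attribute names follow the IdP 2.x default template as shipped. The first part is the `<rp:AnonymousRelyingParty>` block with the `<rp:ProfileConfiguration>` elements the post describes adding (Shibboleth SSO plus a SAML 1 attribute query, since the SP came from a Shib 1.3 world); the second part is the default attribute-query security policy, whose `security:ClientCertAuth` rule is the one that evaluates the SP's client certificate against the metadata-backed trust engine and, with no metadata for an anonymous SP, produces the "Authentication via client certificate failed" and "Message did not meet security requirements" errors quoted above.

```xml
<!-- Constructed example, not the poster's file.
     Assumed values: provider entityID, IdPCredential, lifetimes. -->

<!-- 1. Anonymous relying party: lets SSO and attribute-query profiles
        run for SPs with no metadata (the post's first step). -->
<rp:AnonymousRelyingParty provider="https://idp.example.org/idp/shibboleth"
                          defaultSigningCredentialRef="IdPCredential">

    <!-- Shibboleth 1.x SSO: this is the part the post says already works. -->
    <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
                             includeAttributeStatement="false"
                             assertionLifetime="PT5M"
                             assertionProxyCount="0"
                             signResponses="conditional"
                             signAssertions="never" />

    <!-- SAML 1 attribute query: the profile the failing request uses. -->
    <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
                             assertionLifetime="PT5M"
                             signResponses="conditional"
                             signAssertions="never" />

</rp:AnonymousRelyingParty>

<!-- 2. Default security policy applied to SAML 1 attribute queries.
        ClientCertAuth is checked against shibboleth.CredentialTrustEngine,
        which in the default template chains the MetadataExplicitKey and
        MetadataPKIXX509Credential engines; an SP absent from metadata
        cannot pass it, so MandatoryMessageAuthentication then fails. -->
<security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy"
                         xsi:type="security:ShibbolethSecurityPolicy">
    <security:Rule xsi:type="samlsec:Replay" />
    <security:Rule xsi:type="samlsec:IssueInstant" />
    <security:Rule xsi:type="samlsec:ProtocolMessageXMLSignature"
                   trustEngineRef="shibboleth.SignatureTrustEngine" />
    <security:Rule xsi:type="security:ClientCertAuth"
                   trustEngineRef="shibboleth.CredentialTrustEngine" />
    <security:Rule xsi:type="security:MandatoryIssuer" />
    <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
</security:SecurityPolicy>
```

The practical check when debugging this is to confirm which security policy the attribute-query profile handler references and which trust engine its `ClientCertAuth` rule points at: if every engine in that chain resolves keys from metadata, a self-signed certificate presented by an SP that has no metadata entry has nothing to be validated against, regardless of what the `<rp:AnonymousRelyingParty>` block permits.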