Transport confidentiality required, but not available
Rod Widdowson
rdw at steadingsoftware.com
Fri Sep 2 13:22:03 BST 2011
I'll not disagree with Tom at all, SAML2 attribute pull is an oddity and should be avoided for performance reasons if nothing
else...
But if you *do* own the IdP then you should ensure either that that code to do attribute push is turned off and the metadata entries
suppressed, or that you get it working.
If you think it's hard getting this working now, imagine how much harder it will be to debug in 6 months when it suddenly breaks in
a demo being given by your boss when you have forgotten all the details of what you did...
Rod
> -----Original Message-----
> From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Tom Scavo
> Sent: 02 September 2011 13:11
> To: Shib Users
> Subject: Re: Transport confidentiality required, but not available
>
> On Thu, Sep 1, 2011 at 4:28 AM, Rod Widdowson <rdw at steadingsoftware.com> wrote:
> >
> > You therefore need to fix your metadata, fix the IdP or as a final mechanism teach the SP that
> security doesn't matter.
>
> Adding to Rod's suggestions, you should step back and ask if you
> really want to do attribute query in the first place. It's more
> typical to push encrypted attributes through the browser in SAML2
> flows. That is certainly the path of least resistance, and unless you
> have good reason to want to do attribute query, you should just avoid
> it altogether.
>
> Tom
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list