Transport confidentiality required, but not available

Rod Widdowson rdw at
Fri Sep 2 13:22:03 BST 2011

I'll not disagree with Tom at all, SAML2 attribute pull is an oddity and should be avoided for performance reasons if nothing

But if you *do* own the IdP then you should ensure either that the code to do attribute push is turned off and the metadata entries suppressed, or that you get it working.

If you think it's hard getting this working now, imagine how much harder it will be to debug in 6 months when it suddenly breaks in a demo being given by your boss when you have forgotten all the details of what you did...


> -----Original Message-----
> From: users-bounces at [mailto:users-bounces at] On Behalf Of Tom Scavo
> Sent: 02 September 2011 13:11
> To: Shib Users
> Subject: Re: Transport confidentiality required, but not available
> On Thu, Sep 1, 2011 at 4:28 AM, Rod Widdowson <rdw at> wrote:
> >
> > You therefore need to fix your metadata, fix the IdP or as a final mechanism teach the SP that
> > security doesn't matter.
> Adding to Rod's suggestions, you should step back and ask if you
> really want to do attribute query in the first place. It's more
> typical to push encrypted attributes through the browser in SAML2
> flows. That is certainly the path of least resistance, and unless you
> have good reason to want to do attribute query, you should just avoid
> it altogether.
> Tom
> --
> To unsubscribe from this list send an email to users-unsubscribe at
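The two remedies in the thread, checking that the IdP's published attribute query endpoints actually offer transport confidentiality and, failing that, suppressing the metadata entries so SPs never attempt the query, as an added example that is not from the list or the Shibboleth project. It assumes the standard SAML 2.0 metadata namespace and a constructed EntityDescriptor; that a plain-http AttributeService Location is what trips the SP's "transport confidentiality" check is an assumption drawn from the subject line, not something the thread states.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample IdP metadata (not from any real deployment): one
# AttributeService published over plain http, one over https.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://idp.example.org:8080/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""


def attribute_query_endpoints(metadata_xml):
    """Return (Binding, Location) for every AttributeService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD_NS}}}AttributeService")]


def endpoints_without_tls(metadata_xml):
    """Attribute query Locations an SP would reach without TLS (scheme != https)."""
    return [loc for _, loc in attribute_query_endpoints(metadata_xml)
            if urlparse(loc).scheme.lower() != "https"]


def strip_attribute_query(metadata_xml):
    """Suppress the metadata entries: drop every AttributeAuthorityDescriptor so
    SPs fall back to attributes pushed in the SSO assertion. Returns the new XML."""
    root = ET.fromstring(metadata_xml)
    for aa in root.findall(f"{{{MD_NS}}}AttributeAuthorityDescriptor"):
        root.remove(aa)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for loc in endpoints_without_tls(SAMPLE_IDP_METADATA):
        print("AttributeService without transport confidentiality:", loc)
    print(strip_attribute_query(SAMPLE_IDP_METADATA))
```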
