Problem configuring an IdP to support anonymous relying parties

Jon Warbrick jw35 at
Fri Sep 9 12:00:45 BST 2011

On Thu, 1 Sep 2011, Chad La Joie wrote:

> On Sep 1, 2011, at 1:10 PM, Cantor, Scott wrote:
>> On 9/1/11 1:05 PM, "Jon Warbrick" <jw35 at> wrote:
>>> I've added the various <ProfileConfiguration> elements to the
>>> <AnonymousRelyingParty> section of relying-party.xml, and that seems to be
>>> sufficient to allow an authentication request to proceed, but a subsequent
>>> attribute request fails with "Authentication via client certificate failed
>>> for context presenter entity ID ...", followed by "Message did not meet
>>> security requirements". This isn't entirely surprising, since the SP is
>>> using a self-signed certificate and, without metadata, the IdP has no way
>>> to validate it, but it's not what I want. What am I not doing to also
>>> allow attribute queries from anonymous SPs?
>> Possible guess...define a custom security policy and link that to the
>> profile handler in the Anonymous block?
> Yes, that's what you'd have to do.

OK, thanks. But I must be missing something...

I can see the existing <SecurityPolicy> blocks and I think I can see how 
to create modified versions of those for 
id=shibboleth.SAML1AttributeQuerySecurityPolicy and 
id=shibboleth.SAML1ArtifactResolutionSecurityPolicy that will do what I 

But I can't see how to link these back to the profile handlers in the 
<AnonymousRelyingParty> block. According to both the wiki and the default 
config file, neither the <AnonymousRelyingParty> nor 
<ProfileConfiguration> blocks seem to contain anything that references a 
<SecurityPolicy> (indeed, I can't even see how the various default 
<SecurityPolicy>s are linked to their corresponding profile handlers 
unless by implicit, invisible rules).

Please, what am I missing?


Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge
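Added example, not taken from Jon's message or from the Shibboleth project's own configuration: a sketch of the two pieces the thread talks about, a copy of the SAML 1 attribute-query security policy relaxed for unauthenticated requesters, and the reference that ties it to the attribute-query profile inside <AnonymousRelyingParty>. The securityPolicyRef attribute, the rule type names, the trust-engine id and the example entity ID are assumptions based on the IdP 2.x relying-party.xml schema; compare them with the stock policies in your own file before relying on them.

```xml
<!-- Added example (assumed IdP 2.x syntax), not the original message's config. -->

<!-- 1. Copy of the stock SAML 1 attribute-query policy with the two rules
        that force the requester to authenticate relaxed. Replay, issue-instant,
        issuer and protocol-message checks are kept as they are. -->
<security:SecurityPolicy id="shibboleth.AnonymousSAML1AttributeQuerySecurityPolicy"
                         xsi:type="security:ShibbolethSecurityPolicy">
    <security:Rule xsi:type="samlsec:Replay"/>
    <security:Rule xsi:type="samlsec:IssueInstant"/>
    <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
    <security:Rule xsi:type="samlsec:SAML1AttributeQueryProtocolMessage"/>

    <!-- Client-certificate authentication is still attempted (this rule is the
         source of "Authentication via client certificate failed ..."), but with
         errorFatal="false" a failure no longer aborts the request, because an
         anonymous SP has no metadata to validate its certificate against. -->
    <security:Rule xsi:type="security:ClientCertAuth" errorFatal="false"
                   trustEngineRef="shibboleth.CredentialTrustEngine"/>

    <!-- MandatoryMessageAuthentication is deliberately left out: it is the rule
         that rejects a request with "Message did not meet security requirements"
         when no authentication mechanism succeeded. -->
</security:SecurityPolicy>

<!-- 2. Point the anonymous relying party's attribute-query profile at the
        relaxed policy (assumption: ProfileConfiguration accepts securityPolicyRef). -->
<rp:AnonymousRelyingParty provider="https://idp.example.org/idp/shibboleth"
                          defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
        signResponses="always"
        securityPolicyRef="shibboleth.AnonymousSAML1AttributeQuerySecurityPolicy"/>
</rp:AnonymousRelyingParty>
```

Whatever the exact attribute name turns out to be, the consequence of the relaxed policy is the same: once message authentication is no longer mandatory, the attribute authority answers any party that can reach it and name a plausible issuer, so the attribute filter policy for the anonymous relying party becomes the only control over what is released, and it should release only attributes you would hand to an unknown SP. Signing responses keeps the other direction verifiable, since the SP can still check the IdP's signature against the IdP's published metadata.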
