Problem configuring an IdP to support anonymous relying parties

Jon Warbrick jw35 at
Mon Sep 12 18:17:01 BST 2011

On Fri, 9 Sep 2011, Cantor, Scott wrote:

> One of my pet peeves with the current IdP config, it uses defaults in the
> schemas and some of them are actually set to the ID values of other beans.
> This is one such case.

Right, I see. I agree, this is something that makes configuring Shibboleth 
unnecessarily difficult. This confusion has probably consumed an elapsed 
day of my time trying to understand it, and contributed an elapsed week's 
delay to an already overrunning project.

> The attribute is securityPolicyRef on the profile config elements.
> I don't know if it's documented or not.

Thanks. As far as I can tell it isn't.

> Always look at the schemas when in doubt.

Noted, though they are not easy to find. The only place I could find them 
for the IdP was in the cvs source repository, and even there you need to 
know or guess which component (java-shib-common in this case) 'owns' the 
relevant schema file.

I understand the constraints (and I'll do my best to extend the Wiki 
documentation in this area), but ideally I don't think a Shib deployer 
should need a copy of the svn source...


Jon Warbrick
Information Systems Development, Computing Service, University of Cambridge
