SP Key Rollover with IdP encryptAssertions="conditional"

Peter Schober peter.schober at univie.ac.at
Thu Sep 22 23:26:34 BST 2011


* Tom Scavo <trscavo at gmail.com> [2011-09-22 22:27]:
> > Would the above (by Christopher) still work without specifying a use
> > if the SP never signs requests and the IdP pushes attributes to the
> > SP (i.e., no SOAP queries to verify)?
> 
> Yes, but that's a hefty "if". In the InCommon Federation, for example,
> we have data that suggests the vast majority of transactions are still
> SAML1 and I'm fairly certain that almost all of them are doing
> attribute query.

Well, that's not at all the situation here, and statistics do not
factor into my abstract question. Thanks for the answers.

I also wasn't proposing this as a general solution, I was merely
interested in intellectually "saving" the method suggested, maybe with
an eye towards a couple of SPs (and the IdPs they work with) where I
know these assumptions to hold.
-peter
