Profile Configuration and meaning of "conditional" setting

Chad La Joie lajoie at itumi.biz
Fri Apr 27 12:45:24 BST 2012


The message will be encrypted if the message is not sent directly to
the peer over a transport channel that provides confidentiality.

So, if you're doing a SAML 2 authn request, the message is *not*
being sent to the peer, it's being sent to the user agent and so the
condition is not met and XML encryption is required.

On Fri, Apr 27, 2012 at 07:39, Lukas Hämmerle <lukas.haemmerle at switch.ch> wrote:
> Hello all
>
> Since I have not found a wiki page about that I ask here. What exactly
> is happening when in the relying-party.xml of an IdP a profile
> configuration has set: encryptAssertions="conditional"
>
> Based on what condition will an assertion be encrypted exactly? I'm
> debugging an issue where an SP in metadata has now embedded
> certificates. The IdP then complains "Could not resolve a key
> encryption credential for peer entity". However, the assertion is sent
> via https to the peer entity and according to
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPXMLSigEnc I
> would assume that in this case the assertion encryption is not necessary.
>
> According to the method isEncryptAssertion of
> http://svn.shibboleth.net/view/java-shib-idp2/branches/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java?view=markup
>
> encryption is only applied in the conditional case if
> encoder.providesMessageConfidentiality(requestContext) is false. So, the
> question is based on what conditions this method returns true or false.
> Is returning the assertion via https sufficient to make this method
> return true?
>
> Kind Regards
> Lukas
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Lukas Hämmerle, Central Solutions
> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> phone +41 44 268 15 05, direct +41 44 268 15 64
> lukas.haemmerle at switch.ch, http://www.switch.ch
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net



-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
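The decision described in this thread, written out as an added model (this is illustrative code, not Shibboleth IdP or OpenSAML source; the function names, the `sp_has_encryption_cert` flag and the returned dictionary are hypothetical). It encodes the rule Chad states: with encryptAssertions="conditional", the assertion is encrypted unless the message goes directly to the peer over a confidentiality-protected transport, so a front-channel binding (HTTP-POST or HTTP-Redirect) requires encryption even when the SP endpoint is https, and an SP without a usable certificate in metadata then produces the "Could not resolve a key encryption credential" failure Lukas saw. The binding URIs are the real SAML 2.0 ones; the HTTP-Artifact binding is left out because its treatment by the encoder is not covered by the thread.

```python
# Added model of the encryptAssertions="conditional" decision discussed in the
# thread. Not Shibboleth IdP code: the function names and return shape are
# hypothetical and only mirror the terms used in the messages above.

# Real SAML 2.0 binding URIs (SAML 2.0 Bindings specification).
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Front-channel bindings hand the message to the user agent, not to the peer.
FRONT_CHANNEL_BINDINGS = {HTTP_POST, HTTP_REDIRECT}

KEY_ENCRYPTION_ERROR = "Could not resolve a key encryption credential for peer entity"


def provides_message_confidentiality(binding: str, transport_is_tls: bool) -> bool:
    """Hypothetical counterpart of encoder.providesMessageConfidentiality().

    True only when the message is delivered *directly* to the peer over a
    channel that protects it, i.e. a back-channel (SOAP) exchange over TLS.
    A front-channel binding never qualifies: even if the SP endpoint is
    https, the response passes through the browser, which can read it.
    """
    if binding in FRONT_CHANNEL_BINDINGS:
        return False
    return transport_is_tls


def is_encrypt_assertion(setting: str, binding: str, transport_is_tls: bool) -> bool:
    """Model of the encryptAssertions profile setting: always / conditional / never."""
    if setting == "always":
        return True
    if setting == "never":
        return False
    if setting == "conditional":
        return not provides_message_confidentiality(binding, transport_is_tls)
    raise ValueError(f"unknown encryptAssertions value: {setting!r}")


def build_response(setting: str, binding: str, transport_is_tls: bool,
                   sp_has_encryption_cert: bool) -> dict:
    """Decide whether to encrypt and reproduce the failure mode from the thread.

    If encryption is required but the SP's metadata carries no usable
    certificate, the IdP cannot resolve a key-encryption credential for the
    peer and the response cannot be built. Returns a hypothetical summary
    dict rather than a real SAML Response.
    """
    encrypt = is_encrypt_assertion(setting, binding, transport_is_tls)
    if encrypt and not sp_has_encryption_cert:
        return {"encrypted": False, "error": KEY_ENCRYPTION_ERROR}
    return {"encrypted": encrypt, "error": None}


if __name__ == "__main__":
    # Constructed scenarios: SSO response over HTTP-POST to an https SP,
    # with and without an encryption certificate in the SP's metadata.
    print(build_response("conditional", HTTP_POST, True, False))
    print(build_response("conditional", HTTP_POST, True, True))
    # Back-channel SOAP over TLS: the condition is met, no XML encryption.
    print(build_response("conditional", SOAP, True, False))
```

The first call shows the situation from the question: https alone does not satisfy the condition for a browser-profile response, so the missing certificate turns into the key-encryption-credential error; only the SOAP-over-TLS case skips encryption.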