Using Different SecurityPolicy for different SP's?

Zmuda, Matthew R Matthew.R.Zmuda at td.com
Mon Dec 17 14:00:57 EST 2012


Interesting to know.

So all SPs I support with my IdP must follow the same Security Policy? You mention that is a limitation. Is there a plan to ever support multiple Security Policies?

Thanks.

Matt Zmuda | IT Solutions Developer
DCTS Online Channels - Authentication and Security - CIP/ESR


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Monday, December 17, 2012 1:38 PM
To: Shib Users
Subject: Re: Using Different SecurityPolicy for different SP's?

On 12/17/12 1:28 PM, "Zmuda, Matthew R" <Matthew.R.Zmuda at td.com> wrote:

>Is it possible to use different SecurityPolicy for different SPs?

No. One of the more significant V2 limitations.

> 
>What I have noticed is that when I come in on the 
>/profile/SAML2/Unsolicited/SSO URL, Shibboleth creates an AuthNRequest 
>(don't completely understand why?).

Internal implementation detail.

>This request does not have Message Authentication and it is not signed.
>This goes against my current Security Policy and fails, so I never get 
>to the point where I authenticate the user and create a response.

Which is why the documentation notes that you can't use that feature and still require signed requests, but actually that's more in reference to the assumption that one is opening up unsolicited to all SPs and not just one.

It could be that the choice to mock an AuthnRequest to implement the profile handler is actually an additional problem because it runs through the same security code. I can see that were it implemented differently that might enable what you're trying to do, but that isn't how it is done.

-- Scott

