Make IdP omit inResponseTo

Nanda Kumar NKK at FISCHERINTERNATIONAL.COM
Tue Jan 24 20:23:59 GMT 2012


Using the Shibboleth SSO protocol with SAML 2, how can the IdP be made to omit the inResponseTo from the response?

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Chad La Joie
Sent: Tuesday, January 24, 2012 3:18 PM
To: Shib Users
Subject: Re: Make IdP omit inResponseTo

I don't know what "it" is, but the use of Shibboleth SSO requests for SAML is documented with the rest of the IdP documentation.

On Tue, Jan 24, 2012 at 14:48, Nanda Kumar <NKK at fischerinternational.com> wrote:
> How can I get it to work using the Shibboleth SSO protocol with SAML 2?
>
> -----Original Message-----
> From: users-bounces at shibboleth.net 
> [mailto:users-bounces at shibboleth.net] On Behalf Of Chad La Joie
> Sent: Tuesday, January 24, 2012 2:42 PM
> To: Shib Users
> Subject: Re: Make IdP omit inResponseTo
>
> SIDP-461 is discussing the use of the Shibboleth SSO protocol with SAML 2 (previously it only worked for SAML 1).  If you're dealing with a <samlp:AuthnRequest> then you're not dealing with the Shibboleth SSO protocol.  So, if you're dealing with the SAML messages then you need to follow the SAML spec.
>
> On Tue, Jan 24, 2012 at 14:34, Nanda Kumar <NKK at fischerinternational.com> wrote:
>> SIDP-461 states
>>
>> "Finally, the whole point of this exercise is to signal that the IdP should omit InResponseTo. We can't do this by the absence of a messageID, because the replay support we added to 2.2.1 mocks up a messageID for legacy protocol requests. Chad suggested using a profile handler option, but I would rather that deployers didn't have to turn this off for all responses from the profile handler, mainly because the SP at some point might start enforcing the InResponseTo check."
>>
>> The intention of this fix, as I understand it, is to selectively send inResponseTo.  How can the IdP be made to omit InResponseTo?
>>
>> Nanda
>>
>> -----Original Message-----
>> From: users-bounces at shibboleth.net
>> [mailto:users-bounces at shibboleth.net] On Behalf Of Chad La Joie
>> Sent: Tuesday, January 24, 2012 2:25 PM
>> To: Shib Users
>> Subject: Re: Make IdP omit inResponseTo
>>
>> If the incoming request contains a request ID the IdP is required to send it back.  There is no way to disable that.
>>
>> On Tue, Jan 24, 2012 at 14:17, Nanda Kumar <NKK at fischerinternational.com> wrote:
>>> Hello,
>>>
>>>     In an IdP-initiated SSO scenario, how can I make the IdP omit
>>> inResponseTo?
>>>
>>> I have seen SIDP-461,  but couldn't figure out how to make the IdP 
>>> set the unsolicited flag.
>>>
>>> Is that controlled by setting an attribute on the samlp:AuthnRequest
>>> XML element?
>>>
>>>
>>>
>>> Thanks
>>>
>>> Nanda
>>>
>>>
>>> --
>>> To unsubscribe from this list send an email to 
>>> users-unsubscribe at shibboleth.net
>>
>>
>>
>> --
>> Chad La Joie
>> www.itumi.biz
>> trusted identities, delivered
>
>
>
> --
> Chad La Joie
> www.itumi.biz
> trusted identities, delivered



--
Chad La Joie
www.itumi.biz
trusted identities, delivered
