SAML2 Attribute Query

Cantor, Scott cantor.2 at
Sun Nov 4 16:46:49 EST 2012

On 11/4/12 1:17 PM, "Mike Wiseman" <mike.wiseman at> wrote:

>I'm configuring a commercial service provider to work with our shib IdP.
>The SP wants to use the SAML 2 artifact resolution profile and insists
>that the authn and attribute transactions be handled over one port - 443.

That's not the same as attribute query. Artifact resolution is not an
attribute query, that's a completely different profile.

>I don't know why - perhaps they're using something other than shib for
>the SP. I'm sure the answer to this is no but since I haven't seen any
>use of artifact resolution in SAML 2, just want to confirm.

I'm not sure what you're asking. As far as the port issue, it's not
impossible to use 443, but that depends on the software involved and how
client cert configuration is done. Limiting client authentication to
specific URLs requires TLS renegotiation, which has a lot of technical
issues associated with it from security flaws in recent years. I don't
even pretend to know the state of all that.

The IdP itself knows nothing about it. It just expects client authn to be
there for requests to the resolution profile handler and if they're not
(and the request isn't signed as a substitute), it will reject it.

Generally, when you use the front channel port for this, you do message
signing instead of client TLS.

-- Scott
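The exchange above turns on what the artifact resolution profile actually is: the SP receives a short opaque artifact on the front channel and must resolve it against the issuing IdP over a back channel, which is where the client-TLS-or-signed-request requirement Scott describes applies. As an added illustration (not code from the thread, the Shibboleth project, or either poster), the following Python builds and parses a SAML 2.0 type 0x0004 artifact (TypeCode, EndpointIndex, SHA-1 SourceID of the issuer entityID, 20-byte MessageHandle) and shows the SP-side check that the SourceID maps to a known IdP before any ArtifactResolve request is sent. The entityID and handle values are constructed samples; `admit_resolve_request` models the IdP handler rule stated in the reply (client authn required unless the request is signed instead) and is a hypothetical helper, not the IdP's code.

```python
import base64
import hashlib
import os
import struct
from typing import Dict, Optional

# SAML 2.0 Bindings, section 3.6.4: artifact type code 0x0004 layout is
#   TypeCode (2 bytes) | EndpointIndex (2 bytes) | SourceID (20 bytes) | MessageHandle (20 bytes)
# SourceID is the SHA-1 digest of the issuing entity's entityID.
TYPE_CODE = 0x0004
ARTIFACT_LEN = 2 + 2 + 20 + 20

# Constructed sample entityID; not a real deployment.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"


def source_id(entity_id: str) -> bytes:
    """SourceID component: SHA-1 of the entityID, as the profile specifies."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id: str, endpoint_index: int = 0,
                   handle: Optional[bytes] = None) -> str:
    """IdP side: produce a base64 type-0x0004 artifact referring to a stored message."""
    if handle is None:
        handle = os.urandom(20)  # MessageHandle must be unpredictable
    if len(handle) != 20:
        raise ValueError("MessageHandle must be exactly 20 bytes")
    if not 0 <= endpoint_index <= 0xFFFF:
        raise ValueError("EndpointIndex must fit in 2 bytes")
    raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + source_id(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str, known_idps: Dict[bytes, str]) -> dict:
    """SP side: decode the artifact and refuse to resolve it unless the
    SourceID belongs to an IdP in our metadata (keyed by SourceID)."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("artifact is not %d bytes" % ARTIFACT_LEN)
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError("unsupported artifact type code 0x%04x" % type_code)
    sid, handle = raw[4:24], raw[24:44]
    issuer = known_idps.get(sid)
    if issuer is None:
        # Unknown issuer: do not send an ArtifactResolve to an endpoint we
        # cannot tie to trusted metadata.
        raise ValueError("artifact SourceID does not match any known IdP")
    return {"issuer": issuer, "endpoint_index": endpoint_index, "message_handle": handle}


def admit_resolve_request(client_cert_verified: bool, request_signed: bool) -> bool:
    """Hypothetical model of the IdP resolution handler rule described in the
    reply: client TLS authentication is expected, and a signed request is the
    accepted substitute when the front channel port (443) is used."""
    return client_cert_verified or request_signed


if __name__ == "__main__":
    metadata = {source_id(IDP_ENTITY_ID): IDP_ENTITY_ID}
    art = build_artifact(IDP_ENTITY_ID, endpoint_index=1)
    print("artifact:", art)
    print("parsed:  ", parse_artifact(art, metadata))
```

`parse_artifact` deliberately keys the lookup on the SourceID digest rather than recomputing it from an issuer named in the request, since the artifact carries no issuer string; the SP's metadata is what maps digest to entity and therefore to the resolution endpoint it is allowed to call.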
