Adding a SubjectConfirmation for an AttributeQuery

Cantor, Scott cantor.2 at
Mon Nov 26 09:08:02 EST 2012

On 11/26/12 8:36 AM, "Juhani Gurney" <juhani at> wrote:
>According to the admins of the service the error is related to the
>missing SubjectConfirmation element. So my first question is, how do I
>configure Shib to add...
>Š to the message?

You can't, that isn't supported. Sender-vouches in SAML is more or less a
no-op, it really means there is no subject confirmation, so in this
particular instance it's pretty strange to require it. But no, it's not

>Also, as you can see from the example, the service also expects us to
>send the userid as an attribute (I don't quite understand why as it is in
>the NameID). Is there a way of
> doing that?

No. You can configure it to request specific attributes or values, per the
spec, but you can't make that dynamic.

All of this of course is with the caveat "unless you write your own code".

-- Scott

More information about the users mailing list