Adding a SubjectConfirmation for an AttributeQuery

Juhani Gurney juhani at
Mon Nov 26 09:37:48 EST 2012

Cantor, Scott wrote on 26.11.2012 at 16.08:

> On 11/26/12 8:36 AM, "Juhani Gurney" <juhani at> wrote:
>> According to the admins of the service the error is related to the
>> missing SubjectConfirmation element. So my first question is, how do I
>> configure Shib to add...
>> <saml:SubjectConfirmation
>> Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
>> ... to the message?
> You can't, that isn't supported. Sender-vouches in SAML is more or less a
> no-op, it really means there is no subject confirmation, so in this
> particular instance it's pretty strange to require it. But no, it's not
> supported.
>> Also, as you can see from the example, the service also expects us to
>> send the userid as an attribute (I don't quite understand why as it is in
>> the NameID). Is there a way of doing that?
> No. You can configure it to request specific attributes or values, per the
> spec, but you can't make that dynamic.
> All of this of course is with the caveat "unless you write your own code".

Ok, thanks for clarifying this!
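
The "write your own code" route mentioned above, as an added example that is not part of the original thread and is not Shibboleth code: a standard-library Python sketch that builds a SAML 2.0 AttributeQuery whose Subject carries the sender-vouches SubjectConfirmation and that requests an attribute with a specific value, plus a helper to inspect the result. The issuer URL, the NameID value and the attribute name `userid` are constructed assumptions; signing and the SOAP transport are left out.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def build_attribute_query(issuer, name_id, requested):
    """Build an AttributeQuery; `requested` maps attribute Name -> list of values."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    # The element the remote service asked for; it adds no proof about the subject.
    ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", {"Method": SENDER_VOUCHES})
    for name, values in requested.items():
        attr = ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return query


def describe(xml_text):
    """Return (confirmation methods, {attribute name: values}); for own messages only."""
    root = ET.fromstring(xml_text)
    methods = [sc.get("Method") for sc in root.iter(f"{{{SAML}}}SubjectConfirmation")]
    attrs = {a.get("Name"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
             for a in root.findall(f"{{{SAML}}}Attribute")}
    return methods, attrs


def demo():
    # Constructed sample values, not taken from the thread.
    q = build_attribute_query("https://sp.example.org/shibboleth", "jdoe", {"userid": ["jdoe"]})
    return ET.tostring(q, encoding="unicode")


if __name__ == "__main__":
    print(demo())
```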


