unencrypted assertions not working

Peter Schober peter.schober at univie.ac.at
Wed Apr 3 05:39:31 EDT 2013


* lalithj <j_lalith at hotmail.com> [2013-04-03 09:19]:
> We got a new SP requirement that they need unencrypted assertions, am
> not sure whether this is the best practice or not (which is a
> separate question)

Sending anything that's not essentially public information unencrypted
won't be best practice. Just how bad it is depends on the content and
a couple of other factors (security of the environment the HTTP user
agent runs in, security of the network, etc.).
If all the assertion contains is, e.g., a SAML2 persistent NameID and,
say, an eduPersonScopedAffiliation value, many will find that tolerable.

> Issue is, instead of changing the default relying party, I introduce
> a new relying party for the SP as shown below in relying-party.xml,
> where https://clientsptest.com is the entityId of the SP metadata,
> but with this integration fails, what could be the reason, do I have
> to configure elsewhere or am I missing anything

No idea what "integration fails" means.
The documentation for adding a custom relying party is at
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPRelyingParty

>  <rp:RelyingParty id="https://clientsptest.com"
>                   provider="https://ouridp.com/idp/shibboleth"
>                   defaultSigningCredentialRef="IdPCredential">

If the setting seemingly has no effect the id is probably off.
Set the loglevel to DEBUG and the IdP will tell you exactly what rules
are in effect for any given RP.

>      <rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
>                               signResponses="conditional"
>                               signAssertions="never"/>
> 
>      <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
>                               includeAttributeStatement="true"
>                               assertionLifetime="PT5M"
>                               assertionProxyCount="0"
>                               signResponses="never"
>                               signAssertions="never"
>                               encryptAssertions="never"
>                               encryptNameIds="never"/>

Have a look at
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPSAML2SSOProfileConfig
as it may allow you to reduce that to only 2-3 lines of configuration.
-peter
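An added example, not part of the original thread and not Shibboleth project code: a small Python script that reads an IdP 2.x relying-party.xml, works out the effective SAML2SSOProfile settings for a given SP entityID the way the IdP selects them (exact match on a RelyingParty id, otherwise the DefaultRelyingParty), and flags the near-miss ids that make an override silently not apply, which is the usual reason a setting "has no effect". The relying-party.xml fragment, the entityIDs and the credential reference in it are constructed for the example; the defaults table is the documented IdP 2.x SAML2SSOProfile defaults. Matching a RelyingParty id against an EntitiesDescriptor group name in metadata is not modelled.

```python
import xml.etree.ElementTree as ET

RP_NS = "urn:mace:shibboleth:2.0:relying-party"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Documented IdP 2.x defaults for the SAML2SSOProfile attributes the post
# sets explicitly; an attribute missing from the XML falls back to these.
SAML2_SSO_DEFAULTS = {
    "includeAttributeStatement": "true",
    "assertionLifetime": "PT5M",
    "assertionProxyCount": "0",
    "signResponses": "conditional",
    "signAssertions": "never",
    "encryptAssertions": "conditional",
    "encryptNameIds": "never",
}

# Constructed relying-party.xml fragment for the example (hypothetical
# entityIDs and credential reference; not a real deployment).
SAMPLE_RELYING_PARTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://ouridp.com/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"/>
  </rp:DefaultRelyingParty>
  <rp:RelyingParty id="https://clientsptest.com"
      provider="https://ouridp.com/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>
"""


def _saml2_sso_settings(rp_elem):
    """Effective SAML2SSOProfile settings declared by one (Default)RelyingParty
    element, or None if it declares no SAML2SSOProfile at all. A RelyingParty
    override does not inherit ProfileConfigurations from DefaultRelyingParty."""
    for pc in rp_elem.findall(f"{{{RP_NS}}}ProfileConfiguration"):
        if pc.get(f"{{{XSI_NS}}}type", "").endswith(":SAML2SSOProfile"):
            settings = dict(SAML2_SSO_DEFAULTS)
            settings.update((k, v) for k, v in pc.attrib.items() if k in settings)
            return settings
    return None


def parse_relying_parties(xml_text):
    """Return {'default': settings-or-None, 'overrides': {id: settings-or-None}}."""
    root = ET.fromstring(xml_text)
    default = root.find(f"{{{RP_NS}}}DefaultRelyingParty")
    overrides = {rp.get("id"): _saml2_sso_settings(rp)
                 for rp in root.findall(f"{{{RP_NS}}}RelyingParty")}
    return {"default": _saml2_sso_settings(default) if default is not None else None,
            "overrides": overrides}


def _loose(entity_id):
    # Normalisation used only to spot near-misses; the IdP itself matches exactly.
    return entity_id.strip().rstrip("/").lower()


def resolve_saml2_sso(config, sp_entity_id):
    """Select the RelyingParty the IdP would use for sp_entity_id: an exact match
    on a RelyingParty id, else DefaultRelyingParty. Returns (matched_id, settings,
    warnings)."""
    warnings = []
    if sp_entity_id in config["overrides"]:
        settings = config["overrides"][sp_entity_id]
        if settings is None:
            warnings.append("matched RelyingParty declares no SAML2SSOProfile, "
                            "so SAML2 SSO is disabled for this SP")
        return sp_entity_id, settings, warnings
    for rp_id in config["overrides"]:
        if _loose(rp_id) == _loose(sp_entity_id):
            warnings.append(f"RelyingParty id {rp_id!r} differs from SP entityID "
                            f"{sp_entity_id!r} only in case or a trailing slash; "
                            "the override is NOT applied")
    return None, config["default"], warnings


if __name__ == "__main__":
    cfg = parse_relying_parties(SAMPLE_RELYING_PARTY_XML)
    for sp in ("https://clientsptest.com", "https://clientsptest.com/"):
        matched, settings, warnings = resolve_saml2_sso(cfg, sp)
        print(sp, "->", matched or "DefaultRelyingParty",
              "encryptAssertions=" + settings["encryptAssertions"])
        for w in warnings:
            print("  warning:", w)
```

Two things the script makes visible that the short override hides: a RelyingParty element replaces the whole profile list rather than merging with DefaultRelyingParty, so the reduced two-or-three-line override must still name every profile the SP uses (the SAML1ArtifactResolutionProfile in the posted config would otherwise vanish for that SP); and an entityID that differs from the RelyingParty id only by a trailing slash or letter case falls through to the default, where encryptAssertions="conditional" means the IdP encrypts whenever it can resolve an encryption key for the SP from its metadata. Checking the DEBUG log, as Peter suggests, confirms which RelyingParty the IdP actually picked.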

