Does mod_shib ever do AttributeQueries?

Tom Scavo trscavo at gmail.com
Tue Apr 15 12:51:11 EDT 2014


On Tue, Apr 15, 2014 at 12:36 PM, Wessel, Keith <kwessel at illinois.edu> wrote:
>
> I can't explain why they're doing attribute queries at all, nor can the admins of the servers. Does mod_shib ever generate an attribute query to the IDP under the hood? If so, under what circumstances? Just trying to figure out if we'll break anything by turning this off.

There are two separate questions here. Since SAML1 doesn't support XML
encryption, a typical SAML1 flow includes a back-channel attribute
query. OTOH, attributes are almost always pushed by a SAML2 IdP
(depends on the configuration, I suppose) so SAML2 attribute query is
seldom necessary. Now, if a SAML2 IdP doesn't push the attributes the
SP wants, the SP is likely to turn around and issue a (redundant)
attribute query. So, if your IdP *always* pushes attributes, a SAML2
AttributeService endpoint is unnecessary and should be removed from
metadata.

Bottom line: If you can get away with not supporting SAML1, you can
probably avoid all back-channel exchanges.

PS. There are scores of SAML2 AttributeService endpoints in InCommon
metadata (https://spaces.internet2.edu/x/W4DYAg)

Tom
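To make the advice above concrete, here is an added example (not code from the thread or from Shibboleth) that parses IdP metadata and flags which AttributeService endpoints are still needed: the SAML1 SOAP endpoint only if SAML1 is still supported, the SAML2 SOAP endpoint only if the IdP does not push attributes. The sample metadata, entityID and endpoint URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML2_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample IdP metadata (not real federation metadata) with one
# AttributeService endpoint per SOAP binding.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <AttributeAuthorityDescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""


def attribute_services(metadata_xml):
    """Return (binding, location) for every AttributeService in the metadata.
    For metadata fetched from an untrusted source, parse with defusedxml instead."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD}}}AttributeService")]


def audit(metadata_xml, saml1_supported, attributes_pushed):
    """Map each AttributeService location to 'needed' or 'removable'.

    SAML1 has no XML encryption, so its back-channel query is needed as long
    as SAML1 is supported. A SAML2 query endpoint is redundant when the IdP
    always pushes attributes in the assertion."""
    verdicts = {}
    for binding, location in attribute_services(metadata_xml):
        if binding == SAML1_SOAP:
            verdicts[location] = "needed" if saml1_supported else "removable"
        elif binding == SAML2_SOAP:
            verdicts[location] = "removable" if attributes_pushed else "needed"
        else:
            verdicts[location] = "unknown binding"
    return verdicts


if __name__ == "__main__":
    for loc, verdict in audit(SAMPLE_METADATA, False, True).items():
        print(f"{verdict:9} {loc}")
```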

