SOAP SLO handler: what would it be used for?

Andrew Morgan morgan at orst.edu
Wed Apr 16 18:33:06 EDT 2014


On Wed, 16 Apr 2014, Cantor, Scott wrote:

> On 4/16/14, 5:50 PM, "Tom Scavo" <trscavo at gmail.com> wrote:
>
>> On Wed, Apr 16, 2014 at 5:41 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>>> Does that about cover it?
>>>
>>> Mostly, but you really need to remove the profile configurations.
>>
>> Scott, did you mean "don't need to"?
>
> No, I mean the intent was that you control the profiles in
> relying-party.xml, not by editing the other file.
>
> Profile configurations are in rp.xml, profile handlers are defined in
> handler.xml. The latter don't do anything if the former doesn't enable
> them.
>
> If you want to hit both that's fine, but the one that triggers an
> understandable (relatively) error is the relying party config.

Okay, that is probably simpler or at least more obvious.  I would remove 
the following from the DefaultRelyingParty in relying-party.xml:

         <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="false"
                                  assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>

         <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" assertionLifetime="PT5M"
                                  signResponses="conditional" signAssertions="never"/>

         <rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" signResponses="conditional"
                                  signAssertions="never"/>

         <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" includeAttributeStatement="true"
                                  assertionLifetime="PT5M" assertionProxyCount="0"
                                  signResponses="never" signAssertions="always"
                                  encryptAssertions="conditional" encryptNameIds="never"/>

         <rp:ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
                                  assertionLifetime="PT5M" assertionProxyCount="0"
                                  signResponses="conditional" signAssertions="never"
                                  encryptAssertions="conditional" encryptNameIds="never"/>

         <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
                                  signResponses="never" signAssertions="always"
                                  encryptAssertions="conditional" encryptNameIds="never"/>


which leaves just:

         <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
                                  assertionLifetime="PT5M" assertionProxyCount="0"
                                  signResponses="never" signAssertions="always"
                                  encryptAssertions="conditional" encryptNameIds="never"/>


Or should I just remove the DefaultRelyingParty entirely so that only 
enumerated RPs have access?  How do I handle InCommon SPs then?

If this is documented somewhere, please just tell me to read the wiki.  :)

 	Andy
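As an added illustration (not part of the thread), here is a small audit script for the situation discussed above: it parses a relying-party.xml fragment, lists which profile types each DefaultRelyingParty / RelyingParty still enables, and reports anything outside an allowlist (here, only SAML2SSOProfile). It uses the IdP v2 relying-party namespaces and a constructed sample config; the function names are my own.

```python
import xml.etree.ElementTree as ET
# Namespaces used by Shibboleth IdP v2 relying-party.xml
NS = {
    "rp": "urn:mace:shibboleth:2.0:relying-party",
    "saml": "urn:mace:shibboleth:2.0:relying-party:saml",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed sample: DefaultRelyingParty still enables two legacy profiles next to SAML2 SSO.
SAMPLE = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" signAssertions="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" signAssertions="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signAssertions="always"/>
  </rp:DefaultRelyingParty>
  <rp:RelyingParty id="https://sp.example.org/shibboleth" provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signAssertions="always"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>"""

def enabled_profiles(xml_text):
    """Map 'DefaultRelyingParty' or each RelyingParty id to the profile types it enables."""
    root = ET.fromstring(xml_text)
    result = {}
    for elem in root:
        tag = elem.tag.split("}", 1)[1]          # strip the rp namespace
        if tag not in ("DefaultRelyingParty", "RelyingParty"):
            continue
        key = tag if tag == "DefaultRelyingParty" else elem.get("id")
        profiles = []
        for pc in elem.findall("rp:ProfileConfiguration", NS):
            xsi_type = pc.get(XSI_TYPE, "")
            profiles.append(xsi_type.split(":", 1)[-1])   # drop the 'saml:' prefix
        result[key] = profiles
    return result

def extra_profiles(xml_text, allowed=("SAML2SSOProfile",)):
    """Per relying party, the enabled profiles not in the allowlist (empty list = clean)."""
    return {key: [p for p in profiles if p not in allowed]
            for key, profiles in enabled_profiles(xml_text).items()}

if __name__ == "__main__":
    for party, extras in extra_profiles(SAMPLE).items():
        status = "OK" if not extras else "remove: " + ", ".join(extras)
        print("%-45s %s" % (party, status))
```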


More information about the users mailing list