SOAP SLO handler: what would it be used for?
Andrew Morgan
morgan at orst.edu
Wed Apr 16 18:33:06 EDT 2014
On Wed, 16 Apr 2014, Cantor, Scott wrote:
> On 4/16/14, 5:50 PM, "Tom Scavo" <trscavo at gmail.com> wrote:
>
>> On Wed, Apr 16, 2014 at 5:41 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>>>> Does that about cover it?
>>>
>>> Mostly, but you really need to remove the profile configurations.
>>
>> Scott, did you mean "don't need to"?
>
> No, I mean the intent was that you control the profiles in
> relying-party.xml, not by editing the other file.
>
> Profile configurations are in rp.xml, profile handlers are defined in
> handler.xml. The latter don't do anything if the former doesn't enable
> them.
>
> If you want to hit both that's fine, but the one that triggers an
> understandable (relatively) error is the relying party config.
Okay, that is probably simpler or at least more obvious. I would remove
the following from the DefaultRelyingParty in relying-party.xml:
<rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="false"
    assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>
<rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" assertionLifetime="PT5M"
    signResponses="conditional" signAssertions="never"/>
<rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" signResponses="conditional"
    signAssertions="never"/>
<rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" includeAttributeStatement="true"
    assertionLifetime="PT5M" assertionProxyCount="0"
    signResponses="never" signAssertions="always"
    encryptAssertions="conditional" encryptNameIds="never"/>
<rp:ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
    assertionLifetime="PT5M" assertionProxyCount="0"
    signResponses="conditional" signAssertions="never"
    encryptAssertions="conditional" encryptNameIds="never"/>
<rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
    signResponses="never" signAssertions="always"
    encryptAssertions="conditional" encryptNameIds="never"/>
which leaves just:
<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
    assertionLifetime="PT5M" assertionProxyCount="0"
    signResponses="never" signAssertions="always"
    encryptAssertions="conditional" encryptNameIds="never"/>
Or should I just remove the DefaultRelyingParty entirely so that only
enumerated RPs have access? How do I handle InCommon SPs then?
If this is documented somewhere, please just tell me to read the wiki. :)
Andy
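Added example, not part of the thread and not Shibboleth project code: a small Python audit that lists the ProfileConfiguration types enabled under DefaultRelyingParty in relying-party.xml and produces a trimmed copy that keeps only a chosen set, which is the edit proposed in the message above. Every profile left enabled there is a protocol endpoint the IdP will answer for any SP that falls through to the default, so the list is worth checking before and after the change. The sample relying-party.xml is constructed; the namespace URIs are assumed from IdP 2.x and the `saml:` prefix in the xsi:type values is assumed to match the posted config.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as used by Shibboleth IdP 2.x relying-party.xml.
# Assumption: taken from memory, not from the thread; adjust if your file differs.
RP_NS = "urn:mace:shibboleth:2.0:relying-party"
SAML_NS = "urn:mace:shibboleth:2.0:relying-party:saml"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = "{%s}type" % XSI_NS
PROFILE_TAG = "{%s}ProfileConfiguration" % RP_NS

for prefix, uri in (("rp", RP_NS), ("saml", SAML_NS), ("xsi", XSI_NS)):
    ET.register_namespace(prefix, uri)

# Constructed sample mirroring the DefaultRelyingParty posted in the thread
# (entity ID and attribute values are placeholders, not a real deployment).
SAMPLE_RP_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="false"
        assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" assertionLifetime="PT5M"
        signResponses="conditional" signAssertions="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
        signResponses="conditional" signAssertions="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
        assertionLifetime="PT5M" assertionProxyCount="0"
        signResponses="never" signAssertions="always"
        encryptAssertions="conditional" encryptNameIds="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" includeAttributeStatement="true"
        assertionLifetime="PT5M" assertionProxyCount="0"
        signResponses="never" signAssertions="always"
        encryptAssertions="conditional" encryptNameIds="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
        assertionLifetime="PT5M" assertionProxyCount="0"
        signResponses="conditional" signAssertions="never"
        encryptAssertions="conditional" encryptNameIds="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
        signResponses="never" signAssertions="always"
        encryptAssertions="conditional" encryptNameIds="never"/>
  </rp:DefaultRelyingParty>
</rp:RelyingPartyGroup>
"""


def _default_party(root):
    """Locate the DefaultRelyingParty element directly under the root group."""
    return root.find("{%s}DefaultRelyingParty" % RP_NS)


def enabled_profiles(xml_text):
    """Return the xsi:type of every profile enabled under DefaultRelyingParty, in file order."""
    party = _default_party(ET.fromstring(xml_text))
    if party is None:
        return []
    return [pc.get(XSI_TYPE) for pc in party.findall(PROFILE_TAG)]


def trim_profiles(xml_text, keep):
    """Drop every DefaultRelyingParty profile whose xsi:type is not in `keep`.

    Returns (trimmed_xml_text, list_of_removed_types). Profiles under enumerated
    <rp:RelyingParty> elements are left untouched.
    """
    root = ET.fromstring(xml_text)
    party = _default_party(root)
    removed = []
    if party is not None:
        for pc in list(party.findall(PROFILE_TAG)):
            ptype = pc.get(XSI_TYPE)
            if ptype not in keep:
                party.remove(pc)
                removed.append(ptype)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("Enabled before:", enabled_profiles(SAMPLE_RP_XML))
    trimmed, gone = trim_profiles(SAMPLE_RP_XML, {"saml:SAML2SSOProfile"})
    print("Removed:", gone)
    print("Enabled after:", enabled_profiles(trimmed))
```

One caveat on the trimmed output: ElementTree only declares namespaces that appear in element or attribute names, so the `xmlns:saml` declaration (referenced only inside xsi:type values) is not re-emitted. Use the returned list to drive the edit of the real file, or re-add that declaration on the root before writing the result back.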