SAML2 idp response

Peter Schober peter.schober at univie.ac.at
Wed Dec 10 13:36:19 EST 2014


* samir el otmani <elotmani.samir at gmail.com> [2014-12-10 18:10]:
> Other question: is it normal if an IdP sends a non-encrypted SAML2
> response? In other words, is there any configuration in the IdP which
> indicates that the SAML2 attributes will not be encrypted?

By default with SAML2 the Shibboleth IDP 2.x will encrypt the
assertion (not the response, not attributes, not NameIDs) or fail
trying (e.g. if the SP doesn't have a suitable key).
You'll have to create a specific RelyingParty configuration in order
to allow the IDP to work with an SP without a suitable key at all.

And SAML1 doesn't have XML encryption, so by default the IDP does not
send an attribute statement with the initial HTTP POST. Instead the SP
would have to perform an Attribute Query to get the attribute
statement.

So a Shibboleth IDP will /not/ send unencrypted data over the
browser in its default configuration.

This page has the details:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPXMLSigEnc
-peter
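As an added check from the SP side (example code written for this note, not from the original post or from the Shibboleth project), the following parses a captured samlp:Response and reports which of the three encryptable parts, the assertion, the NameID and the attributes, actually arrived encrypted; both sample responses are constructed, with a placeholder in place of real ciphertext.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# (plaintext element, encrypted counterpart) for the three things SAML2 can encrypt.
CHECKS = {
    "assertion": ("saml:Assertion", "saml:EncryptedAssertion"),
    "name_id": (".//saml:Subject/saml:NameID", ".//saml:Subject/saml:EncryptedID"),
    "attribute": (".//saml:AttributeStatement/saml:Attribute",
                  ".//saml:AttributeStatement/saml:EncryptedAttribute"),
}

def encryption_summary(response_xml: str) -> dict:
    """Count plaintext vs. XML-encrypted assertions, NameIDs and attributes in a
    samlp:Response, i.e. what anyone who sees the browser POST can read."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    summary = {}
    for name, (plain, enc) in CHECKS.items():
        summary[name] = len(root.findall(plain, NS))
        summary["encrypted_" + name] = len(root.findall(enc, NS))
    return summary

def assertion_exposed(summary: dict) -> bool:
    """True when at least one assertion, and thus its attribute statement, is in the clear."""
    return summary["assertion"] > 0

SAML_NS = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"')

# Constructed sample: the IdP 2.x default, whole assertion encrypted for the SP's key.
ENCRYPTED_RESPONSE = f"""<samlp:Response {SAML_NS} ID="_r1" Version="2.0" IssueInstant="2014-12-10T18:10:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:CipherData><xenc:CipherValue>BASE64-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample: a RelyingParty override has disabled encryption for an SP without a key.
PLAINTEXT_RESPONSE = f"""<samlp:Response {SAML_NS} ID="_r2" Version="2.0" IssueInstant="2014-12-10T18:10:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2014-12-10T18:10:00Z">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Run `encryption_summary()` over a response saved from the browser (e.g. with a SAML tracer) and `assertion_exposed()` tells you at once whether the IdP is operating under a no-encryption RelyingParty override for that SP.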

