How to override DefaultRelayingParty values for an SP in relaying-party.xml
Nate Klingenstein
ndk at internet2.edu
Wed Nov 19 15:14:06 EST 2014
Moe,
> <rp:RelyingParty id="RPID"
> provider="<SP ENTITY ID>"
> defaultSigningCredentialRef="IdPCredential">
> <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
> encryptAssertions="never" encryptNameIds="never" />
> </rp:RelyingParty>
You’ll want the provider element to be your IdP’s entityID. It’s a long story.
> I am trying to understand the mechanism - how will the SP know not to use
> the values in DefaultRelayingParty, rather to use this override? Because
> when I go through the log after adding this block, I see my IDP is still
> trying to encrypt the assertions for the SP.
It’ll do a match based on the entityID in the inbound (typically, SAML 2.0 AuthnRequest) request. It’ll take the closest match on all parameters, so when requests come from that entityID, it will use that configuration and inherit anything that isn’t specifically specified.
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPRelyingParty
Note that AuthnRequests are typically not signed or trusted so you can’t always guarantee that the right logic will run.
Hope this helps,
Nate.
More information about the users
mailing list