Specifying <IdpList> in Shibboleth SP
Cantor, Scott
cantor.2 at osu.edu
Mon Nov 24 16:18:26 EST 2014
On 11/24/14, 6:10 PM, "Sandy" <sundeep.nitw at gmail.com> wrote:
>
>The SAML specification says that an <IdpList> element can list all the
>Idp's that the requester would need assertions from.

That's not what it means. It specifies the IdPs you are willing to accept
proxied assertions from. That's a very different thing.

>Where, in Shibboleth SP configuration this can be specified (if at all it
>can be)? I would be grateful if I can be pointed to the wiki page that
>contains relevant information.

It can't be specified directly. You either have to issue your own
AuthnRequests, or use the templating mechanism inside the
<SessionInitiator> element to provide a partial AuthnRequest message with
the IDPList content filled in. I don't recall offhand if it's possible to
specify a template message inside the <SSO> element that replaced the
SessionInitiator syntax, but the mechanism for doing it is documented
under the SAML2 SessionInitiator.

>2. SAML Proxy Idp
>
>Is there some specific configuration that Idp needs to act as a proxy
>Idp? Or is it from the Request that the Idp figures out that it needs to
>act as a proxy Idp (from <ProxyCount> and <IdpList> elements).

There is nothing in SAML that explicitly tells an IdP to proxy a request.

-- Scott
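
The "issue your own AuthnRequests" route mentioned in the reply, as an added example that is not part of the original message and is not Shibboleth code: Python that builds a SAML 2.0 AuthnRequest whose <Scoping> element carries <ProxyCount> and an <IDPList>, then reads those values back. The function names, entity IDs and destination URL are constructed for illustration, and the request is left unsigned.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, destination, idp_entity_ids, proxy_count=None):
    """Return an unsigned <samlp:AuthnRequest> whose <Scoping> carries an <IDPList>."""
    if not idp_entity_ids:
        raise ValueError("IDPList requires at least one IDPEntry")
    if proxy_count is not None and proxy_count < 0:
        raise ValueError("ProxyCount must be a non-negative integer")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    # Scoping is the last child in the AuthnRequest content model.
    scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping")
    if proxy_count is not None:
        scoping.set("ProxyCount", str(proxy_count))
    idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
    for entity_id in idp_entity_ids:
        ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": entity_id})
    return ET.tostring(req, encoding="unicode")


def read_scoping(authn_request_xml):
    """Return (ProxyCount or None, [ProviderID, ...]) from an AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    if scoping is None:
        return None, []
    count = scoping.get("ProxyCount")
    entries = scoping.iterfind(f"{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry")
    return (int(count) if count is not None else None), [e.get("ProviderID") for e in entries]


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    xml = build_authn_request("https://sp.example.org/shibboleth",
                              "https://proxy.example.org/idp/profile/SAML2/Redirect/SSO",
                              ["https://idp1.example.edu/idp"], proxy_count=1)
    print(xml)
    print(read_scoping(xml))
```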