Specifying <IdpList> in Shibboleth SP

Cantor, Scott cantor.2 at osu.edu
Mon Nov 24 16:18:26 EST 2014

On 11/24/14, 6:10 PM, "Sandy" <sundeep.nitw at gmail.com> wrote:

>The SAML specification says that an <IdpList> element can list all the 
>IdPs that the requester would need assertions from.

That's not what it means. It specifies the IdPs you are willing to accept 
proxied assertions from. That's a very different thing.

> Where, in Shibboleth SP configuration, can this be specified (if at all it 
>can be)? I would be grateful if I can be pointed to the wiki page that 
>contains relevant information.

It can't be specified directly. You either have to issue your own 
AuthnRequests, or use the templating mechanism inside the 
<SessionInitiator> element to provide a partial AuthnRequest message with 
the IDPList content filled in. I don't recall offhand if it's possible to 
specify a template message inside the <SSO> element that replaced the 
SessionInitiator syntax, but the mechanism for doing it is documented 
under the SAML2 SessionInitiator.

>2. SAML Proxy IdP
>Is there some specific configuration that an IdP needs to act as a proxy 
>IdP? Or is it from the Request that the IdP figures out that it needs to 
>act as a proxy IdP (from the <ProxyCount> and <IdpList> elements)?

There is nothing in SAML that explicitly tells an IdP to proxy a request.

-- Scott
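As an added illustration of the templating approach Scott describes (this is not configuration from the thread or from the Shibboleth project), below is a partial SAML 2.0 AuthnRequest carrying a Scoping/IDPList. It assumes the SAML2 SessionInitiator's template attribute pointing at this file, and the file path and entityIDs are placeholders.

```xml
<!-- Partial AuthnRequest, saved as e.g. /etc/shibboleth/authnrequest-template.xml
     (hypothetical path referenced from a SAML2 SessionInitiator's template attribute).
     Only the elements to be merged into the generated request are listed here; the SP
     still supplies ID, IssueInstant, Issuer, AssertionConsumerServiceURL and the rest. -->
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <!-- Scoping carries the proxying constraints defined in SAML 2.0 Core.
       ProxyCount="1" allows at most one further hop beyond the IdP that receives
       this request; ProxyCount="0" would forbid proxying altogether. -->
  <samlp:Scoping ProxyCount="1">
    <!-- IDPList names the IdPs whose proxied assertions this SP is willing to accept.
         It does not instruct the receiving IdP to contact them; an IdP that ignores
         proxying entirely is still conformant, as the reply above notes. -->
    <samlp:IDPList>
      <samlp:IDPEntry ProviderID="https://idp.example.org/idp/shibboleth"
                      Name="Example IdP (placeholder)"/>
      <samlp:IDPEntry ProviderID="https://idp2.example.net/idp/shibboleth"/>
    </samlp:IDPList>
  </samlp:Scoping>
</samlp:AuthnRequest>
```

Whether a proxying IdP honours ProxyCount and IDPList is up to that IdP; an SP that relies on this constraint should verify the AuthenticatingAuthority elements in the assertion it receives rather than assume the list was enforced.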
