Shibboleth SP 2.5.4 and empty SubjectLocality element in SAML Assertion

Cantor, Scott cantor.2 at osu.edu
Fri May 8 09:30:50 EDT 2015


On 5/8/15, 9:11 AM, "Leppälä, Arttu" <arttu.leppala at cgi.com> wrote:

>If I read the specification correctly, the SubjectLocality element having no value is valid SAML and the SP should accept the assertion (checkAddress setting is false (default) in the shibboleth2.xml config).

That's debatable, but I made a similar change to accommodate empty Conditions elements for a similar reason. But while I could change it, that won't do you any good for a while; I have no plans to produce a patch release any time soon, barring a security issue.

In general, that's just not really good SAML behavior on the part of the IdP, and while I would consider this a reasonable thing to do, I don't consider it a bug. It's not valid SAML, it's just not exactly invalid.

>Is this a known issue, is there a workaround for telling the SP to not check the element? This functionality seems to have changed between versions 2.5.3 and 2.5.4.

There was a bug that was preventing the rules from being enforced when encryption was in use, so that's the change you're seeing.

-- Scott
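The distinction the thread turns on is between a SubjectLocality element that is absent, one that is present but carries no Address attribute, and one whose Address is actually compared against the client. The following is an added illustration written for this archive page, not Shibboleth SP code: it parses a constructed minimal SAML 2.0 assertion with the standard library and applies the check under a configurable policy. The function and parameter names (`validate_subject_locality`, `reject_empty_element`, `build_assertion`) are assumptions made for the example; only the `checkAddress` setting name and the SubjectLocality element come from the discussion above, and the exact behaviour of SP 2.5.4 is not claimed here.

```python
"""Illustrative SubjectLocality handling for a SAML 2.0 assertion.

Added example, not Shibboleth SP source. The policy knobs below are
assumptions for illustration: `check_address` mirrors the shibboleth2.xml
checkAddress setting named in the thread; `reject_empty_element` models a
strict parser that treats a SubjectLocality with no Address as a defect.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2_NS}


def validate_subject_locality(assertion_xml: str, client_ip: str,
                              check_address: bool = False,
                              reject_empty_element: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for the SubjectLocality portion of one assertion.

    Only the AuthnStatement/SubjectLocality rule is evaluated here; signature,
    Conditions and audience checks are out of scope for this illustration.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in assertion"

    loc = stmt.find("saml:SubjectLocality", NS)
    if loc is None:
        # Element absent: the spec makes it optional, nothing to compare.
        return True, "SubjectLocality absent; nothing to check"

    address = loc.get("Address")
    if address is None:
        # Element present but empty: this is the case from the thread.
        # A strict implementation rejects it; a lenient one ignores it.
        if reject_empty_element:
            return False, "SubjectLocality present but has no Address attribute"
        return True, "empty SubjectLocality ignored"

    if not check_address:
        # checkAddress=false: the IdP-asserted address is not compared.
        return True, "checkAddress disabled; Address not compared"

    if address != client_ip:
        return False, f"Address {address} does not match client {client_ip}"
    return True, "Address matches client"


def build_assertion(subject_locality: Optional[str]) -> str:
    """Constructed minimal assertion for testing (not any real IdP's output)."""
    loc = subject_locality if subject_locality is not None else ""
    return f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_example1" Version="2.0"
                IssueInstant="2015-05-08T13:11:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2015-05-08T13:10:00Z">
    {loc}
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    client = "192.0.2.10"
    cases = {
        "absent": build_assertion(None),
        "empty element": build_assertion("<saml:SubjectLocality/>"),
        "matching Address": build_assertion(f'<saml:SubjectLocality Address="{client}"/>'),
        "other Address": build_assertion('<saml:SubjectLocality Address="198.51.100.7"/>'),
    }
    for name, xml in cases.items():
        strict = validate_subject_locality(xml, client, check_address=False)
        lenient = validate_subject_locality(xml, client, check_address=False,
                                            reject_empty_element=False)
        print(f"{name:18s} strict={strict}  lenient={lenient}")
```

Running the script prints one line per case; the "empty element" case is the only one where the strict and lenient policies disagree while checkAddress is false, which is exactly the situation the original poster describes. Turning `check_address` on makes the "other Address" case fail as well.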


