Shibboleth SP 2.5.4 and empty SubjectLocality element in SAML Assertion
cantor.2 at osu.edu
Fri May 8 09:30:50 EDT 2015
On 5/8/15, 9:11 AM, "Leppälä, Arttu" <arttu.leppala at cgi.com> wrote:
>If I read the specification correctly, the SubjectLocality element having no value is valid SAML and the SP should accept the assertion (checkAddress-setting is false (default) in the Shibboleth2.xml config).
That's debatable, but I made a similar change to accommodate empty Conditions elements for a similar reason. But while I could change it, that won't do you any good for a while; I have no plans to produce a patch release any time soon, barring a security issue.
In general, that's just not really good SAML behavior on the part of the IdP, and while I would consider this a reasonable thing to do, I don't consider it a bug. It's not valid SAML, it's just not exactly invalid.
>Is this a known issue, is there a workaround for telling the SP to not check the element? This functionality seems to have changed between versions 2.5.3 and 2.5.4.
There was a bug that was preventing the rules from being enforced when encryption was in use, so that's the change you're seeing.
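To make the point of the thread concrete, here is an added example (not Shibboleth SP code, and not the poster's) that inspects the SubjectLocality element of a SAML 2.0 AuthnStatement the way an SP's address check would. In the SAML 2.0 schema both attributes of SubjectLocality (Address and DNSName) are optional, so a bare `<saml:SubjectLocality/>` is schema-valid; the example distinguishes "element present but no Address" from "Address present" and only compares against the client address when a checkAddress-style flag is set. The sample assertions are constructed and unsigned; the three-way status values and the choice to report a missing Address separately rather than reject are this example's own assumptions, not the SP's documented behaviour.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_assertion(subject_locality: str) -> str:
    """Constructed sample assertion (no Signature, no Conditions) used only for this example."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_example" IssueInstant="2015-05-08T13:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2015-05-08T13:00:00Z">
    {subject_locality}
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


# Constructed inputs: the empty element from the thread, a matching address,
# a non-matching address, and no SubjectLocality at all.
EMPTY_LOCALITY = build_assertion('<saml:SubjectLocality/>')
MATCHING_LOCALITY = build_assertion('<saml:SubjectLocality Address="192.0.2.10"/>')
OTHER_LOCALITY = build_assertion('<saml:SubjectLocality Address="203.0.113.5"/>')
NO_LOCALITY = build_assertion('')


def subject_locality_address(assertion_xml: str):
    """Return (present, address) for the first AuthnStatement's SubjectLocality.

    present is False when the element is absent; address is None when the element
    exists but carries no Address attribute (the empty-element case).
    A real SP validates the signature before looking at any of this.
    """
    root = ET.fromstring(assertion_xml)
    loc = root.find(f".//{{{SAML_NS}}}AuthnStatement/{{{SAML_NS}}}SubjectLocality")
    if loc is None:
        return False, None
    return True, loc.get("Address")


def check_subject_locality(assertion_xml: str, client_address: str, check_address: bool = False) -> str:
    """Apply a checkAddress-style policy (assumed semantics, not Shibboleth's).

    Returns "accepted", "rejected", or "no-address". With check_address False the
    element is never consulted, mirroring the default in shibboleth2.xml.
    """
    if not check_address:
        return "accepted"
    present, address = subject_locality_address(assertion_xml)
    if not present or address is None:
        # Nothing to compare; surface this so the caller decides, rather than
        # silently treating an empty element as a mismatch or a match.
        return "no-address"
    return "accepted" if address == client_address else "rejected"
```

Run with the constructed inputs above: with `check_address` left at its default the empty element is accepted, and only when the flag is on does the Address attribute (or its absence) matter.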