SAML1 for particular Relying Party within a federation

Keith Carr kecarr at sgul.ac.uk
Mon May 11 07:49:13 EDT 2015



From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Ian Young
Sent: 11 May 2015 12:17
To: Shib Users
Subject: Re: SAML1 for particular Relying Party within a federation


On 11 May 2015, at 11:58, Keith Carr <kecarr at sgul.ac.uk> wrote:

I’m basically looking to force one SP that provides its metadata via the UKfederation to use SAML1 for its response and assertion.

Unless you're going to be sending unsolicited responses, it is the SP's choice that will determine which protocol is used for the transaction. If the SP sends you a SAML 2 authentication request, you will be replying using SAML 2 or not at all. An SP will of course not do that if it can see that you only support SAML 1.

Can you give us some idea as to why you want to not use SAML 2 if it's available to both parties?

With the recent vulnerabilities exposed within the TLS/SSL protocols (POODLE) we tightened up server configs, including setting Tomcat to work with TLS 1.0 as a minimum requirement. However we have found doing so “breaks” SAML1.x assertion exchange with one of the SPs (Ovid). It seems like they are some time away from addressing the security vulnerability themselves and moving to SAML2.x.
To be honest, with what you’ve said now I think I’ve realised there’s no way around it until they have applied updates.
Thanks for your help,

- Keith

    -- Ian
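An added illustration of Ian's point above, written for this page and not taken from the thread or from the Shibboleth IdP code base: the IdP learns which protocol the SP chose by inspecting the inbound SSO request (a SAML 2 HTTP-Redirect AuthnRequest versus a Shibboleth 1.x request carrying shire/target/providerId), checks what the SP advertises in its metadata protocolSupportEnumeration, and answers in that protocol or refuses. There is no IdP-side knob that turns a SAML 2 request into a SAML 1 response. The entity IDs, the metadata document and the request query strings are constructed samples.

```python
"""Added illustration (not code from the thread or from the Shibboleth IdP):
the SP chooses the protocol; the IdP reads the inbound SSO request, checks the
SP's advertised protocols and answers in kind or not at all.
Entity IDs, metadata and query strings below are constructed samples."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML11_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"
SAML2P = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML2A = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed federation metadata: sp1 is a SAML 1.1 / Shibboleth 1.x SP,
# sp2 is SAML 2 only.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="{SAML11_PROTOCOL} urn:mace:shibboleth:1.0"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def classify_sso_request(query_string):
    """Identify the protocol the SP used for its SSO request.

    Returns ("saml2", issuer) for a SAML 2 HTTP-Redirect AuthnRequest,
    ("shib1", providerId) for a Shibboleth 1.x SSO request (shire/target/
    providerId parameters), or ("unknown", None)."""
    params = urllib.parse.parse_qs(query_string)
    if "SAMLRequest" in params:
        raw = base64.b64decode(params["SAMLRequest"][0])
        # HTTP-Redirect binding carries raw DEFLATE data (no zlib header).
        root = ET.fromstring(zlib.decompress(raw, -15))
        if root.tag == SAML2P + "AuthnRequest":
            issuer = root.find(SAML2A + "Issuer")
            return "saml2", (issuer.text if issuer is not None else None)
        return "unknown", None
    if {"shire", "target", "providerId"} <= params.keys():
        return "shib1", params["providerId"][0]
    return "unknown", None


def supported_protocols(metadata_xml, entity_id):
    """Protocols the SP advertises in its SPSSODescriptor, or an empty set."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(MD + "EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            sp = ed.find(MD + "SPSSODescriptor")
            if sp is not None:
                return set(sp.get("protocolSupportEnumeration", "").split())
    return set()


def choose_response_protocol(request_kind, sp_protocols):
    """The IdP answers in the protocol the SP asked with, provided the SP's
    metadata advertises it; there is no IdP-side override to another version.
    Returns the protocol URI, or None to refuse the transaction."""
    wanted = {"saml2": SAML2_PROTOCOL, "shib1": SAML11_PROTOCOL}.get(request_kind)
    if wanted is None or wanted not in sp_protocols:
        return None
    return wanted


def make_redirect_authn_request(issuer):
    """Constructed sample: the SAMLRequest query string a SAML 2 SP sends over
    the HTTP-Redirect binding (deflate, base64, URL-encode)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAML2_PROTOCOL}" '
           f'xmlns:saml="{SAML2A[1:-1]}" ID="_constructed-id-1" Version="2.0" '
           'IssueInstant="2015-05-11T11:00:00Z">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def make_shib1_request(provider_id):
    """Constructed sample of a Shibboleth 1.x SSO request from the SP."""
    return urllib.parse.urlencode({
        "shire": provider_id.rsplit("/", 1)[0] + "/Shibboleth.sso/SAML/POST",
        "target": "cookie",
        "providerId": provider_id,
        "time": "1431343200",
    })


if __name__ == "__main__":
    for qs in (make_redirect_authn_request("https://sp2.example.org/shibboleth"),
               make_shib1_request("https://sp1.example.org/shibboleth")):
        kind, entity = classify_sso_request(qs)
        protos = supported_protocols(SAMPLE_METADATA, entity)
        print(kind, entity, "->", choose_response_protocol(kind, protos))
```

Run stand-alone, the script shows the SAML 2 SP being answered in SAML 2 and the Shibboleth 1.x SP in SAML 1.1; feeding a Shibboleth 1.x request for an SP whose metadata only lists SAML 2 yields a refusal, which is the "SAML 2 or not at all" outcome described in the reply.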


