Subject missing from Response

Doan, Tommy tdoan at smu.edu
Sat Mar 5 17:08:31 EST 2016


I found the IdP v3 documentation on how to disable assertion signing and encryption by relying party ID, and implemented that temporarily for this SP. This is very handy indeed, and seems to be far more straightforward than attempting to decrypt the Response after the fact.
https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration
https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration

<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- temporarily disable signing and encryption for Blackline sandbox -3/5/2016 -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="urn:federation:ssosbna.blacklineondemand.com">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:signAssertions="false" p:encryptAssertions="false" />
            </list>
        </property>
    </bean>

</util:list>

With this I see now in SAML Tracer that the Subject and Name ID are in fact contained in the Response within the EncryptedAssertion element.  Good stuff!

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Doan, Tommy
Sent: Saturday, March 5, 2016 10:47 AM
To: 'users at shibboleth.net' <users at shibboleth.net>
Subject: Subject missing from Response

I still have some big gaps in my understanding of SAML requests and responses. Can someone help me understand why I don't see a SAML Subject in the response below? I expected to see a Subject along with a Name ID in the response, but I suspect it's been signed and encrypted. The following are captures from SAML Tracer. Assuming it has been signed and/or encrypted, what are my options for seeing the values in tools like SAML Tracer or Fiddler? Or do implementers just disable signing and encryption temporarily to see these values?
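
Added example (not part of the original message or of Shibboleth): a small Python check that reports whether a decoded SAML Response carries its assertion as `EncryptedAssertion` or as a readable `Assertion`, and lists any visible NameID. Both sample documents and the `idp.example.org` issuer are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # own captures only; use defusedxml for untrusted XML

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_response(xml_text):
    """Summarise what is readable in a decoded samlp:Response without any key."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    report = {"response_signed": root.find("ds:Signature", NS) is not None,
              "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
              "plain_assertions": 0, "signed_assertions": 0, "name_ids": []}
    for assertion in root.findall("saml:Assertion", NS):
        report["plain_assertions"] += 1
        if assertion.find("ds:Signature", NS) is not None:
            report["signed_assertions"] += 1
        # Subject/NameID is only visible when the assertion is not encrypted.
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is not None:
            report["name_ids"].append((name_id.get("Format"), (name_id.text or "").strip()))
    return report

# Constructed samples (not real captures): same envelope, different assertion form.
_ENVELOPE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">'
             '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>%s</samlp:Response>')
ENCRYPTED_SAMPLE = _ENVELOPE % (
    '<saml:EncryptedAssertion>'
    '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedAssertion>')
PLAIN_SAMPLE = _ENVELOPE % (
    '<saml:Assertion ID="_constructed_a" Version="2.0">'
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    'constructed-name-id</saml:NameID></saml:Subject></saml:Assertion>')

if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, inspect_response(sample))
```

Running the same check on a fresh capture after the temporary override is removed should again show one encrypted assertion, no plain assertions, and no visible NameID.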
