What does "conditional" mean in SAML2SSOProfile?
shibboleth655 at lewenberg.com
Mon Jan 23 16:55:45 EST 2017
We are running Shibboleth IdP 3.2.1 but the relying party file is
version 2. We are working on changing this so that the relying party
uses version 3 configurations. This has raised a question about the
"conditional" attribute for the various security parameters in relying
party.
The settings we are concerned with are
signResponses
signAssertions
encryptAssertions
for SAML2SSOProfile. Our default settings are
signResponses = conditional
signAssertions = never
encryptAssertions = conditional
I have been looking at
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPXMLSigEnc and
the relevant text seems to be this:
"The IdP is capable of determining if the message integrity protection,
provided by XML signatures, and the message confidentiality protections,
provided by XML encryption, are provided by the communication channel
and message encoding style used to respond to messages. As XML signing
and encryption are significantly more time and resource intensive, when
compared to transport/encoding level mechanisms, the IdP allows
deployers to indicate whether these XML operations are always required,
required only if the transport/encoding level doesn't provide them, or
never required. These options are represented, respectively, by the
values always, conditional, and never used in the attributes that
control whether some portion of XML data is signed or encrypted."
What does "conditional" mean for each of the three settings
(signResponses, signAssertions, encryptAssertions) in the context of
SAML2SSOProfile?
Adam Lewenberg
Stanford University
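As an added illustration (not part of the original post, and not an answer from the Shibboleth project), the V3 relying-party.xml syntax the poster is migrating to expresses these same three settings as per-relying-party profile properties. In V3 they are predicate-valued rather than the V2 always/conditional/never keywords: the string shorthands "true" and "false" correspond to the V2 values always and never, while anything conditional has to be supplied as a predicate bean. The SP entityID below is a hypothetical placeholder; the values chosen are only there to show where each setting goes, not a recommendation:

```xml
<!-- Added example, not from the original post. Fragment for conf/relying-party.xml (IdP v3 syntax).
     The entityID is a hypothetical placeholder. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- Override for one SP: explicit "always"/"never" equivalents.
         In V3 these properties are Predicates; "true" == V2 "always", "false" == V2 "never". -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:signResponses="true"
                      p:signAssertions="false"
                      p:encryptAssertions="true" />
            </list>
        </property>
    </bean>

</util:list>
```

Leaving a property off the SAML2.SSO bean keeps the profile's built-in default for that relying party, so only the settings that differ from the default need to be stated in an override.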