how to force idp v3 to sign saml assertion
Jehan Procaccia
Jehan.Procaccia at it-sudparis.eu
Sat May 6 04:07:56 EDT 2017
On 05/05/2017 13:41, Peter Schober wrote:
> * Jehan Procaccia <Jehan.Procaccia at it-sudparis.eu> [2017-05-05 10:32]:
>>> https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration#SecurityConfiguration-SigningandEncryptionEnablement
>>>
>> I had already set in conf/idp.properties :
>>
>> idp.encryption.optional = false
>>
>> did I misunderstand that boolean? Must it be set to "true" to force the SAML
>> assertion to be signed?
> You seem to have failed to read what is written exactly at the URL
> Brent sent (and still is quoted above). In the example (e.g. the first
> one called "Per-Profile Signing or Encryption Options") there are
> custom relying party settings for your relying-party.xml, where you
> can enable p:signAssertions="true".
>
> Nowhere is there a mention of changing idp.properties for that.
>
> And no, the property "idp.encryption.optional" has nothing to do with
> whether the IDP signs the SAML Response or the SAML Assertion.
> It is about not encrypting (hence the name) data to an SP that does
> not have a key suitable for encryption. (I.e., it's when you prefer to
> send data not XML-encrypted to the SP rather than having the IDP fail
> the transaction.)
>
> -peter
OK, that works fine now. I hadn't noticed the "Expand source" on the
above-mentioned URL regarding
SecurityConfiguration-SigningandEncryptionEnablement:
<!-- excerpt of relying-party.xml -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://sp.example.org">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:signAssertions="true"
                  p:encryptAssertions="false" />
        </list>
    </property>
</bean>

I set signAssertions="true" p:encryptAssertions="true",
and now the LightSAML SP accepts the now signed assertions.
We have dozens of IDPs in our federation; it would be cumbersome to ask
each IDP maintainer to set this bean for that SP.
Isn't there a global default setting to ask the IDP to sign assertions
in any case?
Would it overload the SAML exchanges in a significant manner?
Thanks.