IdP assertions encryption issue
Guillaume Rousse
guillaume.rousse at renater.fr
Thu Feb 1 08:13:17 EST 2018
On 31/01/2018 at 17:50, Peter Schober wrote:
>> However, I don't understand why, given its current configuration,
>> our IdP does encrypt its assertions. That's an old version (2.4.4),
>> but all the profile defined in relying-party.xml have
>> encryptAssertions attribute set to "never" or "conditional".
>
> That's a very old question, see the archives. "conditional" basically
> means "If it's not end-to-end secured -- as in: goes over the web
> browser -- I'll encrypt it".
As direct IdP/SP communication only occurs in some specific SAML
profiles (at least Artifact Resolution and Attribute Query), does it
imply that the "conditional" setting for all other profiles involving the user
browser (SSO, notably) is actually a synonym for "always"?
>> It's a bit difficult to understand what this setting does exactly,
>> given that IdP 2.x documentation seems to have been removed from the
>> Shibboleth consortium wiki
>
> Nothing has been removed, you're mistaken. In case you were looking
> for a wiki space called "IDP2"something: that never existed, the old
> documentation is still available in the "SHIB2" wiki space.
Indeed, sorry for the confusion.
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
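As an added illustration (not code from the thread, from Shibboleth, or from either poster), this Python script models the semantics Peter describes: it parses a constructed relying-party.xml fragment and reports, per profile, whether a "conditional" setting leads to encryption. The namespaces, profile type names, the IdP 2 default of "conditional" and the front-channel classification are assumptions, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Namespaces used by IdP 2.x relying-party.xml (assumption, not from the thread).
NS = {
    "rp": "urn:mace:shibboleth:2.0:relying-party",
    "saml": "urn:mace:shibboleth:2.0:relying-party:saml",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed fragment mirroring the settings discussed in the thread (not a real deployment).
RELYING_PARTY_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="conditional"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" encryptAssertions="conditional"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" encryptAssertions="never"/>
  </rp:DefaultRelyingParty>
</rp:RelyingPartyGroup>"""

# Which profiles deliver the assertion through the user's browser (front channel)
# versus directly IdP-to-SP over TLS (back channel). Assumed classification.
FRONT_CHANNEL = {
    "saml:SAML2SSOProfile": True,
    "saml:SAML2ArtifactResolutionProfile": False,
    "saml:SAML2AttributeQueryProfile": False,
}

def will_encrypt(setting, front_channel):
    """Model of the semantics from the thread: 'conditional' encrypts only when
    the assertion is not end-to-end secured, i.e. when it transits the browser."""
    if setting == "always":
        return True
    if setting == "never":
        return False
    if setting == "conditional":
        return front_channel
    raise ValueError(f"unknown encryptAssertions value: {setting!r}")

def encryption_plan(xml_text):
    """Return {profile type: encrypted?} for each ProfileConfiguration in the fragment."""
    root = ET.fromstring(xml_text)
    plan = {}
    for prof in root.iterfind(".//rp:ProfileConfiguration", NS):
        ptype = prof.get("{http://www.w3.org/2001/XMLSchema-instance}type")
        setting = prof.get("encryptAssertions", "conditional")  # IdP 2 default assumed
        # Unknown profile types are treated as front channel, i.e. the cautious choice.
        plan[ptype] = will_encrypt(setting, FRONT_CHANNEL.get(ptype, True))
    return plan
```

Under this model the SSO profile ends up encrypted while the two back-channel profiles do not, which is the "conditional equals always for browser profiles" reading asked about above.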