IdP assertions encryption issue

Guillaume Rousse guillaume.rousse at
Thu Feb 1 08:13:17 EST 2018

On 31/01/2018 at 17:50, Peter Schober wrote:
>> However, I don't understand why, given its current configuration,
>> our IdP does encrypt its assertions. That's an old version (2.4.4),
>> but all the profiles defined in relying-party.xml have
>> encryptAssertions attribute set to "never" or "conditional".
> That's a very old question, see the archives. "conditional" basically
> means "If it's not end-to-end secured -- as in: goes over the web
> browser -- I'll encrypt it".
As direct IdP/SP communication only occurs in some specific SAML
profiles (at least Artifact Resolution and Attribute Query), does it
imply that the "conditional" setting for all other profiles involving the
user's browser (SSO, notably) is actually a synonym for "always"?

>> It's a bit difficult to understand what this setting does exactly,
>> given that IdP 2.x documentation seems to have been removed from
>> Shibboleth consortium wiki
> Nothing has been removed, you're mistaken. In case you were looking
> for a wiki space called "IDP2"something: that never existed, the old
> documentation is still available in the "SHIB2" wiki space.
Indeed, sorry for the confusion.

Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
