IdP assertions encryption issue

Peter Schober peter.schober at
Thu Feb 1 08:20:46 EST 2018

* Guillaume Rousse <guillaume.rousse at> [2018-02-01 14:14]:
> > That's a very old question, see the archives. "conditional" basically
> > means "If it's not end-to-end secured -- as in: goes over the web
> > browser -- I'll encrypt it".
> As direct IdP/SP communication only occurs in some specific SAML profiles
> (at least Artifact Resolution and Attribute Query), does it imply that
> "conditional" setting for all other profiles involving user browser (SSO,
> notably) is actually a synonym for "always"?

It is.  You'll note from the documentation for current, supported
versions of the software that this has been changed and is only
supported for IDPs upgrading and making use of "legacy configuration":

