Reward Gateway - IdP initiated SSO - UnsolicitedSSO

Lipscomb, Gary glipscomb at csu.edu.au
Mon Feb 19 20:39:05 EST 2018


I've got it working now by adding a relying-party override which includes

                <list>
                    <bean parent="SAML2.SSO"  p:encryptAssertions="false"
                                              p:signAssertions="true" />
                </list>

 Now the fight to not use IdP initiated and use SP initiated.


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Tom Scavo
Sent: Tuesday, 20 February 2018 11:21 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Reward Gateway - IdP initiated SSO - UnsolicitedSSO

On Mon, Feb 19, 2018 at 6:44 PM, Lipscomb, Gary <glipscomb at csu.edu.au> wrote:
>
> Not at the moment. I'm trying to make as little change as possible.

If the SP supports encryption (which many don't), they would include
an encryption certificate in their metadata. Since they haven't, I
conclude they don't support encryption.

> I thought
>         AuthnRequestsSigned="false" WantAssertionsSigned="true"
> In the SP metadata would have handled this.

You're confusing signing and encryption. Both of the above attributes
say something about signing. OTOH, support for inbound encryption at
the SP is determined by the presence (or absence) of an encryption
certificate in SP metadata. The IdP uses that certificate to encrypt
the assertion.

Tom

> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Tom Scavo
> Sent: Tuesday, 20 February 2018 10:35 AM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Reward Gateway - IdP initiated SSO - UnsolicitedSSO
>
> Hi Gary,
>
> On Mon, Feb 19, 2018 at 6:11 PM, Lipscomb, Gary <glipscomb at csu.edu.au> wrote:
>>
>> Has anyone got unsolicited SSO working with Reward Gateway (RG)? Their metadata contains no X.509 certificate [1]
>
> That implies no encryption. Have you disabled XML encryption for this
> relying party?
>
> Tom
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
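Added example, not part of the original thread or of the Shibboleth project's code: a Python check that reads SP metadata and reports the two signing attributes separately from whether any encryption-capable KeyDescriptor is present, which is the distinction drawn in the reply above. The sample metadata, entity ID, placeholder certificate and helper names are constructed for illustration, and idp_profile_settings is a hypothetical helper that only mirrors the two properties used in the override.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample: an SP that publishes no KeyDescriptor at all,
# carrying the two signing attributes quoted in the thread.
SP_NO_KEYS = f"""
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/no-keys">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the same SP, now advertising an encryption key.
ENC_KEY = ('<md:KeyDescriptor use="encryption"><ds:KeyInfo '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>'
           '<ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>'
           '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SP_WITH_ENC_KEY = SP_NO_KEYS.replace(
    "<md:AssertionConsumerService", ENC_KEY + "<md:AssertionConsumerService", 1)

def _flag(value):
    return (value or "false").strip().lower() in ("true", "1")

def sp_capabilities(metadata_xml):
    """Report what an SP's metadata says about signing and about encryption."""
    root = ET.fromstring(metadata_xml)  # input here is local, constructed XML
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    # A KeyDescriptor with no 'use' attribute is valid for both purposes.
    uses = [kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)]
    return {
        "authn_requests_signed": _flag(sp.get("AuthnRequestsSigned")),
        "want_assertions_signed": _flag(sp.get("WantAssertionsSigned")),
        "signing_keys": sum(u in (None, "signing") for u in uses),
        "encryption_keys": sum(u in (None, "encryption") for u in uses),
    }

def idp_profile_settings(caps):
    """Hypothetical helper: values for the two properties in the override."""
    return {
        "encryptAssertions": caps["encryption_keys"] > 0,
        "signAssertions": caps["want_assertions_signed"],
    }
```

For the metadata shape described in the thread (signing attributes set, no certificate), the result matches the posted override: encryptAssertions false, signAssertions true.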