nameid-format:unspecified for relying party

Phil Pishioneri pgp at
Tue Jul 3 18:44:59 EDT 2018

On 7/2/18 7:13 PM, Cantor, Scott wrote:
> It claims to allow encryption but the metadata is spits out has no key, so I don't know if it starts spitting one out if you check the encrypt assertions box or what. I suppose it must.

We happen to be adding ArcGIS to our Shib IdP, too.

I tried enabling 'Encrypt Assertions' -- the metadata their config then
generates includes an encryption certificate (that's the only difference
I see with the box checked vs. not). However, their SP didn't like
getting the encrypted assertion (error: "Unable to login using Idp
Unable to validate SAML response"). And disabling encryption via
relying-party.xml (while the encryption box is still checked) works, so
they're not enforcing encryption when you ask for it.

I've had to disable encryption for now while awaiting an answer from the
vendor (to the question: why does their document show that you can
enable assertion encryption, then farther down tell you to explicitly
disable it?).


More information about the users mailing list