Qualtrics integration changes

Cantor, Scott cantor.2 at osu.edu
Fri Mar 16 08:23:59 EDT 2018

> I suggested that Qualtrics should add WantAssertionsSigned="true" to their
> metadata, but the InCommon metadata management form does not appear to
> allow that.

It's something that usually demonstrates a non-compliant SAML SP, so I at least advised them that it was possibly going to incent bad behavior to start allowing it. That doesn't inherently mean it's a bad idea but it was something to consider.

> In case I am forced to add an override for Qualtrics to our relying-party.xml,
> has anyone else done this already? I obviously need to sign assertions, but do I
> need to explicitly not sign responses?

Once an SP is broken, there is no way to a priori know how broken it actually is. This presumes Qualtrics has no *actual* reason to be requiring them to be signed that is independent of the profile, such as an auditor saying something that they somehow translated into "they have to be signed".

-- Scott

More information about the users mailing list