Qualtrics integration changes

Lee Foltz foltz2 at oakland.edu
Fri Mar 16 08:27:14 EDT 2018

Here at Oakland University, Qualtrics provided us with a metadata file to
load rather than using the InCommon one.  Example: entityID="https://oakland.az1.qualtrics.com/".
It uses signing and encryption in the metadata file.
We made no changes to attribute-filter.xml or relying-party.xml.

Everything is working fine here.

On Fri, Mar 16, 2018 at 7:56 AM, Losen, Stephen C. (scl) <scl at virginia.edu>

> Hi folks,
> Qualtrics is an InCommon member and publishes their SP metadata.  We
> (Univ. of Virginia) are also an InCommon member with published IDP
> metadata, and we load the InCommon metadata aggregate into our IDP.
> We integrated our IDP with Qualtrics a year or so ago with no issues, only
> needed to add a filter to attribute-filter.xml.  I think their SP uses
> simplesamlphp.  The entityID is https://virginia.az1.qualtrics.com/...
> Recently Qualtrics asked us to integrate with a new SP whose entityID is
> https://az1.qualtrics.com .  So I modified our attribute-filter.xml to
> match the new entityID.  However, login to the new SP failed on the SP side
> after successful login to our IDP.  Qualtrics says that the assertion needs
> to be signed.
> Looking at the IDP wiki, I believe the default behavior for the SAML2
> browser profile is to sign the response and not sign the assertion.  We
> have not changed this in our relying-party.xml.
> I suggested that Qualtrics should add WantAssertionsSigned="true" to their
> metadata, but the InCommon metadata management form does not appear to
> allow that.
> Now it looks like I need to put an override in relying-party.xml which I
> would prefer not to do.  So I am dragging my feet a bit on this, Qualtrics
> is working just fine with the old SP. I suggested that they modify their
> new SP to require signed responses, not assertions.
> Looking at the InCommon metadata file, it appears that Qualtrics has
> integrated with a large number of higher eds.  So this change will impact a
> large number of their customers if they insist on signed assertions.
> In case I am forced to add an override for Qualtrics to our
> relying-party.xml, has anyone else done this already? I obviously need to
> sign assertions, but do I need to explicitly not sign responses?
> Thanks,
> Stephen C. Losen
> ITS - Systems and Storage
> University of Virginia
> scl at virginia.edu    434-924-0640
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net

Lee Foltz
Oakland University - UTS
Senior Identity Systems Engineer
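
The thread turns on where the IdP places its signature (response versus assertion) and on what the SP metadata declares (WantAssertionsSigned, signing and encryption keys). The following is an added example, not code from either poster or from Shibboleth or Qualtrics, that compares the two. It inspects signature placement only and does not validate signatures; the sample XML and the entityID https://sp.example.org/ are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed samples (not real SP or IdP data); Signature bodies are left empty.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/">
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"/><md:KeyDescriptor use="encryption"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature/><saml:Assertion><saml:Subject/></saml:Assertion></samlp:Response>"""

def sp_requirements(metadata_xml):
    """Read what the SP metadata declares: WantAssertionsSigned and key uses."""
    sp = ET.fromstring(metadata_xml).find(".//md:SPSSODescriptor", NS)
    return {
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false") in ("true", "1"),
        "key_uses": {kd.get("use", "both") for kd in sp.findall("md:KeyDescriptor", NS)},
    }

def signature_placement(response_xml):
    """Report which elements of a decoded SAML Response carry a ds:Signature child."""
    resp = ET.fromstring(response_xml)
    assertions = resp.findall("saml:Assertion", NS)
    return {
        "response_signed": resp.find("ds:Signature", NS) is not None,
        "assertions": len(assertions),
        "assertions_signed": sum(a.find("ds:Signature", NS) is not None for a in assertions),
        "encrypted_assertions": len(resp.findall("saml:EncryptedAssertion", NS)),
    }

def meets_sp_requirement(metadata_xml, response_xml):
    """Return (True/False/None, reason); None means the assertion is opaque (encrypted)."""
    req, seen = sp_requirements(metadata_xml), signature_placement(response_xml)
    if not req["want_assertions_signed"]:
        return True, "metadata does not ask for signed assertions"
    if seen["encrypted_assertions"]:
        return None, "assertion is encrypted; decrypt before checking its signature"
    ok = seen["assertions"] > 0 and seen["assertions_signed"] == seen["assertions"]
    return ok, "every assertion signed" if ok else "response-level signature only"

if __name__ == "__main__":
    print(signature_placement(SAMPLE_RESPONSE), meets_sp_requirement(SAMPLE_METADATA, SAMPLE_RESPONSE))
```
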
