Help Needed: Shibboleth SP handling of 'Recipient' SAML Attribute

Nate Klingenstein ndk at
Mon Jun 29 23:01:25 UTC 2020

Right, sorry, I was looking at the recipient attribute of the EncryptedAssertion element rather than the decrypted assertion.  Is there a reason why that's the entityID rather than the ACS?


<xenc:EncryptedKey Id="_bc87633cd07b3a990ce52517e20661fe" Recipient="" ...

Thanks for the catch,

Signet, Inc.
The Art of Access ®
-----Original message-----
> From: Cantor, Scott
> Sent: Monday, June 29 2020, 4:45 pm
> To: Shib Users
> Subject: Re: Help Needed: Shibboleth SP handling of 'Recipient' SAML Attribute
> On 6/29/20, 6:38 PM, "users on behalf of Nate Klingenstein" <users-bounces at on behalf of ndk at> wrote:
> > Assuming you mean in a Response and Assertion, the destination and recipient attributes are intended to allow the SP
> > to interpret how to process the response and to ensure it was made for it and not another SP.  The recipient should be
> > the entityID and the destination should be the ACS URL.
> They are both set to the ACS URL in the profile.
> The only odd thing about the Shibboleth software is that it doesn't look at Destination unless the message is signed, since there's no point in doing so. It requires Destination when messages are signed because that's what the standard says.
> -- Scott
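The addressing checks from Scott Cantor's reply (Destination and Recipient both carry the ACS URL; Destination is consulted only when the message is signed, and is then required), as an added Python example that is not Shibboleth SP code and not from the thread. It assumes the assertion has already been decrypted and treats a `ds:Signature` child of the Response as "signed"; `ACS_URL`, `ENTITY_ID`, `check_addressing` and `sample` are constructed names and values for a hypothetical SP.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Constructed values for a hypothetical SP; neither appears in the thread.
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
ENTITY_ID = "https://sp.example.org/shibboleth"

def check_addressing(response_xml, acs_url):
    """Return a list of addressing problems (empty list = accepted)."""
    root = ET.fromstring(response_xml)
    problems = []
    # Assumption: a ds:Signature child of the Response means "message is signed";
    # verifying that signature is a separate step not shown here.
    signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")
    if signed and destination is None:
        problems.append("signed Response has no Destination")
    elif signed and destination != acs_url:
        problems.append("Destination is not this SP's ACS URL")
    # Unsigned message: Destination is not consulted at all.
    recipients = [scd.get("Recipient") for scd in
                  root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if not recipients:
        problems.append("no SubjectConfirmationData found")
    for recipient in recipients:
        if recipient != acs_url:
            problems.append(f"Recipient {recipient!r} is not this SP's ACS URL")
    return problems

def sample(destination, recipient, signed):
    """Build a constructed, already-decrypted Response for the checks above."""
    dest = f' Destination="{destination}"' if destination else ""
    sig = "<ds:Signature/>" if signed else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}"{dest}>{sig}<saml:Assertion><saml:Subject>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>"
    )

if __name__ == "__main__":
    print(check_addressing(sample(ACS_URL, ACS_URL, True), ACS_URL))
    print(check_addressing(sample(None, ENTITY_ID, True), ACS_URL))
```

An IdP that puts the SP's entityID in the assertion's `Recipient` is reported by the last loop, whether or not the message is signed.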