Help Needed: Shibboleth SP handling of 'Recipient' SAML Attribute

Nate Klingenstein ndk at signet.id
Mon Jun 29 23:01:25 UTC 2020


Right, sorry, I was looking at the recipient attribute of the EncryptedAssertion element rather than the decrypted assertion.  Is there a reason why that's the entityID rather than the ACS?

e.g.

<xenc:EncryptedKey Id="_bc87633cd07b3a990ce52517e20661fe" Recipient="https://samltest.id/saml/sp" ...

Thanks for the catch,
Nate.

--------
Signet, Inc.
The Art of Access ®

https://www.signet.id
 
 
-----Original message-----
> From: Cantor, Scott
> Sent: Monday, June 29 2020, 4:45 pm
> To: Shib Users
> Subject: Re: Help Needed: Shibboleth SP handling of 'Recipient' SAML Attribute
> 
> On 6/29/20, 6:38 PM, "users on behalf of Nate Klingenstein" <users-bounces at shibboleth.net on behalf of ndk at signet.id> wrote:
> 
> > Assuming you mean in a Response and Assertion, the destination and recipient attributes are intended to allow the SP
> > to interpret how to process the response and to ensure it was made for it and not another SP.  The recipient should be
> > the entityID and the destination should be the ACS URL.
> 
> They are both set to the ACS URL in the profile.
> 
> The only odd thing about the Shibboleth software is that it doesn't look at Destination unless the message is signed, since there's no point in doing so. It requires Destination when messages are signed because that's what the standard says.
> 
> -- Scott
> 
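
Added example, not part of the thread and not Shibboleth SP code: a sketch of the addressing checks discussed above, with Destination enforced only on signed messages, SubjectConfirmationData Recipient compared to the ACS URL, and the EncryptedKey Recipient compared to the entityID as in Nate's snippet. The ACS URL, function names and sample document are assumptions constructed for illustration; signature verification and decryption are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XENC = "http://www.w3.org/2001/04/xmlenc#"

# entityID as quoted in the thread; the ACS URL is a hypothetical placeholder.
SP_ENTITY_ID = "https://samltest.id/saml/sp"
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"

def sample_response(destination, scd_recipient, key_recipient):
    """Constructed skeleton: the decrypted Assertion sits beside the
    EncryptedKey only so that one document carries all three attributes."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="{SAML}" xmlns:xenc="{XENC}" Destination="{destination}">
      <saml:EncryptedAssertion><xenc:EncryptedData/>
        <xenc:EncryptedKey Recipient="{key_recipient}"/>
      </saml:EncryptedAssertion>
      <saml:Assertion><saml:Subject><saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="{scd_recipient}"/>
      </saml:SubjectConfirmation></saml:Subject></saml:Assertion>
    </samlp:Response>"""

def check_addressing(xml_text, message_signed,
                     entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL):
    """Return a list of addressing problems; an empty list means none found."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination is required and compared only when the message is signed.
    if message_signed:
        dest = root.get("Destination")
        if dest is None:
            problems.append("Destination missing on signed message")
        elif dest != acs_url:
            problems.append(f"Destination {dest!r} is not our ACS URL")
    # Recipient inside the assertion must be the ACS URL.
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        if scd.get("Recipient") != acs_url:
            problems.append(f"SubjectConfirmationData Recipient "
                            f"{scd.get('Recipient')!r} is not our ACS URL")
    # Recipient on the key wrapper is treated here as an entityID hint.
    for key in root.iter(f"{{{XENC}}}EncryptedKey"):
        rcpt = key.get("Recipient")
        if rcpt is not None and rcpt != entity_id:
            problems.append(f"EncryptedKey Recipient {rcpt!r} is not our entityID")
    return problems

if __name__ == "__main__":
    doc = sample_response(SP_ACS_URL, SP_ENTITY_ID, SP_ENTITY_ID)
    print(check_addressing(doc, message_signed=True))
```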

