Help Needed: Shibboleth SP handling of 'Recipient' SAML Attribute
Amit Dongaonkar
amitd at nitssolutions.com
Tue Jun 30 14:24:22 UTC 2020
Hi Scott and Nate,
Thanks for the prompt responses.
I agree that as per the standards the 'Destination' attribute should be
provided, but I am dealing with an IdP that is not very open to changes.
I will, however, follow this up with them.
Thanks again.
Thanks and Regards,
*Amit Dongaonkar*
*Snr. Technical Architect Lead*
o: (248) 284-4035 m: (248) 385-6033
40850 Grand River Ave #100, Novi, MI 48375
www.nitssolutions.com
On Mon, Jun 29, 2020 at 7:01 PM Nate Klingenstein <ndk at signet.id> wrote:
> Right, sorry, I was looking at the recipient attribute of the
> EncryptedAssertion element rather than the decrypted assertion. Is there a
> reason why that's the entityID rather than the ACS?
>
> e.g.
>
> <xenc:EncryptedKey Id="_bc87633cd07b3a990ce52517e20661fe" Recipient="https://samltest.id/saml/sp" ...
>
> Thanks for the catch,
> Nate.
>
> --------
> Signet, Inc.
> The Art of Access ®
>
> https://www.signet.id
>
>
> -----Original message-----
> > From: Cantor, Scott
> > Sent: Monday, June 29 2020, 4:45 pm
> > To: Shib Users
> > Subject: Re: Help Needed: Shibboleth SP handling of 'Recipient' SAML Attribute
> >
> > On 6/29/20, 6:38 PM, "users on behalf of Nate Klingenstein" <users-bounces at shibboleth.net on behalf of ndk at signet.id> wrote:
> >
> > > Assuming you mean in a Response and Assertion, the destination and recipient attributes are intended to allow the SP
> > > to interpret how to process the response and to ensure it was made for it and not another SP. The recipient should be
> > > the entityID and the destination should be the ACS URL.
> >
> > They are both set to the ACS URL in the profile.
> >
> > The only odd thing about the Shibboleth software is that it doesn't look at Destination unless the message is signed, since there's no point in doing so. It requires Destination when messages are signed because that's what the standard says.
> >
> > -- Scott
> >
> >
> > --
> > For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> > To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> >
>
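The Destination and Recipient handling described in the quoted replies, sketched as an added example (not part of the thread and not Shibboleth's own code): Destination is examined only when the Response carries a signature, and the bearer Recipient is compared with the ACS URL. The URLs and function names are constructed for illustration, and signature verification and assertion decryption are assumed to have been done before these checks.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def check_addressing(response_xml, acs_url):
    """Return a list of addressing problems; an empty list means the checks pass."""
    # Assumption: the signature was already verified and any EncryptedAssertion
    # already decrypted; this function only looks at the addressing attributes.
    root = ET.fromstring(response_xml)
    problems = []
    # Destination is examined only when the Response itself is signed.
    if root.find("ds:Signature", NS) is not None:
        dest = root.get("Destination")
        if dest is None:
            problems.append("signed Response has no Destination")
        elif dest != acs_url:
            problems.append(f"Destination {dest!r} is not this ACS")
    # Recipient sits on the bearer SubjectConfirmationData inside the assertion.
    recipients = [
        scd.get("Recipient")
        for sc in root.iterfind(".//saml:SubjectConfirmation", NS)
        if sc.get("Method") == BEARER
        for scd in sc.iterfind("saml:SubjectConfirmationData", NS)
    ]
    if acs_url not in recipients:
        problems.append(f"no bearer confirmation with Recipient {acs_url!r}")
    return problems

def sample_response(destination, recipient, signed):
    # Constructed message, trimmed to the elements the checks read.
    dest_attr = f' Destination="{destination}"' if destination else ""
    sig = "<ds:Signature/>" if signed else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' xmlns:ds="{NS["ds"]}"{dest_attr}>{sig}<saml:Assertion><saml:Subject>'
        f'<saml:SubjectConfirmation Method="{BEARER}">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )

ACS = "https://sp.example.org/Shibboleth.sso/SAML2/POST"  # constructed ACS URL
if __name__ == "__main__":
    print(check_addressing(sample_response(None, ACS, signed=True), ACS))
```
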