Subject c14n on initial AuthnRequest
Herron, Joel D
herronj at uww.edu
Tue Nov 17 18:21:06 UTC 2020
Thanks Scott,
I think we have the same vendor, JumpForward. I assumed they were misappropriating that feature. They told me they would be putting the ability to drop it into a future sprint, for what that's worth.
If I wanted (forced) to support it, where should I be looking to do so?
--Joel
On 11/17/20, 12:05 PM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:
On 11/17/20, 12:56 PM, "users on behalf of Herron, Joel D" <users-bounces at shibboleth.net on behalf of herronj at uww.edu> wrote:
> I have a vendor SP that is sending me a SAML Subject assertion on the initial AuthnRequest. I’ve never seen this before
> from an SP and we don’t have a flow set up to support this. Is this a common thing for an SP to do and should I enable
> support for this? Currently, I’ve requested the vendor to support turning this feature off in their SP.
s/assertion/element
First one I ever ran into was a few weeks ago. I begged them to stop, but it didn't help and I had little choice, it was a fairly high profile case and they weren't exactly doing anything "wrong", so I couldn't say much.
It's not perfect because without custom code there are a lot of edge cases that still won't work. I have a bug open to add some case folding support to the OOB flow so it's more palatable to live with it, and we're limping along and the vendor made some adjustments to lowercase the email addresses they were feeding me to limit the problems for now.
What they're doing is not what they think they're doing. The element in SAML is NOT a hint, and it's not meant for use during SSO, it was put there for other use cases.
-- Scott
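
To check whether an SP is sending a Subject at all, the AuthnRequest can be decoded and inspected. The following is an added example, not part of the original thread and not Shibboleth code; the sample request, the function names and the comparison rule are assumptions for illustration, and it also covers the HTTP-Redirect encoding (base64 plus raw DEFLATE), which the thread does not mention.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AuthnRequest carrying a <saml:Subject>. All values are made up.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2020-11-17T18:00:00Z">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@Example.edu</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""


def decode_redirect_param(saml_request):
    """Undo the HTTP-Redirect binding encoding: base64, then raw DEFLATE."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def requested_subject(authn_request_xml):
    """Return (Format, value) of the NameID in the request's Subject, or None."""
    # Stdlib parser keeps this self-contained; use a hardened parser (e.g. defusedxml) on untrusted input.
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None
    return name_id.get("Format"), (name_id.text or "").strip()


def subject_matches(requested, authenticated, fold_case=False):
    """Assumed comparison rule: exact match, or case-insensitive when fold_case is set."""
    if fold_case:
        return requested.casefold() == authenticated.casefold()
    return requested == authenticated


if __name__ == "__main__":
    fmt, value = requested_subject(SAMPLE_REQUEST)
    print(fmt, value, subject_matches(value, "jane.doe@example.edu"))
```

With the constructed input, an exact comparison of the mixed-case address against a lowercase identifier fails while the case-folded one succeeds, which is the kind of edge case the reply above describes.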