encryptNameIDs default for SAML2.SSO

Cantor, Scott cantor.2 at osu.edu
Wed Oct 20 22:59:08 UTC 2021

On 10/20/21, 5:34 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:

> I'm assuming it's true but I don't see it mentioned in the profiles in the documentation.

A search will turn it up, I found it immediately.

> It's one of the common settings we have for relying party exceptions

That is unheard of, not common. You're confusing Assertion encryption with NameID encryption.

> Also, isn't the logic of:
>    encryptionOptional="false" - Whether to automatically disable encryption if the relying party does not possess a suitable key
> reversed? The default setting allows for SPs with or without keys, so encryption is optional by default but the value is false.

The default is false, which makes encryption required and the lack of a key fatal, as it was in V2. Setting it to true makes it optional and conditional on the presence of a key, allowing it to be hands-off for the most part if you trust your metadata sources, which you have to do anyway.

-- Scott
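As an added illustration (not part of Scott's reply and not a file from the Shibboleth project's documentation), the fragment below shows how the two settings discussed in this thread appear in an IdP relying-party.xml: the default relying party leaves encryptionOptional at its false default, so an SP with no usable encryption key in metadata fails rather than receiving a plaintext assertion, while a per-SP override sets it to true and also sets the separate assertion and NameID encryption switches explicitly. The entity ID is a constructed placeholder; the property names encryptAssertions, encryptNameIDs and encryptionOptional are the SAML2.SSO profile settings, and the bean layout follows the IdP's standard Spring-based relying-party.xml structure.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example fragment; not the page's or the project's own file. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Default relying party: encryptionOptional is not set, so it stays
         false. Encryption is required and an SP whose metadata carries no
         suitable encryption key gets an error instead of a plaintext
         assertion. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" />
            </list>
        </property>
    </bean>

    <util:list id="shibboleth.RelyingPartyOverrides">
        <!-- Override for a single SP (the entityID is a constructed placeholder).
             encryptionOptional="true": encryption still happens whenever the SP
             publishes a key, but a missing key now downgrades to an unencrypted
             assertion instead of failing. That is only reasonable when the
             metadata source itself is trusted.
             encryptAssertions and encryptNameIDs are independent switches;
             they are set explicitly here so the difference between assertion
             encryption and NameID encryption is visible in the configuration. -->
        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO"
                          p:encryptionOptional="true"
                          p:encryptAssertions="true"
                          p:encryptNameIDs="false" />
                </list>
            </property>
        </bean>
    </util:list>
</beans>
```

When reviewing a deployment, the thing to check is that encryptionOptional="true" appears only on overrides for SPs whose metadata you control or obtain from a trusted federation feed, since with that setting a metadata entry that merely omits the encryption key is enough to turn assertion encryption off for that SP.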
