encryptNameIDs default for SAML2.SSO
cantor.2 at osu.edu
Wed Oct 20 22:59:08 UTC 2021
On 10/20/21, 5:34 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:
> I'm assuming it's true but I don't see it mentioned in the profiles in the documentation.
A search will turn it up, I found it immediately.
> It's one of the common settings we have for relying party exceptions
That is unheard of, not common. You're confusing Assertion encryption with NameID encryption.
> Also, isn't the logic of:
> encryptionOptional="false" - Whether to automatically disable encryption if the relying party does not
> possess a suitable key
> reversed? The default setting allows for SPs with or without keys, so encryption is optional by default but the
> value is false.
The default is false, which makes encryption required and the lack of a key fatal, as it was in V2. Setting it to true makes it optional and conditional on the presence of a key, allowing it to be hands-off for the most part if you trust your metadata sources, which you have to do anyway.
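The settings under discussion, shown as a relying-party.xml fragment for the Shibboleth IdP. This is an added illustration, not configuration from the original message or from the Shibboleth project; it assumes the standard Spring "p:" and "c:" namespace declarations present in the shipped relying-party.xml, and the SP entityID https://sp.example.org/shibboleth is a placeholder. Every flag is set explicitly rather than relying on defaults, since the message only states the default for encryptionOptional (false, i.e. encryption required and a missing key fatal).

```xml
<!-- Default relying-party configuration applied to every SP. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!--
              encryptAssertions: encrypt the Assertion element (what most
              "exceptions" for SPs actually turn off).
              encryptNameIDs: encrypt the NameID separately; distinct from
              assertion encryption and set here explicitly.
              encryptionOptional="false": encryption is required, so an SP
              whose metadata carries no usable encryption key causes the
              request to fail rather than fall back to cleartext.
            -->
            <bean parent="SAML2.SSO"
                  p:encryptAssertions="true"
                  p:encryptNameIDs="false"
                  p:encryptionOptional="false" />
        </list>
    </property>
</bean>

<!--
  Variant of the default profile if you prefer the "hands-off" behaviour:
  encryptionOptional="true" keeps encryption on whenever the SP's metadata
  supplies a key and silently omits it otherwise, so trustworthy metadata
  sources are a precondition. Use in place of the bean above, not alongside it.

  <bean parent="SAML2.SSO"
        p:encryptAssertions="true"
        p:encryptNameIDs="false"
        p:encryptionOptional="true" />
-->

<!-- Per-SP override: the usual shape of a relying-party exception, which
     disables assertion encryption for one entityID (placeholder value). -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:encryptAssertions="false" />
            </list>
        </property>
    </bean>
</util:list>
```

With encryptionOptional left at false, a quick check before onboarding an SP is to confirm its metadata contains a KeyDescriptor usable for encryption (use="encryption" or no use attribute); if it does not, the SSO profile will fail for that SP until either a key is published or an override like the one above is added.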