AW: disable assertion encryption by entityID
Bergmann, Clemens
clemens.bergmann at tu-darmstadt.de
Fri Sep 10 05:59:54 UTC 2021
Hi Brent,
thanks for this hint. That works flawlessly.
Best regards
Clemens (Bergmann)
--
Clemens Bergmann
Gruppe Nutzermanagement und Entwicklung
Technische Universität Darmstadt
Hochschulrechenzentrum, Alexanderstraße 2, 64289 Darmstadt
Tel. +49 6151 16 71184
http://www.hrz.tu-darmstadt.de/
> -----Original Message-----
> From: users <users-bounces at shibboleth.net> On Behalf Of Brent Putman
> Sent: Friday, September 10, 2021 01:55
> To: Shib Users <users at shibboleth.net>
> Subject: Re: disable assertion encryption by entityID
>
>
>
>
> On 9/8/21 5:21 AM, Bergmann, Clemens wrote:
>
>
> Hi,
>
>
>
> I want to disable encryption of assertions for one of our test SPs.
>
> I tried to implement it with a predicate passed as
> p:encryptAssertions-ref.
>
> Part of my configuration is below.
>
>
>
> Unfortunately I get an error stating “nested exception is
> java.lang.IllegalArgumentException: Cannot convert value of type
> 'net.shibboleth.utilities.java.support.logic.PredicateSupport$$Lambda$678/0x0000000840ee1840'
> to required type 'boolean' for property 'encryptAssertions'”
>
>
>
>
> Short answer: Instead of encryptAssertions-ref as the property name, use
> encryptAssertionsPredicate-ref instead.
>
> Use of a Predicate instance is an edge case that we don't document explicitly
> in the wiki, but do implicitly. On the doc page for that profile config:
>
> https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631694/SAML2SSOConfiguration
>
>
> we do say:
>
> "The most typical options used are described in more detail below, but not
> every obscure option is discussed. See the javadoc
> <http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration>
> for all of the possible configuration options for this profile (note
> that many of them are inherited from parent classes)."
>
> If one follows the Javadoc link and looks up the parent class hierarchy, you
> will see that the actual property setters live here:
>
> http://shibboleth.net/sites/release/java-identity-provider/4.1.4/apidocs/net/shibboleth/idp/saml/saml2/profile/config/AbstractSAML2ProfileConfiguration.html
>
> and that shows the setters for both the boolean and Predicate cases.
>
> Under the covers, most of the actual boolean setters are really just
> convenience methods for delegating to the Predicate setters with "always
> true/false" Predicates, and so the Predicates are what are actually stored and
> used at runtime.
>
>
> Thanks,
> Brent
>
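The fix described in this thread, as an added example that is not part of the original messages and not the poster's own configuration: a `relying-party.xml` fragment that keeps assertion encryption on by default and turns it off for a single test SP through `encryptAssertionsPredicate-ref`. The bean id `example.EncryptAssertionsUnlessTestSP` and the entityID `https://test-sp.example.org/shibboleth` are placeholders, and `RelyingPartyIdPredicate` and `PredicateSupport.not` are assumed to be available as in IdP 4.x.

```xml
<!-- Added example for conf/relying-party.xml (IdP 4.x).
     The bean id and the entityID below are placeholders. -->

<!-- Predicate over the ProfileRequestContext: true for every relying party
     except the listed test SP, so encryption stays the default. -->
<bean id="example.EncryptAssertionsUnlessTestSP"
      class="net.shibboleth.utilities.java.support.logic.PredicateSupport"
      factory-method="not">
    <constructor-arg>
        <bean class="net.shibboleth.idp.profile.logic.RelyingPartyIdPredicate">
            <constructor-arg>
                <list>
                    <value>https://test-sp.example.org/shibboleth</value>
                </list>
            </constructor-arg>
        </bean>
    </constructor-arg>
</bean>

<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- Fails at startup: encryptAssertions is the boolean property,
                 so Spring cannot convert the Predicate bean to 'boolean'.
            <bean parent="SAML2.SSO"
                  p:encryptAssertions-ref="example.EncryptAssertionsUnlessTestSP" />
            -->

            <!-- Works: the Predicate-typed property accepts the bean reference. -->
            <bean parent="SAML2.SSO"
                  p:encryptAssertionsPredicate-ref="example.EncryptAssertionsUnlessTestSP" />
        </list>
    </property>
</bean>
```

Listing only the test SP in the negated predicate means any SP not named there still receives encrypted assertions.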