So, there has been a proposal to change the default setting to NOT
encrypt NameIDs (but to continue to encrypt the Assertion). Is anyone
currently relying on this default behavior such that changing it would
cause some sort of major issue for you?
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch
I couldn't find anything on:
https://spaces.internet2.edu/display/SHIB2/SAML2StringNameIDEncoder
where I would have suspected to find something :)
The reason why I ask is that SimpleSAML currently cannot handle
encrypted nameids. Therefore, it would be great if we could turn off
encryption even before the next release :)
One more question regarding this: I assume that changing this (default)
setting doesn't require metadata or something else to be changed on the
SP side, right?
Cheers
Lukas
--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
lukas.h...@switch.ch, http://www.switch.ch
checking the archives:
* Peter Schober <peter....@univie.ac.at> [2008-07-25 18:25]:
> * sanket....@gmail.com <sanket....@gmail.com> [2008-07-25 17:45]:
> > We have a Service Provider that accepts unencrypted assertions only.
> > My IDP is sending the response with <saml:EncryptedAssertion>.
> > Please let me know what I should change to make this saml response
> > go with <saml:Assertion>
>
> Add a RelyingParty element to conf/relying-party.xml with a profile
> configuration where encryptAssertions="never" (and possibly
> encryptNameIds="never", since I'd expect them to not like those
> either).
>
> https://spaces.internet2.edu/display/SHIB2/IdPXMLSigEnc
or
* Peter Schober <peter....@univie.ac.at> [2008-09-27 00:22]:
> * Russell Beall <be...@usc.edu> [2008-09-26 20:39]:
> > It will be nice to separate off this unusual SP.
>
> Just add another RelyingParty element with an empty
> ProfileConfiguration element, overriding the defaults as needed, e.g.
>
> <RelyingParty id="https://some-sp.example.edu/shibboleth"
>               provider="https://your-idp.example.edu/shibboleth"
>               defaultSigningCredentialRef="IdPCredential">
>     <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
>                           encryptAssertions="never"
>                           encryptNameIds="never" />
> </RelyingParty>
>
> See https://spaces.internet2.edu/display/SHIB2/IdPXMLSigEnc or the
> default conf/relying-party.xml for more.
cheers,
-peter
--
peter....@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
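A quick way to confirm what a given relying-party override actually produces is to look at the SAML Response the IdP sends (e.g. captured with a browser SAML tracer) and check whether the Assertion and the NameID inside it are in the clear. The script below is an added example for this thread, not code from Shibboleth or SimpleSAMLphp; the three sample responses are constructed to mirror the cases discussed (encrypted assertion, decrypted assertion still carrying an EncryptedID, fully plaintext), and the xenc contents are placeholders rather than real ciphertext. Note that when the whole assertion is encrypted you cannot tell from the wire whether the NameID is encrypted too without the SP's decryption key.

```python
"""Check whether a SAML 2.0 Response carries its Assertion and NameID in the
clear or encrypted, to see what the IdP emits for an SP before and after
changing encryptAssertions / encryptNameIds in relying-party.xml.

Added example for this thread, not code from Shibboleth or SimpleSAMLphp.
The sample responses are constructed; xenc contents are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def inspect_response(xml_text):
    """Return {'assertion': [...], 'nameid': [...]}, one entry per assertion.

    assertion: 'encrypted' (saml:EncryptedAssertion) or 'plain' (saml:Assertion)
    nameid:    'encrypted' (saml:EncryptedID), 'plain' (saml:NameID), 'absent',
               or 'unknown' when the whole assertion is encrypted and the
               Subject cannot be seen without the SP's decryption key.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)

    report = {"assertion": [], "nameid": []}
    for child in root:
        if child.tag == "{%s}EncryptedAssertion" % NS["saml"]:
            report["assertion"].append("encrypted")
            report["nameid"].append("unknown")
        elif child.tag == "{%s}Assertion" % NS["saml"]:
            report["assertion"].append("plain")
            subject = child.find("saml:Subject", NS)
            if subject is None:
                report["nameid"].append("absent")
            elif subject.find("saml:EncryptedID", NS) is not None:
                report["nameid"].append("encrypted")
            elif subject.find("saml:NameID", NS) is not None:
                report["nameid"].append("plain")
            else:
                report["nameid"].append("absent")
    return report


def usable_by_plaintext_only_sp(xml_text):
    """True only if an SP that handles neither EncryptedAssertion nor
    EncryptedID (the SimpleSAML case in the thread) would accept it."""
    r = inspect_response(xml_text)
    return (bool(r["assertion"])
            and all(a == "plain" for a in r["assertion"])
            and all(n == "plain" for n in r["nameid"]))


# --- constructed samples (not real IdP output) --------------------------

def _response(body):
    """Wrap one assertion element in a minimal, well-formed samlp:Response."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:xenc="%s" '
        'ID="_r1" Version="2.0" IssueInstant="2008-10-01T12:00:00Z">'
        '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '%s</samlp:Response>' % (NS["samlp"], NS["saml"], NS["xenc"], body)
    )

# Placeholder xenc:EncryptedData; real ciphertext would sit in CipherValue.
_XENC = ('<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">'
         '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue>'
         '</xenc:CipherData></xenc:EncryptedData>')


def _assertion(subject_child):
    return ('<saml:Assertion ID="_a1" Version="2.0" '
            'IssueInstant="2008-10-01T12:00:00Z">'
            '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
            '<saml:Subject>%s</saml:Subject></saml:Assertion>' % subject_child)

# Default profile: the whole assertion is encrypted, NameID state not visible.
ENCRYPTED_ASSERTION = _response(
    '<saml:EncryptedAssertion>%s</saml:EncryptedAssertion>' % _XENC)
# What the SP sees after decrypting the assertion while NameID encryption is on.
ENCRYPTED_NAMEID = _response(
    _assertion('<saml:EncryptedID>%s</saml:EncryptedID>' % _XENC))
# encryptAssertions="never" encryptNameIds="never" for this relying party.
PLAIN = _response(_assertion(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    '_abc123</saml:NameID>'))

if __name__ == "__main__":
    for name, xml in (("encrypted assertion", ENCRYPTED_ASSERTION),
                      ("encrypted NameID", ENCRYPTED_NAMEID),
                      ("plain", PLAIN)):
        print(name, inspect_response(xml), usable_by_plaintext_only_sp(xml))
```

Run it against a real captured Response instead of the constructed samples to see which of the two profile settings is still biting a given SP: an `EncryptedID` under a plain `Assertion` means `encryptNameIds` is still in effect for that relying party.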
This has always been possible, and has been discussed on both the
simplesamlphp list and here a few times.
> One more question regarding this: I assume that changing this (default)
> setting doesn't require metadata or something else to be changed on the
> SP side, right?
adjusting your saml:SAML2SSOProfile profile configuration is enough.
Can this also be turned off for the currently deployed 2.x IdPs? If so,
what configuration option has to be toggled :)
I added another RelyingParty and it indeed seems to work now also with
SimpleSAML. Thanks (also to Peter) :)