metadata-support - Re: [Metadata-Support] support for WantAssertionsSigned in FM
Subject: InCommon metadata support
- From: Nick Roy <>
- To: "" <>
- Subject: Re: [Metadata-Support] support for WantAssertionsSigned in FM
- Date: Sat, 14 Apr 2018 03:30:39 +0000
After consulting with the Ops Advisory Group about Qualtrics' request
(they asked us to support this), it became apparent that this would
violate the MUST about support for signed assertions or responses in the
SAML 2 Web Browser SSO profile (with errata):
https://www.oasis-open.org/committees/download.php/22389/sstc-saml-profiles-errata-2.0-wd-07-diff.pdf
It was strongly recommended that we not support this metadata element.
Nick
On 4/13/18 4:01 PM, Andrew Morgan wrote:
> I'm working with a vendor (Qualtrics) that wants me to sign assertions in
> SAML responses. The Shibboleth IDP default is to sign responses, not
> assertions. I can override this in relying-party.xml easily, but I'd
> prefer to avoid customizing my config. The Shibboleth wiki says:
>
> If you need to enable the signAssertions option, and you control the
> SP's metadata, you should generally add the WantAssertionsSigned flag to
> it in place of using this option.
>
> Is there any plan to support WantAssertionsSigned in the Federation
> Manager? Qualtrics is an InCommon member, and I get their metadata from
> the InCommon aggregate.
>
> Thanks,
> Andy Morgan
> Systems Administrator, Identity & Access Management
> Information Services | Oregon State University
> 541-737-8877 | is.oregonstate.edu
>
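The thread turns on whether an SP's metadata carries `WantAssertionsSigned`. The following is an added example, not part of the original messages and not Shibboleth or InCommon code: it lists which SPs in a metadata document set that attribute, so an IdP operator can see where a local signing override would still be needed. The entityIDs and the trimmed sample metadata are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample (not from any real aggregate); required child elements
# such as AssertionConsumerService are omitted to keep it short.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
    <md:SPSSODescriptor WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.org/shibboleth">
    <md:SPSSODescriptor WantAssertionsSigned="1"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def xs_boolean(value, default=False):
    """Parse an xs:boolean lexical value; an absent attribute yields default."""
    if value is None:
        return default
    v = value.strip()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {value!r}")

def sps_wanting_signed_assertions(metadata_xml):
    """Map each SP entityID to whether any SPSSODescriptor asks for signed assertions."""
    # For metadata from an untrusted source, verify its signature first and
    # parse with a hardened parser such as defusedxml.
    root = ET.fromstring(metadata_xml)
    result = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        eid = entity.get("entityID")
        for sp in entity.findall(f"{{{MD_NS}}}SPSSODescriptor"):
            wants = xs_boolean(sp.get("WantAssertionsSigned"))  # schema default: false
            result[eid] = result.get(eid, False) or wants
    return result
```

Entities without an `SPSSODescriptor` (the IdP in the sample) are left out of the result, and a malformed attribute value raises rather than being silently treated as false.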