Exported From Confluence, Thu, 28 Mar 2024
File(s): conf/relying-party.xml
Format: Native Spring
The SAML1.AttributeQuery profile configuration bean enables support for the SAML 1.1 Attribute Query profile over SOAP. It was historically used to support Shibboleth SP software that understood how to supplement SAML 1.1 SSO with queries in order to improve attribute confidentiality. It is rarely needed any longer.
By default, the IdP will only respond to queries containing NameIdentifiers that it understands how to reverse-map into user identities, and it will not do so out of the box for anything but transient identifiers issued by it. Nevertheless, it should be disabled if not in use.
The most typical options used are described in more detail below, but not every obscure option is discussed. See the javadoc for all of the possible configuration options for this profile (note that many of them are inherited from parent classes).
Virtually all the configuration options below can be set via two different properties: a static property that explicitly sets the value to use and a lookup strategy or predicate property that takes a Function or Predicate and returns the value to use. The dynamic property is generally named "propertyNamePredicate" or "propertyNameLookupStrategy" for Boolean- and non-Boolean-valued properties respectively.
The default value of signResponses for this profile is an extended form of the behavior that was referred to in V2 as "conditional". It signs only if TLS isn't used (very unusual) or if the receiving port is 443. It assumes that traffic over 443 will be relying on message-based security measures, whereas traffic to an alternative TLS port like 8443 will be relying on mutual authentication and thus provide a secure channel.
Since SAML 1.1 does not support XML Encryption, all data is in plaintext, and therefore use of message-based security is not advisable.