Versions Compared

Comment: Typo in example (encryptNameIDs vs encryptNameIds)

...

  • the attribute defaultSigningCredentialRef located on a RelyingParty element
  • the attribute signingCredentialRef located on a ProfileConfiguration element
    As you may have guessed, the defaultSigningCredentialRef attribute specifies a default signing credential for every profile configuration contained within the RelyingParty, while the signingCredentialRef attribute specifies a signing credential only for the ProfileConfiguration on which it appears; a per-profile signingCredentialRef always overrides the default signing credential if one is specified. The value for both attributes is the ID of a credential defined within the $IDP_HOME/conf/relying-party.xml file. Note: the referenced credentials MUST contain a private key, as this is what is actually used to sign the XML.

<RelyingParty id="urn:example.org" provider="http://idp.example.org" defaultSigningCredentialRef="ExampleOrgCred">
    <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" signingCredentialRef="SAML1AACred"/>
    <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
</RelyingParty>

...

  • signResponses - indicates whether response messages should be signed, permissible values: always, conditional, never (default value: conditional)
  • signAssertions - indicates whether assertions, within a message, should be signed, permissible values: always, conditional, never (default value: never)
  • signRequests - indicates whether request messages should be signed, permissible values: always, conditional, never (default value: conditional). This option is not currently used by the IdP because there is currently no support for profiles that require the IdP to make a request to another party. The first such profile will likely be Single Logout.

<RelyingParty id="urn:example.org" provider="http://idp.example.org" defaultSigningCredentialRef="ExampleOrgCred">
    <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"/>
    <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signAssertions="always"/>
    <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"/>
    <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
</RelyingParty>

...

  • encryptAssertions - indicates whether assertions should be encrypted, permissible values: always, conditional, never (default value: conditional)
  • encryptNameIds - indicates whether the NameIDs should be encrypted, permissible values: always, conditional, never (default value: never)

<RelyingParty id="urn:example.org" provider="http://idp.example.org" defaultSigningCredentialRef="ExampleOrgCred">
    <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"/>
    <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptNameIds="conditional" />
    <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
</RelyingParty>
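The three fragments above each show one setting in isolation. The added example below (it is not part of the IdP or its documentation) is a small hypothetical lint that reads a relying-party.xml fragment and reports, for every ProfileConfiguration, which signing credential actually applies (signingCredentialRef overriding defaultSigningCredentialRef), whether that credential defines a PrivateKey, and the effective sign*/encrypt* values once the documented defaults are applied. It also flags an attribute name with the wrong case, such as encryptNameIDs, since XML attribute names are case-sensitive. The sample XML, the credential paths and the second credential are constructed for the example; elements are matched by local name so the same code works on a real file where they carry the rp: and security: prefixes.

```python
"""Hypothetical lint for a Shibboleth IdP 2 relying-party.xml (added example,
not part of the IdP). For every ProfileConfiguration it resolves the effective
signing credential, checks that it carries a PrivateKey, and applies the
documented defaults to the sign*/encrypt* attributes."""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Documented defaults for the profile signing/encryption attributes.
DEFAULTS = {
    "signResponses": "conditional",
    "signAssertions": "never",
    "signRequests": "conditional",
    "encryptAssertions": "conditional",
    "encryptNameIds": "never",
}
ALLOWED = {"always", "conditional", "never"}
RELYING_PARTY_TAGS = {"DefaultRelyingParty", "AnonymousRelyingParty", "RelyingParty"}

# Constructed sample in the style of the page's fragments. The key/certificate
# paths and the SAML1AACred credential (deliberately without a PrivateKey) are
# made up for this example.
SAMPLE_XML = """\
<RelyingPartyGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                   xmlns:security="urn:mace:shibboleth:2.0:security">
  <RelyingParty id="urn:example.org" provider="http://idp.example.org"
                defaultSigningCredentialRef="ExampleOrgCred">
    <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" signingCredentialRef="SAML1AACred"/>
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signAssertions="always" encryptNameIds="conditional"/>
    <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" signingCredentialRef="MissingCred"/>
    <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" encryptNameIDs="conditional"/>
  </RelyingParty>
  <security:Credential id="ExampleOrgCred" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
    <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
  </security:Credential>
  <security:Credential id="SAML1AACred" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/aa.crt</security:Certificate>
  </security:Credential>
</RelyingPartyGroup>
"""


def local_name(tag):
    """Return an element tag without its namespace part."""
    return tag.rsplit("}", 1)[-1]


def load_credentials(root):
    """Map each Credential id to whether it defines a PrivateKey child."""
    creds = {}
    for el in root.iter():
        if local_name(el.tag) == "Credential":
            creds[el.get("id")] = any(local_name(c.tag) == "PrivateKey" for c in el)
    return creds


def resolve_profiles(xml_text):
    """Return one finding dict per ProfileConfiguration in document order."""
    root = ET.fromstring(xml_text)
    creds = load_credentials(root)
    lowered = {n.lower() for n in DEFAULTS}
    findings = []
    for rp in root.iter():
        if local_name(rp.tag) not in RELYING_PARTY_TAGS:
            continue
        default_ref = rp.get("defaultSigningCredentialRef")
        for prof in rp:
            if local_name(prof.tag) != "ProfileConfiguration":
                continue
            problems = []
            # A per-profile signingCredentialRef always wins over the RelyingParty default.
            ref = prof.get("signingCredentialRef") or default_ref
            if ref is None:
                problems.append("no signing credential configured")
            elif ref not in creds:
                problems.append(f"credential {ref!r} is not defined")
            elif not creds[ref]:
                problems.append(f"credential {ref!r} has no PrivateKey, so it cannot sign")
            # Apply documented defaults and validate the enumerated values.
            settings = {}
            for name, default in DEFAULTS.items():
                value = prof.get(name, default)
                if value not in ALLOWED:
                    problems.append(f"{name}={value!r} is not always/conditional/never")
                settings[name] = value
            # Attribute names are case-sensitive: encryptNameIDs is not encryptNameIds.
            for attr in prof.attrib:
                if attr not in DEFAULTS and attr.lower() in lowered:
                    problems.append(f"attribute {attr!r} is misspelled (case-sensitive name)")
            findings.append({
                "relying_party": rp.get("id", local_name(rp.tag)),
                "profile": prof.get(XSI_TYPE),
                "credential": ref,
                "settings": settings,
                "problems": problems,
            })
    return findings


if __name__ == "__main__":
    for f in resolve_profiles(SAMPLE_XML):
        status = "OK" if not f["problems"] else "; ".join(f["problems"])
        print(f"{f['profile']}: credential={f['credential']} "
              f"signAssertions={f['settings']['signAssertions']} "
              f"encryptNameIds={f['settings']['encryptNameIds']} -> {status}")
```

Run against the sample, the ShibbolethSSOProfile inherits ExampleOrgCred cleanly, the SAML1 attribute query is flagged because its overriding credential has no PrivateKey, the SAML2 attribute query references a credential that is never defined, and the artifact profile's encryptNameIDs is reported as a misspelling while its effective encryptNameIds stays at the default of never.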

...