...
- the attribute defaultSigningCredentialRef, located on a RelyingParty element
- the attribute signingCredentialRef, located on a ProfileConfiguration element
As you may have guessed, the defaultSigningCredentialRef attribute is used to specify a default signing credential for every profile configuration contained within the RelyingParty, while the signingCredentialRef attribute is used to specify a signing credential only for the ProfileConfiguration upon which it appears, and it always overrides a default signing credential if one is specified. The value for both attributes is the ID of a credential defined within the $IDP_HOME/conf/relying-party.xml file. Note: the referenced credentials MUST contain a private key, as this is what is actually used to sign the XML.
```xml
<RelyingParty id="urn:example.org" provider="http://idp.example.org" defaultSigningCredentialRef="ExampleOrgCred">
    <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" signingCredentialRef="SAML1AACred"/>
    <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
</RelyingParty>
```
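As an added illustration (not part of the original page or of the Shibboleth project's own code), the following Python script applies the override rule described above to a constructed relying-party.xml fragment: for every ProfileConfiguration it resolves which credential would sign, then flags references to credentials that are undefined or that declare no PrivateKey. The security:Credential element and the namespace URIs are assumed to match the IdP 2.x configuration schema; the credential IDs and file paths are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment: one credential with a private key, one
# certificate-only, and a RelyingParty whose profiles override the default credential.
SAMPLE_XML = """<RelyingPartyGroup xmlns="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <RelyingParty id="urn:example.org" provider="http://idp.example.org"
                defaultSigningCredentialRef="ExampleOrgCred">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signAssertions="always"/>
    <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
                          signingCredentialRef="SAML1AACred"/>
    <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
                          signingCredentialRef="CertOnlyCred"/>
  </RelyingParty>
  <security:Credential id="ExampleOrgCred" xsi:type="security:X509Filesystem">
    <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
    <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
  </security:Credential>
  <security:Credential id="CertOnlyCred" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/peer.crt</security:Certificate>
  </security:Credential>
</RelyingPartyGroup>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace URI from an ElementTree tag

def audit(xml_text):
    """Return (relying party id, profile xsi:type, resolved credential id, verdict) for
    each ProfileConfiguration: signingCredentialRef wins, otherwise the default applies."""
    root = ET.fromstring(xml_text)
    # credential id -> does it declare a PrivateKey child (required to sign)?
    has_key = {c.get("id"): any(local(x.tag) == "PrivateKey" for x in c)
               for c in root.iter() if local(c.tag) == "Credential"}
    findings = []
    # endswith() also covers DefaultRelyingParty and AnonymousRelyingParty.
    for rp in (e for e in root.iter() if local(e.tag).endswith("RelyingParty")):
        default = rp.get("defaultSigningCredentialRef")
        for pc in (e for e in rp if local(e.tag) == "ProfileConfiguration"):
            ref = pc.get("signingCredentialRef") or default
            if ref is None:
                verdict = "no signing credential configured"
            elif ref not in has_key:
                verdict = "references undefined credential"
            else:
                verdict = "ok" if has_key[ref] else "credential has no PrivateKey, cannot sign"
            ptype = pc.get("{http://www.w3.org/2001/XMLSchema-instance}type")
            findings.append((rp.get("id"), ptype, ref, verdict))
    return findings
```

Run audit() over the real $IDP_HOME/conf/relying-party.xml to catch a dangling signingCredentialRef before the IdP fails at signing time.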
...
- signResponses - indicates whether response messages should be signed; permissible values: always, conditional, never (default value: conditional)
- signAssertions - indicates whether assertions within a message should be signed; permissible values: always, conditional, never (default value: never)
- signRequests - indicates whether request messages should be signed; permissible values: always, conditional, never (default value: conditional). This option is not currently used by the IdP because there is currently no support for profiles that require the IdP to make a request to another party. The first such profile will likely be Single Logout.
```xml
<RelyingParty id="urn:example.org" provider="http://idp.example.org" defaultSigningCredentialRef="ExampleOrgCred">
    <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"/>
    <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signAssertions="always"/>
    <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"/>
    <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
</RelyingParty>
```
...
- encryptAssertions - indicates whether assertions should be encrypted; permissible values: always, conditional, never (default value: conditional)
- encryptNameIds - indicates whether the NameIDs should be encrypted; permissible values: always, conditional, never (default value: never)
```xml
<RelyingParty id="urn:example.org" provider="http://idp.example.org" defaultSigningCredentialRef="ExampleOrgCred">
    <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
    <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"/>
    <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptNameIds="conditional" />
    <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
    <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />
</RelyingParty>
```
...