This information was last reviewed in May, 2019, by Scott Cantor.

Change Log:

5/2019: Updates from latest round of testing of encryption and logout.

7/2019: Incomplete information regarding their encryption support.

7/2019: This was created by copying an original page supplied by Lafayette College, reformatting to fit the template, and correcting some mistakes as well as updating to reflect changes in their GUI.

...

The signing and encryption options apparently result in the metadata being generated with a key, its properties unknown to me at the moment, but see below for my encryption results.

Once you determine what kind of <NameID> Format you intend to use down below, you'll need to add a <NameIDFormat> element to the SP's metadata before you load it into the IdP to trigger the right format to be selected at runtime. The element appears immediately ahead of the <AssertionConsumerService> element(s) in an SP's metadata.
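As an added example (not from the original page, and not ArcGIS or Shibboleth code), the following Python script inserts the <md:NameIDFormat> element at the position described above, immediately ahead of the first <md:AssertionConsumerService> in each SPSSODescriptor, and checks that ordering on any SP metadata handed to it. The sample metadata, its entityID and its endpoint URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SPSSO = f"{{{MD_NS}}}SPSSODescriptor"
NAMEID_FORMAT = f"{{{MD_NS}}}NameIDFormat"
ACS = f"{{{MD_NS}}}AssertionConsumerService"
ET.register_namespace("md", MD_NS)

# Two of the standard SAML 2.0 NameID formats an SP commonly asks for.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample SP metadata (hypothetical entityID and endpoints, not
# real ArcGIS output): one SPSSODescriptor with a single
# AssertionConsumerService and no NameIDFormat element yet.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://arcgis.example.org/portal/sharing/rest">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://arcgis.example.org/portal/sharing/rest/oauth2/saml/signin"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def declared_nameid_formats(metadata_xml: str) -> list:
    """Return the NameIDFormat values declared in every SPSSODescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    return [(e.text or "").strip() for sp in root.iter(SPSSO) for e in sp.findall(NAMEID_FORMAT)]


def nameid_formats_precede_acs(metadata_xml: str) -> bool:
    """Schema-order check: no NameIDFormat may follow an AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    for sp in root.iter(SPSSO):
        seen_acs = False
        for child in sp:
            if child.tag == ACS:
                seen_acs = True
            elif child.tag == NAMEID_FORMAT and seen_acs:
                return False
    return True


def add_nameid_format(metadata_xml: str, nameid_format: str) -> str:
    """Insert <md:NameIDFormat> ahead of the first AssertionConsumerService of each SPSSODescriptor.

    Idempotent: a descriptor that already declares this format is left alone.
    """
    root = ET.fromstring(metadata_xml)
    for sp in root.iter(SPSSO):
        children = list(sp)
        if any(c.tag == NAMEID_FORMAT and (c.text or "").strip() == nameid_format for c in children):
            continue
        acs_positions = [i for i, c in enumerate(children) if c.tag == ACS]
        # With no ACS present (unusual for an SP), append at the end instead.
        insert_at = acs_positions[0] if acs_positions else len(children)
        elem = ET.Element(NAMEID_FORMAT)
        elem.text = nameid_format
        elem.tail = "\n    "
        sp.insert(insert_at, elem)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = add_nameid_format(SAMPLE_SP_METADATA, PERSISTENT)
    print(updated)
    print("order ok:", nameid_formats_precede_acs(updated))  # True
```

Run the ordering check on the metadata you are about to load into the IdP, not just on what you edited by hand: a NameIDFormat element placed after the AssertionConsumerService elements is a schema violation and will not select the format you intended.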

...

ArcGIS supports vanilla SAML behavior without any special workarounds, excepting that it hasn't been successfully made to work with encryption enabled and their documentation claims that logout is not supported, even though their UI exposes those options. With logout enabled, I observed it attempting to send a request, but inside a hidden frame (which the IdP won't handle well), and it was unsigned and also broken because they had removed the <NameID> element's Format attribute, which would cause the IdP to reject it as non-matching.
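The non-matching NameID described above can be shown with a small added check; this is not Shibboleth IdP code and simplifies what the IdP actually does, but it applies the same rule: the NameID in a LogoutRequest has to match the one the IdP issued for the session, and under SAML Core 2.0 (section 8.3) a NameID with no Format attribute means the "unspecified" format, so stripping the attribute turns a persistent identifier into something the IdP never issued. The LogoutRequest, the entityIDs, the identifier value and the session record are all constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# SAML Core 2.0, section 8.3: a NameID without a Format attribute is "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_FIELDS = ("value", "Format", "NameQualifier", "SPNameQualifier")

# Constructed LogoutRequest (hypothetical entityIDs and identifier, not a capture):
# the <saml:NameID> carries no Format attribute.
LOGOUT_REQUEST_NO_FORMAT = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-logout-1" Version="2.0" IssueInstant="2019-05-01T12:00:00Z"
    Destination="https://idp.example.edu/idp/profile/SAML2/Redirect/SLO">
  <saml:Issuer>https://arcgis.example.org/portal/sharing/rest</saml:Issuer>
  <saml:NameID NameQualifier="https://idp.example.edu/idp/shibboleth"
               SPNameQualifier="https://arcgis.example.org/portal/sharing/rest">_a1b2c3d4</saml:NameID>
</samlp:LogoutRequest>
"""

# Constructed record of what the IdP issued for this session: same identifier
# and qualifiers, but with the persistent Format it asserted.
SESSION_NAMEID = {
    "value": "_a1b2c3d4",
    "Format": PERSISTENT,
    "NameQualifier": "https://idp.example.edu/idp/shibboleth",
    "SPNameQualifier": "https://arcgis.example.org/portal/sharing/rest",
}


def parse_logout_nameid(logout_request_xml: str) -> dict:
    """Extract the NameID from a LogoutRequest, applying the spec default for a missing Format."""
    root = ET.fromstring(logout_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    nameid = root.find(f"{{{SAML_NS}}}NameID")
    if nameid is None:
        # An EncryptedID would need decryption first; out of scope here.
        raise ValueError("LogoutRequest carries no plain <saml:NameID>")
    return {
        "value": (nameid.text or "").strip(),
        "Format": nameid.get("Format", UNSPECIFIED),
        "NameQualifier": nameid.get("NameQualifier"),
        "SPNameQualifier": nameid.get("SPNameQualifier"),
    }


def nameid_mismatches(request_nameid: dict, session_nameid: dict) -> list:
    """Fields on which the request's NameID differs from the session's; empty means a match."""
    return [f for f in NAMEID_FIELDS if request_nameid.get(f) != session_nameid.get(f)]


def with_format(logout_request_xml: str, nameid_format: str) -> str:
    """Re-serialize the request with an explicit Format on its NameID (the corrected variant)."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    root = ET.fromstring(logout_request_xml)
    root.find(f"{{{SAML_NS}}}NameID").set("Format", nameid_format)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    broken = parse_logout_nameid(LOGOUT_REQUEST_NO_FORMAT)
    print("mismatched fields:", nameid_mismatches(broken, SESSION_NAMEID))  # ['Format']
    fixed = parse_logout_nameid(with_format(LOGOUT_REQUEST_NO_FORMAT, PERSISTENT))
    print("mismatched fields:", nameid_mismatches(fixed, SESSION_NAMEID))  # []
```

When diagnosing a logout that the IdP rejects, comparing all four fields (value, Format and both qualifiers) against what was asserted is the quickest way to see which one the SP altered; here only Format differs, which is exactly the symptom reported above.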

With encryption on, I got a validation error of some kind on their side. It's possible a different set of signing options or some other changes might have made it work.

Example Shibboleth Configuration

...