The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

The primary channel for communicating user information between the SP software and the web applications running behind it is CGI request headers or environment variables. Some applications have advanced requirements for which access to the actual SAML assertions can be useful. For these cases, the SP is able to provide the assertions it receives, but because of their size it cannot pass them the same way. Instead, a simple query mechanism is used.

Since the primary use case for this feature involves the forwarding or delegation of signed assertions, the XML is passed along unmodified from the issuer. As a result, although some security checking has been performed prior to caching, the data itself is left alone. Attribute filtering is not reflected in the results.

When instructed to do so for a request (via the exportAssertion content setting), the application will be given a header or variable called Shib-Assertion-Count with the number of assertions that are available.

The URL to query for each assertion is passed in an individual header or variable named Shib-Assertion-NN, where NN is the two-digit sequence number of the assertion (01, 02, etc.). Performing a GET on that location returns the assertion, with a MIME type of "application/samlassertion+xml".

Note that in order for export to occur, the exportLocation and exportACL properties must be set for the relevant application's <Sessions> element.
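
The following Python is an added example, not part of the Shibboleth documentation or software, showing how an application behind the SP could consume Shib-Assertion-Count and the Shib-Assertion-NN URLs described above. It assumes the values are available in a mapping keyed by those names (how they are exposed depends on the web server), and the function names and the `allowed_prefix` parameter, which should be set to the deployment's exportLocation, are hypothetical.

```python
import re
from urllib.request import urlopen

SAML_MIME = "application/samlassertion+xml"  # MIME type stated on the page


def assertion_urls(env, allowed_prefix):
    """Return the export URLs named by Shib-Assertion-01..NN, in order."""
    raw = env.get("Shib-Assertion-Count", "")
    if not raw:
        return []  # export was not enabled for this request
    if not re.fullmatch(r"[0-9]{1,2}", raw):
        raise ValueError("malformed Shib-Assertion-Count: %r" % raw)
    urls = []
    for n in range(1, int(raw) + 1):
        name = "Shib-Assertion-%02d" % n  # two-digit sequence number
        url = env.get(name)
        if url is None:
            raise ValueError("count is %s but %s is missing" % (raw, name))
        # Only query the expected export handler, never an arbitrary URL.
        # allowed_prefix should include scheme, host and handler path.
        if not url.startswith(allowed_prefix):
            raise ValueError("%s points outside the export location" % name)
        urls.append(url)
    return urls


def http_get(url):
    """Default fetcher: GET the URL, return (content type, body bytes)."""
    with urlopen(url, timeout=5) as resp:
        return resp.headers.get_content_type(), resp.read()


def fetch_assertions(env, allowed_prefix, get=http_get):
    """GET every exported assertion and return the raw XML documents."""
    docs = []
    for url in assertion_urls(env, allowed_prefix):
        ctype, body = get(url)
        if ctype != SAML_MIME:
            raise ValueError("unexpected MIME type %r from %s" % (ctype, url))
        # The XML is the issuer's unmodified assertion: attribute filtering
        # has not been applied, so do not treat it as filtered data.
        docs.append(body)
    return docs
```

The `get` parameter lets the fetcher be replaced, for example to add TLS settings or to test without a running SP.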