
You are viewing an old version of this page. View the current version.


Some advanced applications may find it useful to gain access to the SAML assertions that are used to identify the user at an SP. At the present time, this capability is limited to exporting a single base64-encoded <samlp:Response> element containing all assertions received in the message that delivers the user's attributes. This may be the result of a SOAP query, or it may be the original SSO message delivered during the session's creation in the case that attributes are pushed to the SP.

In ShibOnedotThree, the assertions are exactly as received and undergo no filtering of any kind, including evaluation of any SAML Condition elements, or AttributeAcceptancePolicy processing.
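Because the exported assertions are unfiltered, an application that consumes them has to evaluate the Conditions validity window itself. The following is an added example, not part of the original page or of the Shibboleth code base: it assumes the SAML 1.x assertion namespace, and the function name, the size cap and the sample message are constructed for illustration. It does not verify XML signatures.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"  # SAML 1.x assertion namespace
MAX_B64_LEN = 64 * 1024  # assumed cap for this example, not a Shibboleth setting


def _parse_instant(value):
    # SAML instants are UTC xs:dateTime values, with or without fractional seconds.
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_exported_response(b64_response, now=None):
    """Return (AssertionID, Issuer, status) for each assertion in the response.

    status is 'valid', 'not-yet-valid', 'expired' or 'no-conditions'.
    """
    if len(b64_response) > MAX_B64_LEN:
        raise ValueError("exported response exceeds size cap")
    raw = base64.b64decode(b64_response, validate=True)
    # A SAML response never needs a DTD; refuse it rather than let the parser expand entities.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD content is not expected in a SAML response")
    root = ET.fromstring(raw)
    now = now or datetime.now(timezone.utc)
    results = []
    for assertion in root.iter(SAML + "Assertion"):
        status = "no-conditions"
        cond = assertion.find(SAML + "Conditions")
        if cond is not None:
            status = "valid"
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb and now < _parse_instant(nb):
                status = "not-yet-valid"
            elif noa and now >= _parse_instant(noa):
                status = "expired"
        results.append((assertion.get("AssertionID"), assertion.get("Issuer"), status))
    return results


# Constructed sample (not a real IdP message): one assertion with a five-minute window.
SAMPLE = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"'
    b' xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
    b'<saml:Assertion AssertionID="_a1" Issuer="https://idp.example.org/shibboleth">'
    b'<saml:Conditions NotBefore="2008-01-01T12:00:00Z" NotOnOrAfter="2008-01-01T12:05:00Z"/>'
    b'</saml:Assertion></samlp:Response>').decode()
```

An application should treat any status other than `valid` as a reason to ignore the assertion's attributes.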

Another complication: SAML assertions can be quite large, particularly when signed or when many attributes or values are included. Web servers limit the size of request headers in order to prevent DoS attacks from clients. Most newer servers make the size limit configurable. For reference:
