The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.


SAML 2.0

Options common to SAML 2.0 profiles:

encryptionOptionalBooleanfalseWhether to automatically disable encryption if the relying party does not possess a suitable key
encryptAssertionsPredicate<ProfileRequestContext>varies by profileWhether to encrypt assertions
encryptNameIDsPredicate<ProfileRequestContext>varies by profileWhether to encrypt NameIDs
encryptAttributesPredicate<ProfileRequestContext>falseWhether to encrypt attributes


The encryption options are generally set correctly for each different profile; see the notes on the individual profile pages. We provide Spring support so you can just set them to "true" or "false" as though they are boolean-valued, but they also directly support the more dynamic approach of deriving the value with a bean.

Note that when the conditions to encrypt various constructs evaluate to true, the IdP will fail the request if it is unable to perform the encryption, for whatever reason. This is overrideable using the encryptionOptional property, which allows the IdP to encrypt if it can but continue otherwise. If you carefully control your metadata sources, which you should do in any case, you should be able to trust that any SP lacking an encryption key is incapable of encryption anyway, making the property safe to enable.