The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
ExportAssertions
- Scott Cantor
- Former user (Deleted)
Some advanced applications may find it useful to gain access to the SAML assertions that are used to identify the user at an SP. At the present time, this capability is limited to exporting a single base64-encoded <samlp:Response> element containing all assertions received in the message that delivers the user's attributes. This may be the result of a SOAP query, or it may be the original SSO message delivered during the session's creation in the case that attributes are pushed to the SP.
In ShibOnedotThree, the assertions are exactly as received and undergo no filtering of any kind, including evaluation of any SAML Condition elements, or AttributeAcceptancePolicy processing.
Another complication: SAML assertions can be quite large, particularly when signed or if many attributes or values are included. Web servers place limits on the size of request headers in order to prevent DOS attacks from clients. Most newer servers make the size limit configurable. For reference:
- Apache 2.0.53 and later: http://httpd.apache.org/docs/2.0/mod/core.html#limitrequestfieldsize
- IIS: http://support.microsoft.com/default.aspx?scid=kb;en-us;310156&sd=tech
However, if you still experience errors, there isn't any known workaround that will guarantee success. Consider upgrading to Shibboleth 2.0, which has a more robust mechanism for export.