OpenSAML user discussion

[Andreas Vallen <>]

Hello Tom,

Thanks for pointing me to the "WantAssertionsSigned" metadata attributes. I didn't know 
that it is used for exactly this purpose.

Access Manager (version: 7.0/05Q4 + SAMLv2 plugin) does not dynamically resolve a partner 
entity's metadata as proposed by the "well-known location" method in the metadata spec. 
However it produces and uses metadata for its own configuration. So possibly it is no 
Access Manager bug after all - I will try again with "WantAssertionSigned" set to 'false'.

Given this metadata option it seems reasonable to make this option also configurable 
inside opensaml2's Encoders that do the signing.

Andreas


Tom Scavo wrote:
> On 1/15/07, Andreas Vallen 
> <>
>  wrote:
> > The version of the Sun Access Manager product that we test our 
> > opensaml-based IDP against,
> > expects the Assertion element instead of the Response element to be 
> > signed (in the case of
> > successfull Responses).
> >
> > This is clearly a Access Manager bug - it should work either way.
>
> FYI, a Shibboleth SP (which is based on OpenSAML) communicates its
> desire for signed assertions via metadata:
>
>    <md:SPSSODescriptor
>      WantAssertionsSigned="true"
>      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
>
> So now I'm curious ;-) does Sun Access Manager produce SAML metadata,
> and does your IdP consume it?
>
> Tom