shibboleth-dev - Re: Shib 2 IdP, problem encrypting assertion
Shibboleth Developers list archive
- From: Chad La Joie <>
- To:
- Subject: Re: Shib 2 IdP, problem encrypting assertion
- Date: Wed, 05 Dec 2007 17:08:52 -0800
- Organization: SWITCH
I had encryption turned off, by default, because when I added support for it I didn't want it on, by default, in case it was buggy. I didn't want to break anyone's current test setup. Turns out it was buggy (thanks Apache).
Now that that kink seems to be resolved I do think we should enable it by default.
Scott Cantor wrote:
Ah, it's all coming back to me now.... I suppose that's the right thing to
do from a "be safe" standpoint. FYI, so looks like we currently default
(based on the config file schema) to attribute push with no encryption.
I would personally like to see encryption on by default for SAML 2. Right
now, we've always relied on the SP having a key, so I would see that as a
minimal change. It's a big change for other SAML deployments that are push
only, but with the callback, we sort of hit all that pain up front, may as
well take advantage of it.
Note that it won't affect any truly existing deployments, since they're not
SAML 2 anyway. If you give it most federation's metadata without keys,
nothing breaks since only SAML 1/Shib are supported there anyway.
So if people turn on encryption of assertions or name ID's for the default
relying party, then they'll need to know to override and turn it off for
specific relying parties that don't publish keys, or it will result in a
fatal error for the latter.
I think that's acceptable in light of the general attitude that encryption
is the right thing to do.
I also think both front and back channel should be controllable
independently. I have that ability, but not the former right now.
Also sounds reasonable. Were you going to add the former? Or not for
2.0?
I don't know yet, probably not, because the SP can normally count on the IdP
having a key, and for 2.0 there won't be much encryption that direction
anyway.
-- Scott
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
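One way to express the arrangement Scott describes above (encryption on for the default relying party, switched off for a specific SP that publishes no key), as an added illustration that is not part of this thread: a relying-party.xml fragment using the element and attribute names of the released Shibboleth IdP 2 configuration. Those names are assumed here (the 2007 draft schema under discussion may have differed), the entity IDs are placeholders, and the metadata and credential sections are omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragment only: the metadata provider and credential sections of a real
     relying-party.xml are omitted. Entity IDs are placeholders. -->
<rp:RelyingPartyGroup
    xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Default relying party: applies to every SP without its own
       <rp:RelyingParty> entry. Assertion encryption is on, so an SP whose
       metadata carries no encryption key will fail here with a fatal error. -->
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        signAssertions="always"
        encryptAssertions="always"
        encryptNameIds="never" />
  </rp:DefaultRelyingParty>

  <!-- Override for one SP that publishes no key: assertion encryption is
       turned off for this relying party only; the default stays on for
       everyone else. -->
  <rp:RelyingParty id="https://keyless-sp.example.org/shibboleth"
      provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        signAssertions="always"
        encryptAssertions="never"
        encryptNameIds="never" />
  </rp:RelyingParty>

</rp:RelyingPartyGroup>
```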