shibboleth-dev - Re: [Shib-Dev] IdP attribute release

Subject: Shibboleth Developers

  • From: Ian Young <>
  • Subject: Re: [Shib-Dev] IdP attribute release
  • Date: Tue, 18 Nov 2008 17:26:55 +0000
  • Openpgp: id=EA2882BB

Alistair Young wrote:

> righto - saw that in the logs but it didn't seem to tie into any decision
> making process. By authenticated, do you mean the sp has to sign the
> attribute query?

As Scott says, this option isn't supported by Shibboleth 1.3, so for use
in the UK federation (which has a mixture of versions, plus other
software) you shouldn't assume that signing the query will work.

> Or does the IdP authenticate based on the x509 from the
> ssl connection?

This -- presenting the credential as a TLS client certificate -- is what
SPs in the UK federation should be doing by default.

> I'm presuming the IdP only consumes uk fed metadata so I
> can think of at least one route to investigate.

There are two IdPs with different issues with the same SP, if we're
talking about the one I think we're talking about (and I'm being vague
here as a hint that we should take further exchanges private).

I think both of them consume just UK federation metadata.

> Yes Ian, correct on that one. I suspect perhaps the sp's metadata isn't in
> the fed metadata but I'll pursue that elsewhere.

The SP in question is in the UK federation metadata.

-- Ian



