shibboleth-dev - Re: [Shib-Dev] Evaluation of Security policies and rules

  • From: Chad La Joie <>
  • To:
  • Subject: Re: [Shib-Dev] Evaluation of Security policies and rules
  • Date: Sun, 12 Jul 2009 08:07:31 +0200
  • Organization: SWITCH



Dharam Veer wrote:
Your suggestion to use the Mandatory... security rule works.
So is it correct to say that security rules are written such that they do
take into consideration metadata, and it's actually a combination of both that
would make a security rule fail or pass?

I'd have to look; some rules do use metadata (e.g. the cert-based ones), some do not. None of them use metadata, though, to determine which bindings are usable. That's determined before the security policy ever gets invoked. If the IdP doesn't support the binding and thus can't decode the message, it obviously can't apply a security policy to it.

For this specific case since for Redirect Binding in metadata there is no
way of saying that SimpleSign is required the implementation is the way it
is.

Yes there is. On the IDPSSODescriptor you set the 'WantAuthnRequestSigned' attribute to true and then in the list of SingleSignOnService endpoints you list the simplesign redirect binding. If that's the only mechanism you want to allow then that's the only endpoint that you list.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
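As an added example (not code from the thread or from the Shibboleth project), a small metadata check in Python that flags an IDPSSODescriptor which does not require signed AuthnRequests or which lists SingleSignOnService endpoints beyond the one binding the IdP wants to allow. It assumes the "simplesign" binding mentioned above is the SAML 2.0 HTTP-POST-SimpleSign binding URI and uses the schema spelling WantAuthnRequestsSigned; the entityID and URLs in the sample metadata are constructed.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Assumption: the "simplesign" binding from the thread is the SAML 2.0 HTTP-POST-SimpleSign URI.
SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def check_idp_descriptor(metadata_xml, allowed_bindings=frozenset({SIMPLESIGN})):
    """Return a list of findings for every IDPSSODescriptor in the metadata.

    An empty list means each descriptor requires signed AuthnRequests and
    exposes only SingleSignOnService endpoints whose Binding is allowed."""
    findings = []
    root = ET.fromstring(metadata_xml)
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        # Attribute name as spelled in the SAML 2.0 metadata schema.
        if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
            findings.append("WantAuthnRequestsSigned is not true")
        for sso in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
            binding = sso.get("Binding")
            if binding not in allowed_bindings:
                findings.append(f"unexpected SingleSignOnService binding: {binding}")
    return findings


# Constructed sample: the IdP advertises plain Redirect next to SimpleSign and never
# asks for signed requests, so an SP can keep sending unsigned Redirect requests.
PERMISSIVE = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.org/sso/redirect"/>
    <SingleSignOnService Binding="{SIMPLESIGN}" Location="https://idp.example.org/sso/simplesign"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of the configuration described in the reply: signed requests are
# required and SimpleSign is the only endpoint listed, so there is no unsigned path.
RESTRICTED = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.org/idp">
  <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{SIMPLESIGN}" Location="https://idp.example.org/sso/simplesign"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_descriptor(PERMISSIVE))
    print(check_idp_descriptor(RESTRICTED))
```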

Archive powered by MHonArc 2.6.16.