By: Thomas Maerz user 13 Apr 2016 at 2:59 p.m. CDT

4 Responses
I've submitted a feature request to have the GUI do this: [https://github.com/GluuFederation/oxIdp/issues/4](https://github.com/GluuFederation/oxIdp/issues/4)

For now I'd like to do it manually to get my project going. The SP we're integrating with doesn't do SAML assertion encryption and they'd like us to disable SAML assertion encryption on our IdP for their relying party to test. They want us to change relying-party.xml but I know that Gluu uses .vm velocity templates, so I'm unsure of how to make this change.

Suggested edit:

```
<rp:DefaultRelyingParty provider="https://www.wrike.com" defaultSigningCredentialRef="IdPCredential">...
    <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" includeAttributeStatement="true"
                             assertionLifetime="PT5M" assertionProxyCount="0"
                             signResponses="never" signAssertions="always"
                             encryptAssertions="never" encryptNameIds="never"/>...
</rp:DefaultRelyingParty>
```

vm template contents:

```
<rp:AnonymousRelyingParty provider="$idpUrl/idp/shibboleth" defaultSigningCredentialRef="IdPCredential" />

<rp:DefaultRelyingParty provider="$idpUrl/idp/shibboleth" defaultSigningCredentialRef="IdPCredential">
    <!--
        Each attribute in these profiles configuration is set to its default value,
        that is, the values that would be in effect if those attributes were not present.
        We list them here so that people are aware of them (since they seem reluctant to
        read the documentation).
    -->
    <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="false"
                             assertionLifetime="PT5M" signResponses="conditional" signAssertions="never" />
    <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" assertionLifetime="PT5M"
                             signResponses="conditional" signAssertions="never" />
    <rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile"
                             signResponses="conditional" signAssertions="never" />
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true"
                             assertionLifetime="PT5M" assertionProxyCount="0"
                             signResponses="conditional" signAssertions="never"
                             encryptAssertions="conditional" encryptNameIds="never" />
    <rp:ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile"
                             assertionLifetime="PT5M" assertionProxyCount="0"
                             signResponses="conditional" signAssertions="never"
                             encryptAssertions="conditional" encryptNameIds="never" />
    <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile"
                             signResponses="conditional" signAssertions="never"
                             encryptAssertions="conditional" encryptNameIds="never"/>
</rp:DefaultRelyingParty>
```

How can I integrate this change into my current configuration without interfering with the template structure?

By Mohib Zico Account Admin 13 Apr 2016 at 3:11 p.m. CDT

It's already there. Check out the 'Relying Party Configuration' in [doc](https://gluu.org/docs/integrate/outbound-saml/#saml-trust-relationship).

By Michael Schwartz Account Admin 13 Apr 2016 at 3:18 p.m. CDT

When you configure the "Trust Relationship" in oxTrust, there is a checkbox for "Configure specific RelyingParty". Then in the SAML2 SSO Profile, you have the following GUI (see attachment). Did you try that?

By Thomas Maerz user 13 Apr 2016 at 3:33 p.m. CDT

Thanks! I didn't see that. I also see the description in the documentation. Do I need to restart Gluu or Tomcat or anything to make the changes take effect?

By Michael Schwartz Account Admin 13 Apr 2016 at 3:45 p.m. CDT

When you update the configuration in oxTrust, it renders new XML, which is automatically reloaded by the Shibboleth SAML IDP within five minutes. So just wait... You can check the XML that is rendered to see if you think it will work. If not, we may in fact need to look at an enhancement.
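
One way to check the rendered XML mentioned in the last reply, as an added example that is not part of the thread and not Gluu's or Shibboleth's own code: it lists the encryption and signing settings per relying party and flags encryption switched off in `DefaultRelyingParty` rather than in a specific `RelyingParty` entry. The sample document is constructed; the namespace URIs are those of Shibboleth IdP 2.x, the entity IDs are placeholders, and `audit` and `findings` are names chosen here.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample of a rendered relying-party.xml (Shibboleth IdP 2.x
# namespaces; idp.example.org and sp.example.org are placeholders).
SAMPLE = """<rp:RelyingPartyGroup
    xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signResponses="conditional"
        signAssertions="never" encryptAssertions="conditional" encryptNameIds="never"/>
  </rp:DefaultRelyingParty>
  <rp:RelyingParty id="https://sp.example.org/saml"
      provider="https://idp.example.org/idp/shibboleth" defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" signResponses="conditional"
        signAssertions="always" encryptAssertions="never" encryptNameIds="never"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>"""

def audit(xml_text):
    """Return (scope, profile, encryptAssertions, signAssertions, signResponses) rows."""
    rows = []
    for rp in ET.fromstring(xml_text):
        kind = rp.tag.rsplit("}", 1)[-1]  # element name without its namespace
        if kind not in ("DefaultRelyingParty", "RelyingParty"):
            continue
        scope = "DEFAULT" if kind == "DefaultRelyingParty" else rp.get("id")
        for pc in rp:
            if pc.tag.endswith("}ProfileConfiguration"):
                rows.append((scope, pc.get(XSI_TYPE, "").split(":")[-1],
                             pc.get("encryptAssertions"), pc.get("signAssertions"),
                             pc.get("signResponses")))
    return rows

def findings(rows):
    """Flag encryption disabled for every SP, or disabled with nothing signed."""
    out = []
    for scope, profile, enc, sign_a, sign_r in rows:
        if enc == "never" and scope == "DEFAULT":
            out.append(f"{profile}: encryption off for all SPs without their own entry")
        elif enc == "never" and sign_a == "never" and sign_r == "never":
            out.append(f"{scope} {profile}: assertions neither encrypted nor signed")
    return out

if __name__ == "__main__":
    print(audit(SAMPLE), findings(audit(SAMPLE)) or "no findings")
```
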