Ian MacDonald
2014-09-08 05:57:39 UTC
Hi,
I have a requirement to add the <saml2:Audience> restriction to my IDP's
SAML2SSOProfile configuration.
From https://wiki.shibboleth.net/confluence/display/SHIB2/IdPSAML2SSOProfileConfig it
looks to me like I should be able to simply add a child element to the
Relying Party configuration.
I took my working RelyingParty configuration below:
<rp:RelyingParty id="https://service.providerlogin.com"
    provider="https://my.idp.com/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never" encryptNameIds="never"/>
</rp:RelyingParty>
And added the Audience Child Element similar to below:
<rp:RelyingParty id="https://service.providerlogin.com"
    provider="https://my.idp.com/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never" encryptNameIds="never">
        <rp:Audience>https://saml2.providerlogin.com</rp:Audience>
    </rp:ProfileConfiguration>
</rp:RelyingParty>
What I end up with is a SAXParseException error on the relying-party.xml
file that is confusing because it states that the element is incorrect, and
then lists it as a potentially acceptable element.
I can't seem to find any good examples using the Audience child element.
Any help appreciated. I'm expecting it's some simple attribute or
namespace error not obvious to me.
cheers,
Ian
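
An added diagnostic, not part of the original post or of Shibboleth: it expands each child of an xsi:type'd element to its full namespace-qualified name and flags children whose namespace differs from the namespace of the declared type, which is how an element can be rejected while a same-named element appears in the validator's list of expected ones. Assumptions: the xmlns declarations in the constructed sample are those of a stock IdP 2 relying-party.xml, and the extension type's child elements live in the type's own namespace; neither is confirmed on this page.

```python
import io
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the post's second snippet wrapped in a root element
# carrying the namespace declarations (assumed, not shown in the post).
SAMPLE = """<rp:RelyingPartyGroup
    xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:RelyingParty id="https://service.providerlogin.com"
      provider="https://my.idp.com/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never" encryptNameIds="never">
      <rp:Audience>https://saml2.providerlogin.com</rp:Audience>
    </rp:ProfileConfiguration>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>"""


def namespace_mismatches(xml_text):
    """Return (child expanded name, type namespace) for every child of an
    xsi:type'd element whose namespace differs from the type's namespace."""
    prefixes = {}   # simplification: one flat prefix map, no scoping
    findings = []
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start-ns", "end")):
        if event == "start-ns":
            prefix, uri = item
            prefixes[prefix] = uri
            continue
        qname = item.get(XSI_TYPE)
        if qname is None:
            continue
        # Resolve the prefix of the xsi:type QName to its namespace URI.
        type_ns = prefixes.get(qname.rpartition(":")[0], "")
        for child in item:
            tag = child.tag
            child_ns = tag[1:].partition("}")[0] if tag.startswith("{") else ""
            if child_ns != type_ns:
                findings.append((tag, type_ns))
    return findings


if __name__ == "__main__":
    for tag, type_ns in namespace_mismatches(SAMPLE):
        print(f"{tag} is not in the type's namespace {type_ns}")
```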