Skip to main content

SAML2AttributeQueryProfile

Definition

Based on SAML version 1 standard. This profile is used when the SSOProfile does not include attributes statements in the assertion. This profile allows to the applications request user data.

When you are configuring the profile, you could define what data will be encripted and signed.

Screen overview

1 &&TODO&& se repite sign assertion, la segunda es sign Requests

2 &&TODO&&  En encrypt assertions no hay lista desplegable

3 &&TODO&& ¿Que ocurre si selecciono la opcion en blanco? ¿cómo se comportaría?

image-1638534055413.png

Standard attributes

  • Class: class name (readOnly field).
  • Enabled: if it is checked (selected option is Yes) that protocol will be enable. 
  • Sign Responses: usually it is set to conditional or always, so as the service provider can verify the response authenticity.
  • Sign Assertions: is usually set to never, as long as the response is already signed.
  • Sign Request: not used, as the service provider will not need to generate requests.
  • Encrypt Assertions: is a desired feature, but some service providers, mainly public cloud service providers do not support it. Thus, the default value is to never encrypt, but you can set it to optional or always as needed.
    • If you set it to optional and the public key of the service provider who is going to receive the assertion is available, it will be used to encrypt it.
    • If you set it to never, it will not ever be encrypted in any case.
    • If you set it to always, but the remote service provider encryption key is unknown, an exception will be raised.
  • Encrypt NameIds: should be let to never.
  • Assertion Proxy Count: sets the maximum number of hops that can be accepted for any assertion. A number of 0 does not set any limit.