Specialized Relying Party Configurations

If you are trying to communicate with a new service provider you are probably in the wrong place, you want to be here.

Before attempting to change relying party configurations be sure you understand the concept of a relying party. Also, note, changing these configuration is an intermediate-level configuration task, is not generally needed in most deployments, and should only by done by deployers with a good understanding of how shibboleth and federated identity management works.

Configuring a Relying Party

The configuration for communicating with relying parties is located in $IDP_HOME/conf/relying-party.xml.

The <AnonymousRelyingParty> and <DefaultRelyingParty> elements requires the following attribute:

The <RelyingParty> element requires the following attributes:

All three elements support the following, optional, attributes:

Profile Configuration

Each type of relying party element may have zero or more configured communication profiles. A relying party which attempts to communicate with the IdP using a profile that is not configured is returned an error indicating that the communication is not allowed.

Each profile configuration is identified by a <ProfileConfiguration> element and is a child of the relying party configuration element. The following profile configurations are currently supported:

Each profile configuration can also take an optional securityPolicyRef attribute identifying a custom/overridden set of policy rules defined later in the file. This is rarely needed, but allows for per-RP customization of security policy rules.

Example Relying Party Configurations

The following example enables the SAML 1 and SAML 2 profiles for default relying parties.

<DefaultRelyingParty provider="urn:example.org:idp1">
   <ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" />
   <ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" />
   <ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" />
   <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
   <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />
   <ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" />

The following example disables communication with any anonymous relying party.

<AnonymousRelyingParty provider="urn:example.org:idp1" />

The following example disables all SAML 1 profiles and  SAML 2 artifact support and sets a default authentication mechanism for a specified relying party (or relying party group).

<RelyingParty id="urn:example.org"
   <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
   <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" />