authn request signing

Mike Flynn shibbolethlynda at
Thu Nov 3 15:26:54 GMT 2011

I have a customer running an Oracle based Shibboleth Idp.  After setting up their private federation (added session initiator and metadata for them), they attempted to test and then told me that my authn request needs to be signed.  The customer indicated that all I needed to do was to add signing="true" to my application defaults.  They also indicated that it would have no impact on existing Idps.

My Application Defaults looks like this:

<ApplicationDefaults  id="default" policyId="default" REMOTE_USER="eppn" entityID="" homeURL="">

I updated it to:

     <ApplicationDefaults  signing="true" id="default" policyId="default" REMOTE_USER="eppn" entityID="" homeURL="">

And then did a test with Max at PSU.  It failed.  Max dug up another example of this section as provided as a default for a shib SP install that looks like this:

   <ApplicationDefaults id="default" policyId="default" entityID="" REMOTE_USER="eppn persistent-id targeted-id" signing="false" encryption="false">

So, my questions are:

Do I need to include the encryption setting and have it set to true along with signing="true"?
If these values are not present in the ApplicationDefaults, I presume that Shibboleth defaults them both to false - correct?
Is this customer wrong when they indicate that authn request signing will have no impact on existing Idps?  I assume they are since PSU's shib connection attempt failed.  Or, would setting both encryption and signing on applicationdefaults have prevented the error?

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list