authn request signing

Mark K. Miller max at
Thu Nov 3 17:27:48 GMT 2011

On Thu, 3 Nov 2011, Cantor, Scott wrote:

> On 11/3/11 11:26 AM, "Mike Flynn" <shibbolethlynda at> wrote:
>> And then
>> did a test with Max at PSU.  It failed.
> If it failed, then I would imagine your metadata must be wrong. The only
> reason it should fail is if your signature wasn't trusted.

I imagine that you imagine correctly (as always.)

I feel real silly that I didn't realize this.  Especially, given that upon 
declaring the test a failure I went right off and updated my metadata 
because Mike was up to the steps in the key rollover process where he had 
added another cert to the metadata.

In a separate note directly to Mike, I suggested we repeat the test and I 
expect it'll work now.

Thanks, Scott!

>> Do I need to include the encryption setting and have it set to true along
>> with signing="true"?
> There is nothing in the request that's encrypted, the setting won't matter.
>> If these values are not present in the ApplicationDefaults, I presume
>> that Shibboleth defaults them both to false - correct?
> Yes; you can find that out in the documentation. I documented every
> setting.
>> Is this customer wrong when they indicate that authn request signing will
>> have no impact on existing Idps?  I assume they are since PSU's shib
>> connection attempt failed.  Or, would setting both encryption and signing
>> on applicationdefaults have prevented the error?
> No, and any time the metadata is wrong, virtually anything can fail.
> You can also override the setting for the specific relying party, as
> documented.
> -- Scott
> --
> To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list