authn request signing
Mark K. Miller
max at psu.edu
Thu Nov 3 19:37:59 GMT 2011
Mike and I just finished testing again; it works now. Scott was
absolutely correct about the metadata.
Thanks for your help, Scott!
On Thu, 3 Nov 2011, Mark K. Miller wrote:
> On Thu, 3 Nov 2011, Cantor, Scott wrote:
>> On 11/3/11 11:26 AM, "Mike Flynn" <shibbolethlynda at yahoo.com> wrote:
>>> And then
>>> did a test with Max at PSU. It failed.
>> If it failed, then I would imagine your metadata must be wrong. The only
>> reason it should fail is if your signature wasn't trusted.
> I imagine that you imagine correctly (as always.)
> I feel real silly that I didn't realize this. Especially, given that upon
> declaring the test a failure I went right off and updated my metadata
> because Mike was up to the steps in the key rollover process where he had
> added another cert to the metadata.
> In a separate note directly to Mike, I suggested we repeat the test and I
> expect it'll work now.
> Thanks, Scott!
>>> Do I need to include the encryption setting and have it set to true along
>>> with signing="true"?
>> There is nothing in the request that's encrypted, the setting won't matter.
>>> If these values are not present in the ApplicationDefaults, I presume
>>> that Shibboleth defaults them both to false - correct?
>> Yes; you can find that out in the documentation. I documented every
>>> Is this customer wrong when they indicate that authn request signing will
>>> have no impact on existing Idps? I assume they are since PSU's shib
>>> connection attempt failed. Or, would setting both encryption and signing
>>> on applicationdefaults have prevented the error?
>> No, and any time the metadata is wrong, virtually anything can fail.
>> You can also override the setting for the specific relying party, as
>> -- Scott
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users