How to Ignore a Signature

Henry B. Hotz hotz at
Sat Aug 4 02:09:00 EDT 2012

Which attribute in which config file do I do that in?

If you mean the AuthnRequestsSigned="False" in the SPSSODescriptor in the SPs metadata file, I've already done that.  

The logs have an INFO message that the request isn't signed (which it is).  Then it proceeds to verify the signature anyway.  And fails because it doesn't have the key needed to verify the signature.

> 22:23:22.395 - WARN [] - Simple signature validation (with no request-derived credentials) failed
> 22:23:22.395 - WARN [] - Validation of request simple signature failed for context issuer: .....
> 22:23:22.404 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:379] - Message did not meet security requirements Validation of request simple signature failed for context issuer

On Aug 3, 2012, at 8:13 AM, Chad La Joie wrote:

> You can adjust the security policy for the SAML 2 authn request profile.
> On Fri, Aug 3, 2012 at 11:07 AM, Henry B. Hotz <hotz at> wrote:
>> I've got a service provider which is (so far) bureaucratically unable to provide me with the cert needed to verify the signature on their authentication requests.  Is there an easy way to tell the IDP to ignore the signature?

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the users mailing list