How to Ignore a Signature

Henry B. Hotz hotz at jpl.nasa.gov
Sat Aug 4 02:09:00 EDT 2012


Which attribute in which config file do I do that in?

If you mean the AuthnRequestsSigned="False" in the SPSSODescriptor in the SP's metadata file, I've already done that.

The logs have an INFO message that the request isn't signed (which it is).  Then it proceeds to verify the signature anyway.  And fails because it doesn't have the key needed to verify the signature.

> 22:23:22.395 - WARN [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:195] - Simple signature validation (with no request-derived credentials) failed
> 22:23:22.395 - WARN [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:138] - Validation of request simple signature failed for context issuer: .....
> 22:23:22.404 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:379] - Message did not meet security requirements org.opensaml.ws.security.SecurityPolicyException: Validation of request simple signature failed for context issuer


On Aug 3, 2012, at 8:13 AM, Chad La Joie wrote:

> You can adjust the security policy for the SAML 2 authn request profile.
> 
> On Fri, Aug 3, 2012 at 11:07 AM, Henry B. Hotz <hotz at jpl.nasa.gov> wrote:
>> I've got a service provider which is (so far) bureaucratically unable to provide me with the cert needed to verify the signature on their authentication requests.  Is there an easy way to tell the IDP to ignore the signature?

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
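
The mismatch described in this thread (a request that arrives signed from an SP whose metadata carries no usable signing certificate) can be spotted before the IdP logs a validation failure. The following is an added example, not code from the thread or from the Shibboleth project; the entity IDs, certificate text and request URL are constructed, and it only inspects metadata and a request URL without changing any IdP policy.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: one SP without any key, one with a signing key.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{NS['ds']}">
 <md:EntityDescriptor entityID="https://sp-nokey.example.org/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-key.example.org/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIB-constructed-placeholder</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed HTTP-Redirect request URL carrying a simple signature.
SIGNED_URL = ("https://idp.example.org/sso?SAMLRequest=abc"
              "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
              "&Signature=xyz")

def sp_signing_posture(metadata_xml):
    """Map entityID -> (AuthnRequestsSigned, has_signing_cert) for every SP role."""
    posture = {}
    for ent in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        sp = ent.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue
        # xs:boolean is "true"/"false"/"1"/"0"; lower-case defensively.
        wants = sp.get("AuthnRequestsSigned", "false").strip().lower() in ("true", "1")
        has_cert = any(
            kd.get("use") in (None, "signing")  # no "use" covers signing too
            and bool((kd.findtext(".//ds:X509Certificate", "", NS) or "").strip())
            for kd in sp.findall("md:KeyDescriptor", NS))
        posture[ent.get("entityID")] = (wants, has_cert)
    return posture

def redirect_request_is_signed(url):
    """HTTP-Redirect carries the signature in Signature/SigAlg query parameters."""
    q = parse_qs(urlsplit(url).query)
    return "SAMLRequest" in q and "Signature" in q and "SigAlg" in q

def assess(metadata_xml, issuer, url):
    wants, has_cert = sp_signing_posture(metadata_xml).get(issuer, (False, False))
    signed = redirect_request_is_signed(url)
    if signed and not has_cert:
        return "signed request, no signing certificate in metadata: cannot be verified"
    if wants and not signed:
        return "metadata requires signed requests, request is unsigned"
    return "consistent"
```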
