How to Ignore a Signature

Nate Klingenstein ndk at internet2.edu
Sat Aug 4 02:16:06 EDT 2012


Henry,

Try near the end of relying-party.xml.  Look for:

     <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">

I believe you want to turn off (by commenting it out):

         <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>

Thanks,
Nate.

On Aug 4, 2012, at 6:09 , Henry B. Hotz wrote:

> Which attribute in which config file do I do that in?
>
> If you mean the AuthnRequestsSigned="False" in the SPSSODescriptor in the SP's metadata file, I've already done that.
>
> The logs have an INFO message that the request isn't signed (which it is).  Then it proceeds to verify the signature anyway.  And fails because it doesn't have the key needed to verify the signature.
>
>> 22:23:22.395 - WARN [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:195] - Simple signature validation (with no request-derived credentials) failed
>> 22:23:22.395 - WARN [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:138] - Validation of request simple signature failed for context issuer: .....
>> 22:23:22.404 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:379] - Message did not meet security requirements
>> org.opensaml.ws.security.SecurityPolicyException: Validation of request simple signature failed for context issuer
>
>
> On Aug 3, 2012, at 8:13 AM, Chad La Joie wrote:
>
>> You can adjust the security policy for the SAML 2 authn request profile.
>>
>> On Fri, Aug 3, 2012 at 11:07 AM, Henry B. Hotz <hotz at jpl.nasa.gov> wrote:
>>> I've got a service provider which is (so far) bureaucratically unable to provide me with the cert needed to verify the signature on their authentication requests.  Is there an easy way to tell the IDP to ignore the signature?
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
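The "simple signature" the quoted log lines refer to is the SAML 2.0 HTTP-Redirect binding's signature, carried in the SigAlg and Signature query parameters over the DEFLATE/base64-encoded SAMLRequest. The following Go program is an added illustration written for this archive page; it is not code from the thread, from Shibboleth or from OpenSAML. It builds a signed redirect query on the SP side and then performs the IdP-side check three ways: with the SP's public key, with no key at all (the situation in the thread, where the IdP has no credential for the issuer), and with an unrelated key. The AuthnRequest XML, the issuer URL and the key pairs are constructed sample values, and the verifier re-encodes the parameters with url.QueryEscape rather than using the wire form as a production implementation would.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
)

// Constructed sample AuthnRequest; the issuer is a placeholder, not a real SP.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example1" Version="2.0" IssueInstant="2012-08-04T02:00:00Z"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org/shibboleth</saml:Issuer></samlp:AuthnRequest>`

// Signature algorithm URI used in the SigAlg parameter.
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// deflateBase64 encodes a message as the HTTP-Redirect binding requires:
// raw DEFLATE (no zlib header), then base64.
func deflateBase64(msg string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(msg)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// inflateBase64 reverses deflateBase64; this is how the IdP can still read the
// issuer out of a request whose signature it cannot verify.
func inflateBase64(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	r := flate.NewReader(bytes.NewReader(raw))
	defer r.Close()
	out, err := io.ReadAll(r)
	return string(out), err
}

// roundTrip encodes and decodes a message so the two helpers can be checked together.
func roundTrip(msg string) (string, error) {
	enc, err := deflateBase64(msg)
	if err != nil {
		return "", err
	}
	return inflateBase64(enc)
}

// signedOctets is the byte string the signature covers: the URL-encoded
// SAMLRequest, RelayState (if present) and SigAlg parameters, in that order.
func signedOctets(samlRequest, relayState, sigAlg string) []byte {
	s := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	s += "&SigAlg=" + url.QueryEscape(sigAlg)
	return []byte(s)
}

// signRedirectRequest is the SP side: it returns the query parameters, including
// the detached Signature, that would be placed on the redirect URL.
func signRedirectRequest(priv *rsa.PrivateKey, authnRequest, relayState string) (url.Values, error) {
	encoded, err := deflateBase64(authnRequest)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(signedOctets(encoded, relayState, sigAlgRSASHA256))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	q := url.Values{}
	q.Set("SAMLRequest", encoded)
	if relayState != "" {
		q.Set("RelayState", relayState)
	}
	q.Set("SigAlg", sigAlgRSASHA256)
	q.Set("Signature", base64.StdEncoding.EncodeToString(sig))
	return q, nil
}

// verifyRedirectRequest is the IdP side: it rebuilds the signed octets from the
// received parameters and checks them against the issuer's trusted public key.
// A nil key models an issuer for which the IdP holds no credential.
func verifyRedirectRequest(pub *rsa.PublicKey, q url.Values) error {
	if pub == nil {
		return errors.New("no trusted signing key for request issuer")
	}
	if q.Get("SigAlg") != sigAlgRSASHA256 {
		return errors.New("unsupported SigAlg")
	}
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	if err != nil {
		return err
	}
	digest := sha256.Sum256(signedOctets(q.Get("SAMLRequest"), q.Get("RelayState"), q.Get("SigAlg")))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// runDemo signs one request and reports the three verification outcomes:
// with the SP's key, with no key, and with an unrelated key.
func runDemo() (withKey, withoutKey, wrongKey error) {
	spKey, err := rsa.GenerateKey(rand.Reader, 2048) // constructed SP key pair
	if err != nil {
		return err, err, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // unrelated key pair
	if err != nil {
		return err, err, err
	}
	q, err := signRedirectRequest(spKey, sampleAuthnRequest, "state-123")
	if err != nil {
		return err, err, err
	}
	return verifyRedirectRequest(&spKey.PublicKey, q),
		verifyRedirectRequest(nil, q),
		verifyRedirectRequest(&otherKey.PublicKey, q)
}

func main() {
	withKey, withoutKey, wrongKey := runDemo()
	fmt.Println("SP key:     ", withKey)
	fmt.Println("no key:     ", withoutKey)
	fmt.Println("wrong key:  ", wrongKey)
}
```

The second and third outcomes are the defender's point: a signed request whose signer the IdP cannot identify from metadata is indistinguishable from a tampered one, which is why the policy rule, rather than the signature check itself, is what the thread turns off.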
