How to Ignore a Signature

Brent Putman putmanb at
Sat Aug 4 15:55:42 EDT 2012

On 8/4/12 2:16 AM, Nate Klingenstein wrote:
> Henry,
> Try near the end of relying-party.xml.  Look for:
>      <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">

Yes, that's the right place, but...

> I believe you want to turn off (by commenting it out):
>          <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>

Nope, this rule is not about evaluating signatures.  It's the one that
enforces that the AuthnRequest is required to be signed if the SP's
metadata indicates that it will always sign AuthnRequests.

The ones that actually evaluate the protocol message signature are these:

<security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
<security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
<security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"

The one that's relevant depends on which mechanism was used to sign the
inbound message, which is basically determined by the binding in use.

> On Aug 4, 2012, at 6:09 , Henry B. Hotz wrote:
>> The logs have an INFO message that the request isn't signed (which  
>> it is).

Based on the below, the signature appears to be signed with the HTTP
Redirect binding's "simple" (i.e. non-XML) signature (or less likely the
HTTP Post SimpleSign). So the first message about the message not being
signed is coming from the ProtocolWithXMLSignature rule, which is just
saying that the AuthnRequest isn't signed with XML Signature.  That's
normal and expected.

>>> 22:23:22.395 - WARN [org.opensaml 195] - Simple signature validation (with no request-derived credentials) failed
>>> 22:23:22.395 - WARN [org.opensaml 138] - Validation of request simple signature failed for context issuer: .....
>>> 22:23:22.404 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:379] - Message did not meet security requirements Validation of request simple signature failed for context issuer

It would appear that most likely the SP is sending via the HTTP Redirect
binding here, which is normal and expected.  Just FYI.

>> On Fri, Aug 3, 2012 at 11:07 AM, Henry B. Hotz <hotz at>
>> wrote:
>>>> I've got a service provider which is (so far) bureaucratically  
>>>> unable to provide me with the cert needed to verify the signature  
>>>> on their authentication requests.  Is there an easy way to tell  
>>>> the IDP to ignore the signature?

SAML 2 AuthnRequests are very often not signed by default.  It seems a
bit interesting and odd that they insist on signing the request message,
but then won't give you the cert needed to verify. Sounds like they need
to have some internal conversations re: deployment choices vis-a-vis
admin procedures.
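
The binding-to-rule distinction drawn in this message, as an added Python example that is not part of the original post and is not Shibboleth code: it classifies an inbound AuthnRequest by signing mechanism and names the rule type from the list above that would evaluate it, without verifying anything. The rule mapping follows the post plus the SAML 2.0 bindings parameters (`SAMLRequest`, `SigAlg`, `Signature`); the function names, the size cap, the sample message and the host name are assumptions constructed here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

DS_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"
MAX_XML = 64 * 1024  # assumed cap on the decoded message size

def decode_request(value, deflated):
    """Base64-decode (and for HTTP-Redirect, inflate) a SAMLRequest parameter."""
    raw = base64.b64decode(value)
    if deflated:
        inflater = zlib.decompressobj(-15)  # raw DEFLATE, no zlib header
        raw = inflater.decompress(raw, MAX_XML)
        if inflater.unconsumed_tail:
            raise ValueError("SAMLRequest inflates past the size cap")
    if len(raw) > MAX_XML or b"<!DOCTYPE" in raw:
        raise ValueError("oversized message or DTD present")
    return ET.fromstring(raw)

def evaluating_rule(method, params):
    """Name the rule that evaluates this message's signature, or None if unsigned."""
    root = decode_request(params["SAMLRequest"], deflated=(method == "GET"))
    if root.find(DS_SIGNATURE) is not None:  # enveloped XML Signature
        return "samlsec:ProtocolWithXMLSignature"
    if "Signature" in params and "SigAlg" in params:  # "simple" signature
        if method == "GET":
            return "samlsec:SAML2HTTPRedirectSimpleSign"
        return "samlsec:SAML2HTTPPostSimpleSign"
    return None

# Constructed sample: a minimal AuthnRequest sent via HTTP-Redirect.
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
              b' ID="_constructed" Version="2.0" IssueInstant="2012-08-04T02:23:22Z"/>')

def sample_redirect_params(signed=True):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    fields = {"SAMLRequest": base64.b64encode(comp.compress(SAMPLE_XML) + comp.flush()).decode()}
    if signed:  # placeholder values, not a real signature
        fields["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        fields["Signature"] = "Y29uc3RydWN0ZWQ="
    url = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO?" + urlencode(fields)
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

if __name__ == "__main__":
    print(evaluating_rule("GET", sample_redirect_params()))
```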

