Failure to validate Response Signature

Cantor, Scott cantor.2 at osu.edu
Fri Oct 5 17:59:24 EDT 2012


On 10/5/12 4:36 PM, "Rainer Hoerbe" <rainer at hoerbe.at> wrote:
>
>For the time being I think I cannot use the PKIX trust engine either, as
>it does not allow for an intermediate CA according to the documentation.

That isn't the case.

>I tried to exclude the XMLSigning policy, but received a "OneTimeUse
>condition not successfully validated by policy" message. I wonder,
>because my understanding was that Shibboleth will maintain a cache of
>received assertion IDs and reject any reuse.

It does, but that's a special "nobody uses it" condition type that isn't a
typical element and doesn't have anything to do with replay. It has no
clear semantic, and is best avoided.

>Adding a <PolicyRule type="Ignore">saml2:OneTimeUse</PolicyRule> under
>Conditions did not change anything. I even checked that the IDP issued
>unique IDs for each response and assertion. Is there some documentation
>to read more about the OneTimeUse?

It's not a part of the SSO profile. Using the Ignore syntax should work.

-- Scott
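The policy layout Scott is pointing at, as an added example that is not part of the original thread: a Shibboleth SP 2.x `shibboleth2.xml` `SecurityPolicies` block with the replay cache enabled, the `saml2:OneTimeUse` condition ignored via the `Ignore` rule, and signature validation left in place. The `SPConfig` wrapper and the `saml2` prefix declaration are assumptions about the rest of the file; the prefix in the `Ignore` rule must resolve to the SAML 2.0 assertion namespace, otherwise the QName will not match the condition element and the rule does nothing.

```xml
<!-- Assumed wrapper: the real file has more namespaces and attributes.
     The saml2 prefix is declared here because the Ignore rule below
     matches on the condition's QName. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

    <SecurityPolicies>
        <Policy id="default" validate="false">

            <!-- Replay protection: the SP caches assertion/message IDs for
                 the "expires" window (seconds) and rejects a second
                 presentation. This is the cache the thread refers to; it is
                 independent of the OneTimeUse condition. -->
            <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>

            <!-- Condition evaluation. Audience stays enforced so an
                 assertion issued for another SP is rejected. OneTimeUse is
                 explicitly ignored, as suggested, since it has no defined
                 SSO semantic; anything not handled by a nested rule is
                 still treated as an unknown condition and fails. -->
            <PolicyRule type="Conditions">
                <PolicyRule type="Audience"/>
                <PolicyRule type="Ignore">saml2:OneTimeUse</PolicyRule>
            </PolicyRule>

            <!-- Signature checks. Removing XMLSigning (what was tried in the
                 thread) leaves the response/assertion integrity unverified;
                 errorFatal="true" makes a failed verification reject the
                 message instead of logging and continuing. -->
            <PolicyRule type="ClientCertAuth" errorFatal="true"/>
            <PolicyRule type="XMLSigning" errorFatal="true"/>
            <PolicyRule type="SimpleSigning" errorFatal="true"/>

        </Policy>
    </SecurityPolicies>

</SPConfig>
```

With this layout the "OneTimeUse condition not successfully validated by policy" error comes from the `Conditions` rule seeing an element no nested rule claims, and the `Ignore` entry is the documented way to tell it that element is acceptable; replay rejection continues to come from `MessageFlow`, not from the condition. Check `shibd.log` at the SP after restarting to confirm the policy was reloaded and that assertions are no longer rejected on the condition.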
