unsigned authN requests

David Bantz dabantz at alaska.edu
Wed Jun 5 20:23:55 EDT 2013


Thanks Scott!

You also wrote that it's unusual to sign requests, contrary to what I assumed.  
Doesn't signing provide some assurance that the message is "real" and thus add value?

David

On Wed, 5 Jun 2013, at 16:17, "Cantor, Scott" <cantor.2 at osu.edu> wrote:

> On 6/5/13 8:08 PM, "David Bantz" <dabantz at alaska.edu> wrote:
>> 
>> So possibly it was signed using a different certificate than in the
>> metadata I imported?
>> Other common/likely/obvious ways to trigger this?
> 
> I had a case recently where I had botched the metadata and put the wrong
> entityID in. I haven't taken the time to investigate the code, but it
> seemed to trigger this error instead of the more expected error message of
> it being an unknown/unregistered entityID. So that would be one other
> possible cause.
> 
> Using the SAML Tracer FF extension you can see what's in the AuthnRequest
> and compare that to the metadata.
> 
> If it's a key/sig problem, it's tougher, because the key's not in the
> message. The only thing you can do is say that it's invalid, and then it's
> on them to debug it. It could be that their code is simply broken unless
> they have evidence it works with another known correct implementation.
> 
> So short of just giving them the certificate you had on file and telling
> them to be absolutely sure that's the public half of the signing key, not
> much else can be done.
> 
> -- Scott
> 
> 
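
The comparison Scott suggests (look at what is in the AuthnRequest, compare it with the metadata, and accept that the key is not in the message) can be scripted. The block below is an added example, not code from this thread or from the Shibboleth project. It checks the request's Issuer against the metadata entityID, reports whether the request is signed, and, for a POST-binding request that happens to embed a certificate, whether that certificate is the signing certificate registered in metadata; it also decodes the Redirect-binding form that SAML Tracer shows you. The entityIDs, endpoints and certificate text are constructed placeholders. It does not verify any signature, and nothing here should make an IdP trust an in-message certificate over metadata.

```python
"""Check a SAML AuthnRequest against the SP metadata an IdP has on file.

Added example, not code from the thread or from Shibboleth. Compares the
request's Issuer with the metadata entityID, reports whether the request is
signed and (POST binding only) whether an embedded certificate matches the
signing key in metadata. Debugging aid only: it verifies no signature.
"""
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: entityIDs, endpoints and cert text are placeholders, not real keys.
METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MIIC...PLACEHOLDER-CERT-A...
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed request reproducing the thread's symptom: wrong entityID in Issuer, different cert.
REQUEST_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0ffee" Version="2.0"
    IssueInstant="2013-06-05T20:08:00Z"
    Destination="https://idp.example.edu/idp/profile/SAML2/POST/SSO">
  <saml:Issuer>https://sp.example.edu/sp</saml:Issuer>
  <ds:Signature><ds:SignedInfo/>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-CERT-B...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""

def _norm_cert(text):
    """Metadata base64 is usually line-wrapped; compare without whitespace."""
    return re.sub(r"\s+", "", text or "")

def metadata_facts(md_xml):
    """entityID, the signing certificates, and whether signed requests are expected."""
    root = ET.fromstring(md_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    certs = []
    for kd in sp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # absent 'use' = signing and encryption
            certs += [_norm_cert(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS)]
    return {"entityID": root.get("entityID"), "signing_certs": certs,
            "requests_signed": sp.get("AuthnRequestsSigned") == "true"}

def request_facts(req_xml):
    """Issuer, whether a ds:Signature is present, and any certificate it embeds."""
    root = ET.fromstring(req_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    sig = root.find("ds:Signature", NS)
    certs = [] if sig is None else [_norm_cert(c.text) for c in sig.iterfind(".//ds:X509Certificate", NS)]
    return {"issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
            "signed": sig is not None, "embedded_certs": certs}

def redirect_url(req_xml, endpoint):
    """Encode request XML as an unsigned HTTP-Redirect URL (raw DEFLATE, then base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(req_xml.encode("utf-8")) + comp.flush()
    return endpoint + "?" + urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def redirect_request_xml(url):
    """Recover the XML from a Redirect-binding URL (what SAML Tracer shows you).

    Any signature travels in separate SigAlg/Signature query parameters, so the
    XML itself never tells you which key signed it."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode("utf-8")
    return xml, "Signature" in q

def diagnose(req_xml, md_xml):
    """Return findings as 'code: detail' strings; empty when request and metadata agree."""
    md, rq = metadata_facts(md_xml), request_facts(req_xml)
    out = []
    if rq["issuer"] != md["entityID"]:
        out.append("issuer-mismatch: Issuer %r is not metadata entityID %r" % (rq["issuer"], md["entityID"]))
    if not rq["signed"]:
        if md["requests_signed"]:
            out.append("unsigned-request: metadata says AuthnRequestsSigned=true but no ds:Signature present")
    elif not rq["embedded_certs"]:
        out.append("no-key-in-message: signed, but KeyInfo names no certificate; only the metadata key can be tried")
    elif not set(rq["embedded_certs"]) & set(md["signing_certs"]):
        out.append("cert-mismatch: embedded certificate is not a signing certificate in metadata")
    return out
```

Run diagnose(REQUEST_XML, METADATA_XML) on the constructed sample and it reports both the issuer mismatch and the certificate mismatch; the "no-key-in-message" case is the one Scott describes, where the only option left is to hand the SP operator the certificate you hold and have them confirm it is the public half of their signing key.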
