unsigned authN requests
David Bantz
dabantz at alaska.edu
Wed Jun 5 20:23:55 EDT 2013
Thanks, Scott!
You also wrote that it's unusual to sign requests, contrary to what I assumed.
Doesn't signing provide some assurance that the message is "real" and thus add value?
David
On Wed, 5 Jun 2013, at 16:17, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
> On 6/5/13 8:08 PM, "David Bantz" <dabantz at alaska.edu> wrote:
>>
>> So possibly it was signed using a different certificate than in the
>> metadata I imported?
>> Other common/likely/obvious ways to trigger this?
>
> I had a case recently where I had botched the metadata and put the wrong
> entityID in. I haven't taken the time to investigate the code, but it
> seemed to trigger this error instead of the more expected error message of
> it being an unknown/unregistered entityID. So that would be one other
> possible cause.
>
> Using the SAML Tracer FF extension you can see what's in the AuthnRequest
> and compare that to the metadata.
>
> If it's a key/sig problem, it's tougher, because the key's not in the
> message. The only thing you can do is say that it's invalid, and then it's
> on them to debug it. It could be that their code is simply broken unless
> they have evidence it works with another known correct implementation.
>
> So short of just giving them the certificate you had on file and telling
> them to be absolutely sure that's the public half of the signing key, not
> much else can be done.
>
> -- Scott
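To make Scott's two points concrete (the verification key is not carried in the AuthnRequest, so the IdP has to find it by Issuer in the SP's metadata; and a botched entityID is a second way to end up with a rejected request), here is an added example of both sides of a signed HTTP-Redirect binding exchange. It is Go written for this thread, not Shibboleth's code (the IdP is Java). It assumes RSA-SHA256 as SigAlg, an in-memory map standing in for real metadata, and hypothetical entityIDs under sp.example.org.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// Only the Issuer is parsed: it is the lookup key into metadata, and nothing else in the message
// identifies the signing key.
type AuthnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	Issuer  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
var ErrUnknownIssuer = errors.New("issuer has no metadata on file")
var ErrBadSignature = errors.New("signature does not verify with the key on file")

// SP side (HTTP-Redirect binding): the request is DEFLATEd, base64'd and URL-encoded, and the
// signature covers the encoded "SAMLRequest=..&RelayState=..&SigAlg=..". No key or cert is sent.
func signedRedirectQuery(key *rsa.PrivateKey, issuer, relayState string) (string, error) {
	raw, _ := xml.Marshal(AuthnRequest{Issuer: issuer}) // static struct, cannot fail
	var buf bytes.Buffer
	zw, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	zw.Write(raw)
	zw.Close()
	signed := "SAMLRequest=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes())) +
		"&RelayState=" + url.QueryEscape(relayState) +
		"&SigAlg=" + url.QueryEscape(rsaSHA256)
	h := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// decodeRequest reverses URL-encoding, base64 and DEFLATE and reads the Issuer.
func decodeRequest(encoded string) (req AuthnRequest, err error) {
	b64, _ := url.QueryUnescape(encoded)
	deflated, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return req, err
	}
	xmlBytes, err := io.ReadAll(flate.NewReader(bytes.NewReader(deflated)))
	if err != nil {
		return req, err
	}
	return req, xml.Unmarshal(xmlBytes, &req)
}

// IdP side: read the Issuer, look its key up in metadata, then verify over the raw (still encoded)
// query parts in canonical order. Two errors keep "no metadata for you" apart from "bad signature".
func verifyRedirectQuery(query string, metadata map[string]*rsa.PublicKey) (string, error) {
	parts := map[string]string{}
	for _, pair := range strings.Split(query, "&") {
		k, v, _ := strings.Cut(pair, "=")
		parts[k] = v
	}
	req, err := decodeRequest(parts["SAMLRequest"])
	if err != nil {
		return "", err
	}
	pub, ok := metadata[req.Issuer]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrUnknownIssuer, req.Issuer)
	}
	if alg, _ := url.QueryUnescape(parts["SigAlg"]); alg != rsaSHA256 { // the sender must not pick the algorithm
		return "", fmt.Errorf("unsupported SigAlg %q", alg)
	}
	signed := "SAMLRequest=" + parts["SAMLRequest"]
	if rs, present := parts["RelayState"]; present {
		signed += "&RelayState=" + rs
	}
	signed += "&SigAlg=" + parts["SigAlg"]
	sigB64, _ := url.QueryUnescape(parts["Signature"])
	sig, _ := base64.StdEncoding.DecodeString(sigB64) // a malformed value simply fails to verify
	h := sha256.Sum256([]byte(signed))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return "", fmt.Errorf("%w: issuer %q", ErrBadSignature, req.Issuer)
	}
	return req.Issuer, nil
}

func main() {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	const sp = "https://sp.example.org/shibboleth" // hypothetical entityID
	q, _ := signedRedirectQuery(spKey, sp, "/app")
	fmt.Println(verifyRedirectQuery(q, map[string]*rsa.PublicKey{sp: &spKey.PublicKey})) // issuer and <nil>
}
```

Three things fall out of this. A request signed with a key whose public half is not the one in metadata fails with ErrBadSignature, and from the IdP side there is nothing more to say than "invalid", which is Scott's point about handing the SP the certificate you have on file. A request whose Issuer is not in metadata fails with ErrUnknownIssuer here; Scott's observation was that the IdP he was using reported a signature error in that situation instead, so a key/sig complaint is worth checking against the entityID in the request before anyone starts re-generating certificates. And a RelayState altered after signing is rejected, which is the assurance David is asking about: the signature binds the whole redirect, not just the XML.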