unsigned authN requests

Nate Klingenstein ndk at internet2.edu
Wed Jun 5 20:29:50 EDT 2013


There's not in practice much value to be gained by signing an authentication request because of the other checks in the SAML 2.0 Web Browser SSO profile.  If any of those fields is mucked with by the user, it will generally have no practical consequences and/or cause the request to fail.

The only major exception, I think, is forceAuthn="true", and an SP can validate the authentication instant to ensure that a fresh authentication was received.

On Jun 6, 2013, at 0:23 , David Bantz wrote:

You also wrote that it's unusual to sign requests, contrary to what I assumed.
Doesn't signing provide some assurance that the message is "real" and thus add value?
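The "other checks" Nate refers to, and the freshness check he suggests for forceAuthn="true", can be made concrete on the SP side. The following is an added example and not code from the thread or from Shibboleth; it assumes a constructed, unsigned sample Response (real IdP messages must first pass XML signature verification, which is outside this snippet) and hypothetical SP values for the entityID and AssertionConsumerService URL. It checks Status, InResponseTo, Destination, Audience and the Conditions window, and then compares AuthnInstant against the time the request was issued so that an IdP that ignored forceAuthn and replayed an old session is rejected.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'; convert to an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_response(response_xml, request_id, request_issued, now,
                      sp_acs_url, sp_entity_id, force_authn=True,
                      max_skew=timedelta(seconds=60)):
    """Return (ok, reason). Assumes the Response/Assertion signature was already verified."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return False, "status is not Success"
    # The request ID is the SP's own random value; a response must answer a request it sent.
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match an outstanding request"
    # Destination prevents a response minted for one SP endpoint from being replayed at another.
    if root.get("Destination") != sp_acs_url:
        return False, "Destination does not match this SP's ACS URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion"
    audience = assertion.find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != sp_entity_id:
        return False, "Audience does not name this SP"
    conditions = assertion.find("saml:Conditions", NS)
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + max_skew < not_before or now - max_skew >= not_on_or_after:
        return False, "assertion outside its validity window"
    stmt = assertion.find("saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement"
    if force_authn:
        # Freshness: with forceAuthn the user must have authenticated after we asked.
        authn_instant = parse_saml_time(stmt.get("AuthnInstant"))
        if authn_instant + max_skew < request_issued:
            return False, "AuthnInstant predates the request: authentication was not fresh"
    return True, "ok"


def build_response(authn_instant):
    """Constructed, unsigned sample Response for demonstration only."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_resp1" InResponseTo="_req123" Version="2.0"
    IssueInstant="2013-06-05T20:29:55Z"
    Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-06-05T20:29:55Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Conditions NotBefore="2013-06-05T20:29:50Z" NotOnOrAfter="2013-06-05T20:34:55Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{authn_instant}" SessionIndex="_s1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Run the check on a fresh and on a stale (replayed session) response."""
    request_issued = parse_saml_time("2013-06-05T20:29:40Z")
    now = parse_saml_time("2013-06-05T20:30:00Z")
    acs = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
    entity_id = "https://sp.example.org/shibboleth"
    fresh = validate_response(build_response("2013-06-05T20:29:53Z"),
                              "_req123", request_issued, now, acs, entity_id)
    stale = validate_response(build_response("2013-06-05T19:00:00Z"),
                              "_req123", request_issued, now, acs, entity_id)
    wrong_req = validate_response(build_response("2013-06-05T20:29:53Z"),
                                  "_other", request_issued, now, acs, entity_id)
    return {"fresh": fresh, "stale": stale, "wrong_request": wrong_req}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The stale case is the one forceAuthn is meant to catch: every other check passes, and only the AuthnInstant comparison shows that the IdP reused a session established long before the SP asked for a fresh login. The skew tolerance is a deployment choice; the 60 seconds here is an assumption.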
