signed responses from an IdP

Mark K. Miller max at
Mon Aug 17 16:30:58 EDT 2015

On Mon, 17 Aug 2015, Cantor, Scott wrote:

> Signing the response is current best practice anyway,

Since you know I'm not just 'playing dumb' this next question will be 
really easy!

So, if I just went and changed the profile in my default relying party to 
say "always" then the best practices would be in place and all the vendor 
SPs I deal with would continue to happily work with my IdP, right?  ;-)

>                                                       but I can't tell 
> you the settings on the Ping side. The main reason to require a signed 
> response is preventing attacks against XML Encryption, but I'm sure that 
> isn't why they're requiring it.

I'm sure too.  And, you are correct again!

> -- Scott

Thank you, Scott!


