signed responses from an IdP

Cantor, Scott cantor.2 at
Mon Aug 17 16:36:23 EDT 2015

On 8/17/15, 4:30 PM, "users on behalf of Mark K. Miller" <users-bounces at on behalf of max at> wrote:

>So, if I just went and changed the profile in my default relying party to 
>say "always" then the best practices would be in place and all the vendor 
>SPs I deal with would continue to happily with my IdP, right?  ;-)

The vast majority, and anything running Shibboleth. That's the V3 default. I can't guarantee nothing will break, there are SPs broken in the opposite way. We also automatically turn on assertion signing if the metadata says to, so that's also a workaround to prevent problems with SPs that really require it.

The specification requires that either Response or Assertion be signed, that's never changed. Any requirement beyond that is a local policy, usually applied with no regard for why.

-- Scott
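As an added illustration of the two points in this reply (the specification's minimum of a signature on either the Response or the Assertion, and the SP metadata flag that can switch assertion signing on), here is a small presence check written for this page; it is not Shibboleth code, the sample messages are constructed with placeholder entity IDs, and it only reports where ds:Signature elements sit, it does not validate them.

```python
# Added example, not from the thread: checks the minimum the SAML 2.0 spec
# requires (signature on the Response, the Assertion, or both) and reads the
# SP metadata flag an IdP can honour automatically (WantAssertionsSigned).
# Presence only: this does not cryptographically verify the signatures.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

def signature_locations(response_xml):
    """Which elements carry a ds:Signature child: {'response': bool, 'assertion': bool}."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response": root.find("ds:Signature", NS) is not None,
        # every plaintext assertion must be signed for this to count
        "assertion": bool(assertions) and all(
            a.find("ds:Signature", NS) is not None for a in assertions),
    }

def meets_spec_minimum(response_xml):
    """True when at least one of Response / Assertion carries a signature."""
    loc = signature_locations(response_xml)
    return loc["response"] or loc["assertion"]

def sp_wants_assertions_signed(metadata_xml):
    """Read WantAssertionsSigned from the SP's md:SPSSODescriptor (default false)."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(".//md:SPSSODescriptor", NS)
    if sso is None:
        return False
    return sso.get("WantAssertionsSigned", "false").strip().lower() == "true"

# Constructed samples (placeholder entity IDs, empty Signature shells).
HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
        'ID="_r1" Version="2.0">' % (NS["samlp"], NS["saml"], NS["ds"]))
ASSERTION = ('<saml:Assertion ID="_a1" Version="2.0">'
             '<saml:Issuer>https://idp.example.org</saml:Issuer>%s</saml:Assertion>')
SIG = "<ds:Signature><ds:SignedInfo/></ds:Signature>"
RESPONSE_SIGNED = HEAD + SIG + ASSERTION % "" + "</samlp:Response>"
ASSERTION_SIGNED = HEAD + ASSERTION % SIG + "</samlp:Response>"
UNSIGNED = HEAD + ASSERTION % "" + "</samlp:Response>"
SP_METADATA = ('<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example.com">'
               '<md:SPSSODescriptor WantAssertionsSigned="true" '
               'protocolSupportEnumeration="%s"/></md:EntityDescriptor>'
               % (NS["md"], NS["samlp"]))
```

Encrypted assertions (saml:EncryptedAssertion) are not inspected here; a real check would decrypt first.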
