signed responses from an IdP
Cantor, Scott
cantor.2 at osu.edu
Mon Aug 17 16:36:23 EDT 2015
On 8/17/15, 4:30 PM, "users on behalf of Mark K. Miller" <users-bounces at shibboleth.net on behalf of max at psu.edu> wrote:
>So, if I just went and changed the profile in my default relying party to
>say "always" then the best practices would be in place and all the vendor
>SPs I deal with would continue to work happily with my IdP, right? ;-)
The vast majority, and anything running Shibboleth. That's the V3 default. I can't guarantee nothing will break, there are SPs broken in the opposite way. We also automatically turn on assertion signing if the metadata says to, so that's also a workaround to prevent problems with SPs that really require it.
The specification requires that either Response or Assertion be signed, that's never changed. Any requirement beyond that is a local policy, usually applied with no regard for why.
-- Scott
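A small placement check in the spirit of the either/or rule Scott describes, added here as an example (it is not from the thread or from Shibboleth): it parses a constructed SAML 2.0 Response and constructed SP metadata, reports whether the Response or the Assertion carries a ds:Signature, and flags the two conditions discussed above, the spec's baseline and an SP's local WantAssertionsSigned demand. It only checks where a signature sits; verifying the signature itself is a separate step for an XML-DSig library.

```python
# Added example, not from the list thread: reports WHERE a ds:Signature sits in a
# SAML 2.0 Response and checks that against the spec rule and the SP's metadata.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

def signature_placement(response_xml):
    """Return (response_signed, all_assertions_signed) for a samlp:Response."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    assertions_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions)
    return response_signed, assertions_signed

def sp_wants_assertions_signed(sp_metadata_xml):
    """Read WantAssertionsSigned from the SP's SPSSODescriptor (default false)."""
    spsso = ET.fromstring(sp_metadata_xml).find(".//md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no md:SPSSODescriptor in SP metadata")
    return spsso.get("WantAssertionsSigned", "false").lower() == "true"

def check_signing_policy(response_xml, sp_metadata_xml):
    """List problems: the spec's either/or rule, then the SP's local flag."""
    resp_signed, asrt_signed = signature_placement(response_xml)
    problems = []
    if not (resp_signed or asrt_signed):
        problems.append("neither Response nor Assertion is signed")
    if sp_wants_assertions_signed(sp_metadata_xml) and not asrt_signed:
        problems.append("SP metadata sets WantAssertionsSigned but Assertion is unsigned")
    return problems

# Constructed sample: Response signed at the Response level only (what an IdP
# configured with signResponses="always" emits); signature contents elided.
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0"><ds:Signature><ds:SignatureValue>ELIDED</ds:SignatureValue></ds:Signature>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
 </saml:Assertion></samlp:Response>"""

# Constructed SP metadata for a vendor SP that insists on signed Assertions.
STRICT_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://sp.example.com/shibboleth"><md:SPSSODescriptor WantAssertionsSigned="true"
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>"""
```

Running `check_signing_policy(SIGNED_RESPONSE, STRICT_SP_METADATA)` reports the mismatch such an SP would choke on, while the same Response passes against metadata that omits the flag.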