idp v3 - unsolicited sso failing

Cantor, Scott cantor.2 at osu.edu
Sun Mar 15 14:55:04 EDT 2015


On 3/15/15, 2:35 PM, "Marc Boorshtein" <mboorshtein at gmail.com> wrote:

>While I understand your argument, it goes counter to most other SAML products. Adfs, openam, oif, ping, etc all work this way.

That makes me feel quite a bit more confident about my conclusion.

> Also you aren't circumventing signing the authn request, you are kicking off authentication directly from the idp, so it's not exactly the same thing.

You cannot kick off authentication from the IdP, you can only do it from a client. If that request is unsigned, then we aren't requiring signed requests ergo the feature isn't being honored. Security settings you can circumvent that easily really are broken.

-- Scott
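An SP-side acceptance check that illustrates the point above (a response not tied to a signed AuthnRequest cannot be treated as if signed requests were enforced). This is an added example, not code from the thread or from the Shibboleth project; the XML snippets, function names and request-ID store are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample responses (not real IdP output):
# one carries InResponseTo (solicited), one does not (unsolicited SSO).
SOLICITED = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" InResponseTo="_req1"/>'
UNSOLICITED = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2"/>'


def in_response_to(response_xml: str) -> Optional[str]:
    """Return the InResponseTo attribute of a samlp:Response, or None if absent."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response element")
    return root.get("InResponseTo")


def accept_response(response_xml: str,
                    outstanding_signed_requests: Set[str],
                    require_signed_requests: bool) -> Tuple[bool, str]:
    """Decide whether the SP may consume this response.

    outstanding_signed_requests holds IDs of AuthnRequests this SP itself
    signed and sent. If the deployment relies on signed requests, a response
    with no InResponseTo (unsolicited flow) is rejected, because nothing the
    SP signed authorised that authentication to start.
    """
    irt = in_response_to(response_xml)
    if irt is None:
        if require_signed_requests:
            return False, "unsolicited response: no signed AuthnRequest backs it"
        return True, "unsolicited response accepted (signed requests not required)"
    if irt not in outstanding_signed_requests:
        return False, "InResponseTo does not match an outstanding signed request"
    outstanding_signed_requests.discard(irt)  # each request ID is consumed once
    return True, "response matches a signed request"
```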


