idp v3 - unsolicited sso failing
Cantor, Scott
cantor.2 at osu.edu
Sun Mar 15 14:55:04 EDT 2015
On 3/15/15, 2:35 PM, "Marc Boorshtein" <mboorshtein at gmail.com> wrote:
>While I understand your argument, it goes counter to most other SAML products. ADFS, OpenAM, OIF, Ping, etc. all work this way.
That makes me feel quite a bit more confident about my conclusion.
> Also, you aren't circumventing signing the authn request; you are kicking off authentication directly from the IdP, so it's not exactly the same thing.
You cannot kick off authentication from the IdP, you can only do it from a client. If that request is unsigned, then we aren't requiring signed requests, ergo the feature isn't being honored. Security settings you can circumvent that easily really are broken.
-- Scott