x509 certificate in SAML2 IdP response

Cantor, Scott cantor.2 at osu.edu
Wed May 27 10:10:50 EDT 2015


On 5/27/15, 10:02 AM, "users on behalf of Rob Ansaldo" <users-bounces at shibboleth.net on behalf of rlansaldo at amherst.edu> wrote:

>I am working with a vendor as a service provider that is having trouble validating our IdP SAML2 response to their urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST endpoint. In troubleshooting this problem, I observed that our Shibboleth 2.4 IdP is sending the SP’s x509 certificate in the response, but signing the response properly with our own certificate.

No, it's encrypting the assertion with the SP's key and sending that certificate in the EncryptedKey's KeyInfo. You're confusing the two.

-- Scott
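
[Added example, not part of the original thread and not Shibboleth code.] A troubleshooting helper that labels each ds:X509Certificate in a SAML2 response by its nearest ds:Signature or xenc:EncryptedKey ancestor, which separates the signer's certificate from the encryption recipient's. The sample response, its placeholder certificate text and the function name classify_certificates are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
DS_CERT = "{%s}X509Certificate" % NS["ds"]
DS_SIGNATURE = "{%s}Signature" % NS["ds"]
XENC_KEY = "{%s}EncryptedKey" % NS["xenc"]

# Constructed sample: a trimmed response with placeholder certificate text.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>IDP-CERT-PLACEHOLDER</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:EncryptedAssertion><xenc:EncryptedData><ds:KeyInfo>
  <xenc:EncryptedKey><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>SP-CERT-PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></xenc:EncryptedKey>
 </ds:KeyInfo></xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""


def classify_certificates(xml_text):
    """Return [(role, cert_text)] for every ds:X509Certificate, in document order."""
    # Parse only XML you trust (e.g. your own IdP's output) with ElementTree.
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: p for p in root.iter() for child in p}
    found = []
    for cert in root.iter(DS_CERT):
        role, node = "unknown", cert
        # Walk up until the first Signature or EncryptedKey ancestor.
        while node in parent:
            node = parent[node]
            if node.tag == XENC_KEY:
                role = "encryption-recipient"  # the SP's certificate
                break
            if node.tag == DS_SIGNATURE:
                role = "signer"  # the IdP's certificate
                break
        found.append((role, (cert.text or "").strip()))
    return found
```
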


