Ang: Re: Unsoclicited SSO questions

Paul Hethmon paul.hethmon at
Thu May 28 11:09:10 EDT 2015

Your SP is asking for mutually exclusive things. By definition the SP signs the request with their “private” key. The IdP verifies it with the “public” key. An IdP initiated flow is simply done by creating an AuthnRequest for the particular SP. The IdP does not have the private key of the SP do that. If the SP were to give you the private key in order to create a signed request, then they have exposed their private key and essentially made the use of the keys a moot point. The key is out in the open.

However, I suspect that the signed request is not the problem, but the SP consuming the SAML Response. I don’t think (but I am not positive) that the SAML Response includes any information about whether the request was signed or not. If it does not have that information, then the SP is choking on something else.

On May 28, 2015, at 10:44 AM, Johan Romin <johan.romin at<mailto:johan.romin at>> wrote:

That much I understand, still the service provider doesn't want to change their implementation as they see this as a neccesary feature.
I've tried to alter the metadata on our end not to require a signed authn request and that just passes our end but then halts on the service provider end that then cannot validate our message.
Could this be managed by some kind of initation through a local service provider that I setup on the idp that creates the signeds authn request which in turn gets forwarded to the unsolicited sso servlet?

Paul Hethmon
Chief Software Architect
paul.hethmon at<mailto:paul.hethmon at>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list