Ang: Re: Unsoclicited SSO questions
cantor.2 at osu.edu
Thu May 28 12:33:30 EDT 2015
On 5/28/15, 11:09 AM, "users on behalf of Paul Hethmon" <users-bounces at shibboleth.net on behalf of paul.hethmon at clareitysecurity.com> wrote:
>However, I suspect that the signed request is not the problem, but the SP consuming the SAML Response. I don’t think (but I am not positive) that the SAML Response includes any information about whether the request was signed or not.
It does not.
> If it does not have that information, then the SP is choking on something else.
Very likely. So if you (the OP) are the one jumping to the conclusion that this has anything to do with the request, just stop; you're incorrect. If the vendor is claiming that, then you now know the vendor doesn't know what they're doing with the technology and you will be stuck debugging their system for them and you should add some time to your project plan to account for that eventuality.
More information about the users