Ang.: Re: Unsoclicited SSO questions

Rod Widdowson rdw at
Fri May 29 04:44:08 EDT 2015

> The service provider metadata SSODescriptior is defined as this:  <md:SPSSODescriptor AuthnRequestsSigned="true" 
> WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

This is the SP saying "I am the only person who is allowed to solicit SSO, you can tell that it's me because I'll sign the requests".  They cannot tell you this and then say "We will not solicit requests, you have to do that".  It's like saying "Our only contact will be when I phone you so I'm withholding my phone number, but you have to phone me".

As I see it, technically, you have three solutions:

1) Obey the SPs commands and not service them.  Probably not a meaningful solution.

2) Tell the SP that in order to service their requirements you need a copy of their private key so that you can sign the requests.  Yes, this is a tongue in cheek suggestion, but it is a technical solution to the problem (and I fear given the cluefullness displayed by the SP thusfar it might succeed).

3) Edit the metadata (or better still tell the SP to edit the metadata) to remove the 'WantAssertionsSigned="true"'.  This will be problematic if the metadata is signed, but from what I gather this won't be the case.



More information about the users mailing list