Ang.: RE: Ang.: Re: Unsoclicited SSO questions
morgan at orst.edu
Fri May 29 15:52:57 EDT 2015
Remove AuthnRequestsSigned="true". Put WantAssertionsSigned="true" back
in the metadata. I'm pretty sure that's what Rod meant to say.
You can also override the metadata settings (at least, I think it
overrides what is in metadata) on a per-entity basis by changing
On Fri, 29 May 2015, Johan Romin wrote:
> Thank you for the input. I have tried path 3 to change the WantAssertionsSigned but
> now the sp isn't able to validate my assertion.
> Path 1 and 2 isn't an option and the service provider will not change their metadata
> as I have already asked about that.
> Is it possible to get the idp to sign the request instead of the sp and as such get
> this to work?
> Hälsningar / Best Regards
> Johan Romin
> Mobil: 070 795 81 28
> E-post: johan.romin at egbs.se
> egbs consulting ab
> Dragarbrunnsgatan 46, SE-753 20 Uppsala
> Office: +46 18 470 15 40 Helpdesk: +46 18 10 16 90
> ----- Ursprungligt meddelande -----
> Från: "Rod Widdowson" <rdw at steadingsoftware.com>
> Skickades av: "users" <users-bounces at shibboleth.net>
> Till: "'Shib Users'" <users at shibboleth.net>
> Ärende: RE: Ang.: Re: Unsoclicited SSO questions
> Datum: fre 29 maj 2015 10:44
> > The service provider metadata SSODescriptior is defined as this:
> <md:SPSSODescriptor AuthnRequestsSigned="true"
> > WantAssertionsSigned="true"
> This is the SP saying "I am the only person who is allowed to solicit SSO,
> you can tell that it's me because I'll sign the requests". They cannot
> tell you this and then say "We will not solicit requests, you have to do
> that". It's like saying "Our only contact will be when I phone you so I'm
> withholding my phone number, but you have to phone me".
> As I see it, technically, you have three solutions:
> 1) Obey the SPs commands and not service them. Probably not a meaningful
> 2) Tell the SP that in order to service their requirements you need a copy
> of their private key so that you can sign the requests. Yes, this is a
> tongue in cheek suggestion, but it is a technical solution to the problem
> (and I fear given the cluefullness displayed by the SP thusfar it might
> 3) Edit the metadata (or better still tell the SP to edit the metadata) to
> remove the 'WantAssertionsSigned="true"'. This will be problematic if the
> metadata is signed, but from what I gather this won't be the case.
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
More information about the users