Re: RE: Re: Re: Unsolicited SSO questions

Andrew Morgan morgan at orst.edu
Fri May 29 15:52:57 EDT 2015


Remove AuthnRequestsSigned="true".  Put WantAssertionsSigned="true" back 
in the metadata.  I'm pretty sure that's what Rod meant to say.

You can also override the metadata settings (at least, I think it 
overrides what is in metadata) on a per-entity basis by changing 
relying-party.xml.

 	Andy

On Fri, 29 May 2015, Johan Romin wrote:

> Thank you for the input. I have tried path 3 to change the WantAssertionsSigned but
> now the SP isn't able to validate my assertion.
> Paths 1 and 2 aren't an option and the service provider will not change their metadata
> as I have already asked about that.
> Is it possible to get the IdP to sign the request instead of the SP and as such get
> this to work?
>  
> Hälsningar / Best Regards
> ---------------------------------------------------------------
> Johan Romin
> 
> Mobile: 070 795 81 28
> E-mail: johan.romin at egbs.se
> 
> egbs consulting ab
> Dragarbrunnsgatan 46, SE-753 20 Uppsala
> Office: +46 18 470 15 40 Helpdesk: +46 18 10 16 90
> www.egbs.se  
>  
>       ----- Original message -----
>       From: "Rod Widdowson" <rdw at steadingsoftware.com>
>       Sent by: "users" <users-bounces at shibboleth.net>
>       To: "'Shib Users'" <users at shibboleth.net>
>       Cc:
>       Subject: RE: Re: Re: Unsolicited SSO questions
>       Date: Fri 29 May 2015 10:44
>       > The service provider metadata SSODescriptor is defined as this:
>       > <md:SPSSODescriptor AuthnRequestsSigned="true"
>       > WantAssertionsSigned="true"
>       > protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>
>       This is the SP saying "I am the only person who is allowed to solicit SSO,
>       you can tell that it's me because I'll sign the requests".  They cannot
>       tell you this and then say "We will not solicit requests, you have to do
>       that".  It's like saying "Our only contact will be when I phone you so I'm
>       withholding my phone number, but you have to phone me".
>
>       As I see it, technically, you have three solutions:
>
>       1) Obey the SP's commands and not service them.  Probably not a meaningful
>       solution.
>
>       2) Tell the SP that in order to service their requirements you need a copy
>       of their private key so that you can sign the requests.  Yes, this is a
>       tongue in cheek suggestion, but it is a technical solution to the problem
>       (and I fear given the cluefulness displayed by the SP thus far it might
>       succeed).
>
>       3) Edit the metadata (or better still tell the SP to edit the metadata) to
>       remove the 'WantAssertionsSigned="true"'.  This will be problematic if the
>       metadata is signed, but from what I gather this won't be the case.
>
>       HTH
>
>       /R
>

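An added check for the situation discussed in this thread (example code, not from the list or from the Shibboleth project): it parses a constructed SP metadata fragment modelled on the one Johan quoted, reports the AuthnRequestsSigned/WantAssertionsSigned combination that conflicts with unsolicited (IdP-initiated) SSO, and rewrites the descriptor the way Andy suggests, dropping AuthnRequestsSigned and keeping WantAssertionsSigned. The entityID and endpoint Location are made-up placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample modelled on the snippet quoted in the thread; entityID and
# Location are placeholders, not a real SP.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _flag(elem, name):
    # Both attributes are optional xs:boolean values and default to false when absent.
    return elem.get(name, "false").strip().lower() in ("true", "1")


def check_sp_for_unsolicited_sso(metadata_xml):
    """Return (findings, flags) for an SP that expects IdP-initiated SSO."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return (["no SPSSODescriptor: not an SP"], {})
    flags = {"AuthnRequestsSigned": _flag(sp, "AuthnRequestsSigned"),
             "WantAssertionsSigned": _flag(sp, "WantAssertionsSigned")}
    findings = []
    if flags["AuthnRequestsSigned"]:
        # The SP promises to sign every AuthnRequest, but in unsolicited SSO it sends
        # none at all, so the attribute describes a flow the SP is refusing to use.
        findings.append("AuthnRequestsSigned=true contradicts IdP-initiated SSO: "
                        "the SP sends no AuthnRequest to sign; drop the attribute")
    if not flags["WantAssertionsSigned"]:
        # The thread's advice: keep this so the IdP signs the assertion the SP must
        # validate (removing it is what broke validation for Johan's SP).
        findings.append("WantAssertionsSigned should stay true so the SP can "
                        "verify the IdP's signature on the assertion")
    return (findings, flags)


def fix_sp_metadata(metadata_xml):
    """Rewrite the descriptor as the thread recommends: unsigned requests, signed assertions."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    sp.attrib.pop("AuthnRequestsSigned", None)
    sp.set("WantAssertionsSigned", "true")
    ET.register_namespace("md", MD_NS)  # keep the md: prefix on output
    return ET.tostring(root, encoding="unicode")
```

Note that this edits the SP's own metadata copy only; if the SP signs its metadata, the signature will no longer validate, which is the caveat Rod raises under his option 3.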
