Ang.: RE: Ang.: Re: Unsolicited SSO questions

Cantor, Scott cantor.2 at osu.edu
Fri May 29 16:16:33 EDT 2015


On 5/29/15, 3:52 PM, "users on behalf of Andrew Morgan" <users-bounces at shibboleth.net on behalf of morgan at orst.edu> wrote:

>Remove AuthnRequestsSigned="true".  Put WantAssertionsSigned="true" back 
>in the metadata.  I'm pretty sure that's what Rod meant to say.

Yes. If the SP requires signed assertions, WantAssertionsSigned will ensure the IdP does so, even if it is not doing so (which it doesn't by default since that's unnecessary).

The SP also has a bug, because I can bet you a large sum of money they have no reason to be requiring signed assertions.

>You can also override the metadata settings (at least, I think it 
>overrides what is in metadata) on a per-entity basis by changing 
>relying-party.xml.

You can explicitly enable assertion signing, certainly, whether the metadata flag is on or not.

>> Thank you for the input. I have tried path 3 to change the WantAssertionsSigned but
>> now the SP isn't able to validate my assertion.
>> Paths 1 and 2 aren't an option and the service provider will not change their metadata
>> as I have already asked about that.

Unless the SP is signing their metadata with a trusted key and you're loading it other than by hand from a local file, it makes no difference what their metadata is; it's under your control, not theirs.

-- Scott
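An added illustration of the two fixes discussed in this thread (constructed here, not taken from the original messages or from the Shibboleth project): the SP's metadata as the IdP administrator would keep it in a local file, and a relying-party.xml override that forces assertion signing whether or not the metadata flag is set. It assumes Shibboleth IdP v3 configuration syntax and uses placeholder entityID and endpoint values.

```xml
<!-- 1. Local copy of the SP metadata, as loaded by the IdP from a file the IdP
     administrator controls (constructed example; entityID and Location are
     placeholders). AuthnRequestsSigned="true" has been removed as advised in
     the thread; the attribute defaults to false when absent.
     WantAssertionsSigned="true" asks the IdP to sign the Assertion element,
     which the IdP does not do by default. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

<!-- 2. Fragment of conf/relying-party.xml (Shibboleth IdP v3 syntax assumed):
     an explicit per-entity override that turns on assertion signing for this
     one SP regardless of what its metadata says. Response signing is left at
     the profile default. -->
<util:list id="shibboleth.RelyingPartyOverrides">
  <bean parent="RelyingPartyByName"
        c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO" p:signAssertions="true" />
      </list>
    </property>
  </bean>
</util:list>
```

Either change alone is enough to get a signed assertion to this SP; the metadata edit is the one that needs no IdP-side profile override.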
