Ang: Re: Ang.: RE: Ang.: Re: Unsoclicited SSO questions

Johan Romin johan.romin at
Fri May 29 17:24:45 EDT 2015

-----"users" <users-bounces at> wrote: -----
To: Shib Users <users at>
From: "Cantor, Scott" 
Sent by: "users" 
Date: 2015-05-29 22:16
Subject: Re: Ang.: RE: Ang.: Re: Unsoclicited SSO questions

On 5/29/15, 3:52 PM, "users on behalf of Andrew Morgan" <users-bounces at on behalf of morgan at> wrote:

>>Remove AuthnRequestsSigned="true".  Put WantAssertionsSigned="true" back 
>>in the metadata.  I'm pretty sure that's what Rod meant to say.
>Yes. If the SP requires signed assertions, WantAssertionsSigned will ensure the IdP does so, even if it is not doing so (which it doesn't by default since that's unnecessary).
>The SP also has a bug, because I can bet you a large sum of money they have no reason to be requiring signed assertions.

Alright, I've tried to remove the authnrequestsigned attribute and now the SP isn't able to validate the assertion. I've contacted the Service Provider, which is a part of IBM, and they are using IBM Tivoli Federated Identity Manager as their endpoint. I'm not sure if this helps anyone but I hope it might shed some light onto this.

I've contacted their support team that are working with this setup and I hope they might be able to help me with more on this.

>>You can also override the metadata settings (at least, I think it 
>>overrides what is in metadata) on a per-entity basis by changing 
>You can explicitly enable assertion signing, certainly, whether the metadata flag is on or not.
>>>Thank you for the input. I have tried path 3 to change the WantAssertionsSigned but
>>> now the sp isn't able to validate my assertion.
>>> Path 1 and 2 isn't an option and the service provider will not change their metadata
>>> as I have already asked about that.
>Unless the SP is signing their metadata with a trusted key and you're loading it other than by hand from a local file, it makes no difference what their metadata is, it's under your control, not theirs.
>-- Scott
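
Added example, not part of the original messages: a Python sketch of the metadata change discussed in this thread, applied to a hand-maintained local copy of an SP's metadata. The sample metadata, entityID and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample: local copy of an SP's metadata (entityID and URL are made up).
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def xs_bool(value):
    """Interpret an xs:boolean attribute; an absent attribute counts as false."""
    return value is not None and value.strip() in ("true", "1")

def signing_flags(metadata_xml):
    """Map entityID -> (AuthnRequestsSigned, WantAssertionsSigned) per SP role."""
    root = ET.fromstring(metadata_xml)
    flags = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for sp in entity.findall(f"{{{MD_NS}}}SPSSODescriptor"):
            flags[entity.get("entityID")] = (
                xs_bool(sp.get("AuthnRequestsSigned")),
                xs_bool(sp.get("WantAssertionsSigned")),
            )
    return flags

def apply_thread_advice(metadata_xml):
    """Drop AuthnRequestsSigned and set WantAssertionsSigned="true".

    Only for a local file loaded by hand: editing metadata that carries an
    XML signature invalidates that signature.
    """
    root = ET.fromstring(metadata_xml)
    for sp in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        sp.attrib.pop("AuthnRequestsSigned", None)
        sp.set("WantAssertionsSigned", "true")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("before:", signing_flags(SAMPLE_SP_METADATA))
    print("after: ", signing_flags(apply_thread_advice(SAMPLE_SP_METADATA)))
```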
