Re: Re: Re: RE: Re: Re: Unsolicited SSO questions
Johan Romin
johan.romin at egbs.se
Fri May 29 17:24:45 EDT 2015
-----"users" <users-bounces at shibboleth.net> wrote: -----
To: Shib Users <users at shibboleth.net>
From: "Cantor, Scott"
Sent by: "users"
Date: 2015-05-29 22:16
Subject: Re: Re: RE: Re: Re: Unsolicited SSO questions
On 5/29/15, 3:52 PM, "users on behalf of Andrew Morgan" <users-bounces at shibboleth.net on behalf of morgan at orst.edu> wrote:
>>Remove AuthnRequestsSigned="true". Put WantAssertionsSigned="true" back
>>in the metadata. I'm pretty sure that's what Rod meant to say.
>
>Yes. If the SP requires signed assertions, WantAssertionsSigned will ensure the IdP does so, even if it is not doing so (which it doesn't by default since that's unnecessary).
>
>The SP also has a bug, because I can bet you a large sum of money they have no reason to be requiring signed assertions.
Alright, I've tried removing the AuthnRequestsSigned attribute, and now the SP isn't able to validate the assertion. I've contacted the Service Provider, which is part of IBM, and they are using IBM Tivoli Federated Identity Manager as their endpoint. I'm not sure if this helps anyone, but I hope it might shed some light onto this.
I've contacted their support team that is working with this setup, and I hope they might be able to help me further with this.
>>You can also override the metadata settings (at least, I think it
>>overrides what is in metadata) on a per-entity basis by changing
>>relying-party.xml.
>
>You can explicitly enable assertion signing, certainly, whether the metadata flag is on or not.
>
>>>Thank you for the input. I have tried path 3 to change the WantAssertionsSigned, but
>>> now the SP isn't able to validate my assertion.
>>> Paths 1 and 2 aren't an option, and the service provider will not change their metadata,
>>> as I have already asked about that.
>
>Unless the SP is signing their metadata with a trusted key and you're loading it other than by hand from a local file, it makes no difference what their metadata is, it's under your control, not theirs.
>
>
>-- Scott
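The two points Scott makes above (assertion signing can be forced per relying party in relying-party.xml, and an SP's metadata loaded from a local file is under the IdP operator's control) can be expressed as configuration. The following is an added example, not a fragment from this thread or from the Shibboleth project's shipped files; it assumes Shibboleth IdP v3 configuration syntax, a hypothetical SP entityID of https://sp.example.org/shibboleth, and a hypothetical local metadata file name. The xmlns:c and xmlns:p prefixes are the ones the stock relying-party.xml already declares.

```xml
<!-- relying-party.xml (Shibboleth IdP v3 syntax, assumed): force assertion
     signing for one SP regardless of what its metadata flags say. The
     entityID is a hypothetical example value. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <!-- signAssertions="true" overrides the WantAssertionsSigned
                 metadata flag for this relying party only; the default
                 RelyingParty bean below is left unchanged. -->
            <bean parent="SAML2.SSO" p:signAssertions="true" />
        </list>
    </property>
</bean>

<!-- metadata-providers.xml (assumed file name in the IdP's metadata directory):
     the SP's metadata is loaded from a local copy, so the operator may edit
     the SPSSODescriptor flags without waiting for the SP to republish. -->
<MetadataProvider id="ExampleSP"
                  xsi:type="FilesystemMetadataProvider"
                  metadataFile="%{idp.home}/metadata/example-sp-metadata.xml" />

<!-- Inside that local copy (example-sp-metadata.xml), the corrected flags:
     AuthnRequestsSigned removed (the IdP must not demand signed requests the
     SP never sends), WantAssertionsSigned kept on because the SP insists on
     signed assertions. Only the attributes of interest are shown; the rest of
     the descriptor is left as published by the SP. -->
<md:SPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
    WantAssertionsSigned="true">
    <!-- ... KeyDescriptor, AssertionConsumerService etc. unchanged ... -->
</md:SPSSODescriptor>
```

Either change on its own is sufficient to make the IdP sign assertions for this SP; the relying-party.xml override is the more robust choice when the SP's metadata may later be refreshed from a source the operator does not control.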