Is skipEndpointValidationWhenSigned still an issue?

Brent Putman putmanb at
Wed May 25 12:30:32 EDT 2016

On 5/25/16 12:12 PM, Cantor, Scott wrote:
> That's signed XML. The bug didn't apply to that case, it was breaking on signed redirects.

I noticed that the AuthnRequest has both AssertionConsumerServiceIndex
and AssertionConsumerServiceURL, BUT no ProtocolBinding.  Because of
the absence of the binding, perhaps the URL can't be effectively
evaluated? And if there's no metadata corresponding for that index then
it wouldn't work either?  Just speculating.

At the very least that request seems malformed, since per Core index is
mutually exclusive with URL + binding.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list