how to force idp v3 to sign saml assertion

Cantor, Scott cantor.2 at osu.edu
Sun May 7 12:31:42 EDT 2017


On 5/6/17, 4:27 PM, "users on behalf of Brent Putman" <users-bounces at shibboleth.net on behalf of putmanb at georgetown.edu> wrote:

> Scott may have a different take on it. If we take the Profiles language in its literal interpretation, then that's potentially a problem
> for our IdP.  But I don't think that's the case.

You're looking at the non-errata'd spec; that language was clarified. No SP requiring signed assertions strictly for SSO is behaving appropriately, but if it needs the signature for some subsequent purpose, that's permissible. There's no way this one is.

Also, the way to turn on assertion signing like this is really in the metadata anyway. Just add WantAssertionSigned="true" to the SP role. You don't need overrides for it.

-- Scott
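
An added example, not part of the original message: a Python check that reports whether an SP role in metadata asks for signed assertions and sets the flag when it is missing. In the SAML 2.0 metadata schema the attribute on SPSSODescriptor is spelled WantAssertionsSigned; the entityID, endpoint and function names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"
SP_ROLE = f"{{{MD_NS}}}SPSSODescriptor"
ET.register_namespace("md", MD_NS)

# Constructed sample metadata; the entityID and endpoint are placeholders.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def wants_assertions_signed(xml_text):
    """Map each entityID that has an SP role to its WantAssertionsSigned value."""
    root = ET.fromstring(xml_text)
    result = {}
    # iter() includes the root, so this handles a single EntityDescriptor
    # as well as an EntitiesDescriptor aggregate.
    for entity in root.iter(ENTITY):
        for role in entity.iter(SP_ROLE):
            # xs:boolean accepts "true"/"1"; an absent attribute means false.
            value = role.get("WantAssertionsSigned", "false").strip()
            result[entity.get("entityID")] = value in ("true", "1")
    return result


def require_signed_assertions(xml_text, entity_id):
    """Return metadata with WantAssertionsSigned="true" on entity_id's SP role."""
    root = ET.fromstring(xml_text)
    for entity in root.iter(ENTITY):
        if entity.get("entityID") == entity_id:
            for role in entity.iter(SP_ROLE):
                role.set("WantAssertionsSigned", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    print(wants_assertions_signed(SAMPLE_SP_METADATA))
    print(require_signed_assertions(SAMPLE_SP_METADATA, sp))
```

Editing metadata that carries an XML signature invalidates that signature, so a change like this belongs in locally maintained metadata rather than in a signed aggregate.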






