Force Shibboleth SP to request both response and assertion signature

Cantor, Scott cantor.2 at
Wed Dec 12 13:29:03 EST 2018

On 12/12/18, 1:21 PM, "users on behalf of Paolo Smiraglia" <users-bounces at on behalf of paolo.smiraglia at> wrote:

> I need to configure my Shibboleth SP (3.x) in order to mandatory
> require both the assertion and the response (nested) signatures. Any
> seggestion?

There's a setting to require signed responses and there's the ability in metadata to ask for signed assertions, there is no setting in the SP explicitly check for it. SSO best practice is to sign the response, there's no reason to sign the assertion (and good reasons not to, it discourages improper use of them).

-- Scott

More information about the users mailing list