Force Shibboleth SP to request both response and assertion signature
John Dennis
jdennis at redhat.com
Wed Dec 12 14:06:06 EST 2018
On 12/12/18 1:29 PM, Cantor, Scott wrote:
> SSO best practice is to sign the response, there's no reason to sign
> the assertion (and good reasons not to, it discourages improper use
> of them).
Timely. I just fixed a bug where the IdP signed the Assertion instead of
the Response and our library didn't handle the signed Assertion.
I'm curious as to why you say signing the Assertion is not a good idea
and how it leads to improper use. Could you elaborate please?
Since I know of at least one implementation that signs the Assertion
instead of the Response, if that's bad practice then I'll advocate to see
it changed.
--
John Dennis
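The bug described above (an IdP signing the Assertion rather than the Response, and a consumer that only looked for one of the two) comes down to locating the ds:Signature and checking what it actually covers. The following is an added example, not code from the Shibboleth project or from either poster; it uses only the Python standard library and does not verify the signature cryptographically. It reports whether the Response, the Assertion(s), or neither carries a signature, and flags a Reference whose URI does not point at the ID of the element enclosing the signature (SAML 2.0 Core 5.4.2 requires the single Reference to target the enclosing element's ID). The sample messages are constructed for the example; the IDs `_r1`, `_a1` and the NameID `alice` are invented.

```python
"""Report where the XML-Signature sits in a SAML 2.0 Response.

Added example (stdlib only). It inspects structure and Reference URIs;
it does NOT check SignatureValue, certificates, or canonicalization.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _referenced_ids(element):
    """IDs named by ds:Reference/@URI inside ds:Signature elements that are
    DIRECT children of `element` (findall with a plain tag is non-recursive,
    so an Assertion's signature is not mistaken for the Response's)."""
    ids = set()
    for sig in element.findall("ds:Signature", NS):
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            ids.add(uri[1:] if uri.startswith("#") else uri)
    return ids


def _placement(element, result, key):
    """Record whether `element` is signed and whether its signature's
    Reference targets the element's own ID."""
    own_id = element.get("ID")
    refs = _referenced_ids(element)
    if not refs:
        return
    if own_id in refs:
        result[key].append(own_id)
    # A Reference that names some other element than the one enclosing the
    # signature is the classic signature-wrapping warning sign: reject it.
    result["mismatched_refs"].extend(sorted(refs - {own_id}))


def signature_placement(xml_text):
    """Return {'response': [...ids], 'assertions': [...ids],
    'mismatched_refs': [...ids]} for a samlp:Response document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    result = {"response": [], "assertions": [], "mismatched_refs": []}
    _placement(root, result, "response")
    for assertion in root.findall("saml:Assertion", NS):
        _placement(assertion, result, "assertions")
    return result


# --- constructed sample messages (no real signatures; SignatureValue is a
# placeholder so the document is structurally a signed SAML Response) ---
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
        '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')


def sample_response(sign_response, sign_assertion, assertion_ref="_a1"):
    """Build a minimal Response; `assertion_ref` lets a test simulate an
    Assertion signature whose Reference points at the wrong element."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_r1" Version="2.0">'
        + (_SIG % "_r1" if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        + (_SIG % assertion_ref if sign_assertion else "")
        + "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
        + "</saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    print("response signed :", signature_placement(sample_response(True, False)))
    print("assertion signed:", signature_placement(sample_response(False, True)))
    print("wrong reference :", signature_placement(sample_response(False, True, "_r1")))
```

A consumer that, like the library in the report above, only handles one placement would see an empty `response` list for the second message and treat it as unsigned; the `mismatched_refs` output is the case to reject outright, since a signature whose Reference points outside the element it is attached to does not bind that element.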