Force Shibboleth SP to request both response and assertion signature

John Dennis jdennis at
Wed Dec 12 14:06:06 EST 2018

On 12/12/18 1:29 PM, Cantor, Scott wrote:
> SSO best practice is to sign the response, there's no reason to sign
> the assertion (and good reasons not to, it discourages improper use
> of them).

Timely. I just fixed a bug where the IdP signed the Assertion instead of 
the Response and our library didn't handle the signed Assertion.

I'm curious as to why you say signing the Assertion is not a good idea 
and how it leads to improper use. Could you elaborate please?

Since I know of at least one implementation that signs the Assertion 
instead of Response if that's bad practice then I'll advocate to see it 

John Dennis
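An added illustration of the case John describes (example code, not from this thread, from Shibboleth, or from his library): an SP-side check that reports whether the samlp:Response, its saml:Assertion elements, or both carry an enveloped XML signature, so a policy such as "require a signed Response" can be applied explicitly rather than by accident. It only locates signatures; cryptographic verification is assumed to happen elsewhere, and the sample message is constructed.

```python
"""Report where the ds:Signature elements sit in a SAML 2.0 Response."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIG = "{%s}Signature" % NS["ds"]
SAMLP_RESPONSE = "{%s}Response" % NS["samlp"]


def has_enveloped_signature(elem):
    # SAML Core 5.4.1 requires enveloped signatures: the ds:Signature must be
    # a direct child of the element it signs, not nested somewhere deeper.
    return any(child.tag == DS_SIG for child in elem)


def signature_locations(response_xml):
    """Return which parts of a samlp:Response are (enveloped-)signed."""
    root = ET.fromstring(response_xml)
    if root.tag != SAMLP_RESPONSE:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response": has_enveloped_signature(root),
        "assertions": [has_enveloped_signature(a) for a in assertions],
    }


def acceptable(locs, require_response=True, require_assertion=False):
    """Policy check: does the message meet the SP's signing requirements?
    With both flags False, either a signed Response or all-signed
    Assertions is enough; the flags make one or both mandatory."""
    all_assertions_signed = bool(locs["assertions"]) and all(locs["assertions"])
    if require_response and not locs["response"]:
        return False
    if require_assertion and not all_assertions_signed:
        return False
    return locs["response"] or all_assertions_signed


# Constructed sample: the IdP signed the Assertion but not the Response,
# the situation described in the message above (no real keys or digests).
ASSERTION_SIGNED_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
    <saml:Subject/>
  </saml:Assertion>
</samlp:Response>"""
```

Running `acceptable(signature_locations(ASSERTION_SIGNED_ONLY))` with the default "require a signed Response" policy rejects this message, while relaxing the policy accepts it on the strength of the signed Assertion.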

