Force Shibboleth SP to request both response and assertion signature

Cantor, Scott cantor.2 at
Wed Dec 12 14:15:10 EST 2018

On 12/12/18, 2:06 PM, "John Dennis" <jdennis at> wrote:

> I'm curious as to why you say signing the Assertion is not a good idea 
> and how it leads to improper use. Could you elaborate please?

Signing an SSO assertion (a bearer token with inherent constraints on its usage for a single relying party) is only relevant for assertions that are carrying appropriate delegation semantics that would allow them to be used for some other purpose without violating the standard.

In practice, most people doing anything with an SSO assertion that would necessitate signing them are throwing assertions around blindly without any regard for the standard and subject to the rigorous security rule "dunno, it's signed, we checked the signature, don't care about anything else". An unsigned assertion causes some (probably not even a majority) of those scenarios to fail.

> Since I know of at least one implementation that signs the Assertion 
> instead of Response if that's bad practice then I'll advocate to see it 
> changed.

It's not bad practice; signing both for no reason is the only practice that's arguably bad, simply because it's twice the work (and you're forcing the SP to do twice the work too). But there have been vulnerability mitigations in the past with encryption that are harder to exploit if you encrypt then sign, and that requires signing the response. It's the accepted "better choice" to sign that layer if you're only signing one of them, and limiting unnecessary options improves interoperability.

-- Scott
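
Added example, not part of the original message and not Shibboleth's own code: the single-relying-party constraints a SAML 2.0 bearer SSO assertion carries, checked by the receiving SP after the signature has already been verified elsewhere. The function name `bearer_violations` and every URL, ID and timestamp in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: every URL, ID and timestamp below is made up for illustration.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2018-12-12T19:00:00Z">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.org/acs" NotOnOrAfter="2018-12-12T19:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def bearer_violations(xml_text, sp_entity_id, acs_url, request_id, now):
    """Reasons this SP must reject the assertion; an empty list means it may be used."""
    assertion = ET.fromstring(xml_text)  # trusted sample; signature assumed verified already
    problems = []
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    if sp_entity_id not in [(a.text or "").strip() for a in assertion.findall(path, NS)]:
        problems.append("audience")
    per_confirmation = []
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        # Each pair is (failure label, condition that must hold).
        per_confirmation.append([label for label, ok in (
            ("recipient", data.get("Recipient") == acs_url),
            ("in_response_to", data.get("InResponseTo") == request_id),
            ("expired", expiry is not None and now < _utc(expiry)),
        ) if not ok])
    if not per_confirmation:
        problems.append("no_bearer_confirmation")
    elif all(per_confirmation):  # no bearer confirmation passed every check
        problems.extend(per_confirmation[0])
    return problems
```

A validly signed assertion still fails these checks at any party other than the one named in `Audience` and `Recipient`, which is the usage constraint the message refers to.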
