Force Shibboleth SP to request both response and assertion signature

Paolo Smiraglia paolo.smiraglia at gmail.com
Wed Dec 12 14:37:50 EST 2018


On Wed, 12 Dec 2018 at 19:29, Cantor, Scott <cantor.2 at osu.edu> wrote:
> [...]
>
> There's a setting to require signed responses and there's the ability in metadata to ask for signed assertions, there is no setting in the SP explicitly check for it. SSO best practice is to sign the response, there's no reason to sign the assertion (and good reasons not to, it discourages improper use of them).

About settings, are you referring "signing" attribute in
"AttributeConsumingService" [1] and "WantAssertionsSigned" attribute
in "SPSSODescriptor"?

If I'm wrong, can you please send me some refs? Thanks!

[1] https://wiki.shibboleth.net/confluence/display/SP3/AssertionConsumerService

-- 
PAOLO SMIRAGLIA


More information about the users mailing list