Force Shibboleth SP to request both response and assertion signature

Paolo Smiraglia paolo.smiraglia at
Wed Dec 12 14:37:50 EST 2018

On Wed, 12 Dec 2018 at 19:29, Cantor, Scott <cantor.2 at> wrote:
> [...]
> There's a setting to require signed responses and there's the ability in metadata to ask for signed assertions, there is no setting in the SP explicitly check for it. SSO best practice is to sign the response, there's no reason to sign the assertion (and good reasons not to, it discourages improper use of them).

About settings, are you referring "signing" attribute in
"AttributeConsumingService" [1] and "WantAssertionsSigned" attribute
in "SPSSODescriptor"?

If I'm wrong, can you please send me some refs? Thanks!



More information about the users mailing list