Force Shibboleth SP to request both response and assertion signature
Paolo Smiraglia
paolo.smiraglia at gmail.com
Wed Dec 12 14:37:50 EST 2018
On Wed, 12 Dec 2018 at 19:29, Cantor, Scott <cantor.2 at osu.edu> wrote:
> [...]
>
> There's a setting to require signed responses and there's the ability in metadata to ask for signed assertions, there is no setting in the SP to explicitly check for it. SSO best practice is to sign the response, there's no reason to sign the assertion (and good reasons not to, it discourages improper use of them).
About the settings, are you referring to the "signing" attribute in
"AttributeConsumingService" [1] and the "WantAssertionsSigned" attribute
in "SPSSODescriptor"?
If I'm wrong, can you please send me some refs? Thanks!
[1] https://wiki.shibboleth.net/confluence/display/SP3/AssertionConsumerService
--
PAOLO SMIRAGLIA
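
Added example, not part of the original message and not Shibboleth code: a small Python check that reads the "WantAssertionsSigned" flag from an SP's "SPSSODescriptor" and reports whether a SAML 2.0 Response carries a signature on the response, on the assertion, or on both. The function names and the sample XML are constructed for illustration, and the check looks only at where ds:Signature elements are placed; it does not validate them.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def wants_assertions_signed(metadata_xml):
    """Return the SP's WantAssertionsSigned flag (xs:boolean, default false)."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}SPSSODescriptor" % NS["md"]
    sp = root if root.tag == tag else root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    return sp.get("WantAssertionsSigned", "false").strip() in ("true", "1")

def signature_placement(response_xml):
    """Report where ds:Signature elements sit in a SAML 2.0 Response.
    Presence only: this does not validate any signature."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        # An enveloped signature is a direct child of the element it signs.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions_signed": bool(assertions) and all(
            a.find("ds:Signature", NS) is not None for a in assertions),
        # Signatures inside an EncryptedAssertion are invisible until decrypted.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

# Constructed samples; the empty ds:Signature elements are placeholders.
SP_METADATA = ('<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example.org/sp">'
               '<md:SPSSODescriptor WantAssertionsSigned="true" '
               'protocolSupportEnumeration="%s"/></md:EntityDescriptor>'
               % (NS["md"], NS["samlp"]))
_OPEN = '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">' % (
    NS["samlp"], NS["saml"], NS["ds"])
RESPONSE_ONLY = _OPEN + '<ds:Signature/><saml:Assertion/></samlp:Response>'
BOTH_SIGNED = (_OPEN + '<ds:Signature/><saml:Assertion><ds:Signature/>'
               '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print("SP asks for signed assertions:", wants_assertions_signed(SP_METADATA))
    for name, doc in (("response only", RESPONSE_ONLY), ("both", BOTH_SIGNED)):
        print(name, signature_placement(doc))
```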