vhosts with SP, single entity id

Peter Schober peter.schober at univie.ac.at
Mon Mar 5 11:17:32 EST 2018

* William Eubank <william.eubank at uah.edu> [2018-03-05 16:55]:
> So I changed my SP to signing="true" and restarted shibd.  Still no luck.
>     <ApplicationDefaults entityID="https://host.ds.uah.edu/shibboleth"
>                          REMOTE_USER="eppn persistent-id targeted-id"
>                          signing="true">
> Or am I missing a step to get signing authn requests in play?

Sorry, "Still no luck" is not a technical error message.
Are the requests now signed (just look at them in the browser,
e.g. using Olav's SAMLtracer for Firefox) or not?

If they are signed, then this alone won't accomplish anything, you'd
still have to change the skipEndpointValidationWhenSigned option in
your IDP to make the signed request change anything.

But first I'd get our IDP to work with the existing system w/o
signing, since adding a line with an ACS for the vhost /is/ everything
that's needed and should work.
Only after that I'd look into the SP signing and IDP config change.
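
The check suggested above (is the request signed, and which ACS does it name) can also be run on a URL copied from the browser. This is an added example, not part of the original message or of Shibboleth; it assumes the SP sends the AuthnRequest with the HTTP-Redirect binding, and the vhost and IdP URLs in the sample are hypothetical.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def inspect_redirect(url):
    """Summarise an HTTP-Redirect AuthnRequest. Reports presence of a signature only;
    it does not verify it."""
    q = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in q:
        raise ValueError("no SAMLRequest parameter in URL")
    # Redirect binding: base64 of a raw DEFLATE stream (no zlib header), so wbits=-15.
    # Cap the inflated size so a hostile value cannot exhaust memory.
    raw = zlib.decompressobj(-15).decompress(base64.b64decode(q["SAMLRequest"][0]), 1 << 20)
    if b"<!DOCTYPE" in raw:
        raise ValueError("DTD in SAML message, refusing to parse")
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # In this binding the signature travels as query parameters, not inside the XML.
        "signed": "Signature" in q and "SigAlg" in q,
        "sig_alg": q.get("SigAlg", [None])[0],
    }

def _constructed_url(signed):
    # Constructed sample: the entityID is from the thread, the vhost ACS and IdP URLs
    # are hypothetical, and the Signature value is a dummy.
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           'ID="_constructed1" Version="2.0" IssueInstant="2018-03-05T16:00:00Z" '
           'AssertionConsumerServiceURL="https://vhost.example.org/Shibboleth.sso/SAML2/POST">'
           '<saml:Issuer>https://host.ds.uah.edu/shibboleth</saml:Issuer>'
           '</samlp:AuthnRequest>').encode()
    c = zlib.compressobj(wbits=-15)
    params = {"SAMLRequest": base64.b64encode(c.compress(xml) + c.flush()).decode()}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = base64.b64encode(b"constructed-dummy-signature").decode()
    return "https://idp.example.org/idp/profile/SAML2/Redirect/SSO?" + urlencode(params)

if __name__ == "__main__":
    for signed in (False, True):
        print(inspect_redirect(_constructed_url(signed)))
```

The `acs_url` value is what the IdP compares against the ACS endpoints listed in the SP's metadata.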

