verifying security used by a new SP
Steven Carmody
steven_carmody at brown.edu
Thu Apr 18 13:37:28 EDT 2019
Hi,
our IDP is working with a new SP. I know the SP is using simplesamlphp, but
I'm not getting any answers from them to my questions about how the SP
is configured. I'd like to verify, using the IDP logs, that "reasonable"
security is being used.
I see these lines in the IDP log:
2019-01-23 14:39:05,922 - DEBUG
[org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:271]
- Message Handler: Simple signature validation (with no request-derived
credentials) was successful - [nprce7uwx22s10f3g07vn3z5e] - [10.55.241.129]
2019-01-23 14:39:05,922 - DEBUG
[org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:203]
- Message Handler: Validation of request simple signature succeeded -
[nprce7uwx22s10f3g07vn3z5e] - [10.55.241.129]
2019-01-23 14:39:05,922 - DEBUG
[org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:205]
- Message Handler: Authentication via request simple signature
succeeded for context issuer entity ID
https://academics.webservices.site/simplesaml/module.php/saml/sp/metadata.php/default-sp
- [nprce7uwx22s10f3g07vn3z5e] - [10.55.241.129]
I take that to mean that the authN Request was signed, and that the IDP
is not relying on the SP creating the TLS tunnel using the SP's private
key -- am I right about that?
Here's the actual request sent by the SP:
GET
https://sso.brown.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=hZJbj9owEIX%2FSuT3xEkINwuQ2KLVItGCCO1DXyrHHoqlxE49k6b9981lV0v7QJ8sz8w5%2BubYK5RVWYttQzd7hh8NIAW%2FqtKiGBpr1ngrnESDwsoKUJAS%2BfbjQaRRLGrvyClXsjvJY4VEBE%2FGWRbsd2v2bTKbZrHUEuYaklkySWGmC1UkOtbFYl7IJFXL6VTJYsqCL%2BCxU65ZZ9TJERvYWyRpqSvFyTKMszBeXtJYJAuRpV9ZsOu2MVbSoLoR1Sg4R3RR4V1rI9ANN7rm3RpXUwLvKVN%2BBm08KOJ5fmTB9g34g7PYVOBz8D%2BNgs%2Fnw7tl27ZRCwWOLYzQEIgsm3A0VV1CHwuvnG5KiOpbzYc7jmcaSoVDVcNVNiWFWLPg9Brsk7Ha2O%2BPMy3GIRQvl8spPB3zC9usem8xZOQ3jzD%2Fg1gBda9D8h%2FCFb%2F3X41%2F6FNHtt%2BdXGnU7%2BDZ%2BUrSY%2FC%2BYnR4HUYFeWnRgCXGN6P%2F399y8wc%3D&RelayState=https%3A%2F%2Fwww.webservices.site%2Fsaml_login&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=G0CAF7T7pulhCstpVpNkSNpu9oTo6zsMwf89LnxntEsUGfN8RbJzKIvpoW5CVU%2F4oamUvz1T0TzBCsFf1iA3l5rs3m%2B%2BtFTSbUEbxK9SaO5yBCrcXDbAFZTvPqSQcJOcWsEGz5zb81dJQI7qJBYNw17jhsHvJfFq8xLhM06vlkEXtGHzZZ85X%2FaaSV6fkc36eTq9wnwCfEtEuPiJri%2FMwdAtvJjX6HEWPmFzvKWVQjyaXAQOMi3hXxy%2FNdm%2BfUN8iZbTtx0Ktzze8tTI7104aqYCmZnLGjKBjrqORq5ssiQUN47MdiQRwmzrgTT8lKsop8J3eUIFqy%2BaX6FcvQ2iWw%3D%3D
thanks!
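Added example, not from the post and not code from Shibboleth or simplesamlphp: a small Python script that rebuilds the HTTP-Redirect binding the way the SP does (DEFLATE, base64, URL-encode, then the "SAMLRequest=..&RelayState=..&SigAlg=.." string that gets signed) and inspects a captured request from the IdP side, reporting whether SigAlg and Signature are present, which algorithm is named, the exact bytes the IdP's signature check covers, and the inflated AuthnRequest XML. The sample AuthnRequest and the example URLs are constructed; checking the Signature value itself additionally needs the SP's signing certificate from its metadata, which the post does not include.

```python
import base64
import zlib
from urllib.parse import urlsplit, quote, unquote

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# SHA-1 based SigAlg values a reviewer would flag as weak
WEAK_SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                 "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}
# Constructed sample AuthnRequest (not the SP's real request from the post)
SAMPLE_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
              ' ID="_example" Version="2.0" IssueInstant="2019-01-23T14:39:05Z"/>')

def encode_redirect_request(xml, relay_state, sig_alg):
    """Build the string an SP signs for the Redirect binding (SAML 2.0 Bindings
    3.4.4.1): raw DEFLATE + base64 + URL-encode, then SAMLRequest/RelayState/SigAlg."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    parts = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in parts)

def inspect_redirect_request(url):
    """Report whether a Redirect-binding AuthnRequest carries a signature, which
    algorithm it names, the exact bytes the IdP verifies, and the inflated XML."""
    raw = {}
    for part in urlsplit(url).query.split("&"):
        name, _, value = part.partition("=")
        raw[name] = value                 # keep the sender's own URL-encoding intact
    dec = {k: unquote(v) for k, v in raw.items()}   # unquote(), not unquote_plus(): '+' is base64
    info = {"signed": "Signature" in raw and "SigAlg" in raw,
            "sig_alg": dec.get("SigAlg"), "weak_alg": dec.get("SigAlg") in WEAK_SIG_ALGS,
            "signed_data": None, "signature_b64": dec.get("Signature"), "authn_request": None}
    if info["signed"]:
        # Signed data is the raw query components in this fixed order, omitting absent ones
        order = [k for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw]
        info["signed_data"] = "&".join(f"{k}={raw[k]}" for k in order)
    try:
        inflated = zlib.decompress(base64.b64decode(dec["SAMLRequest"]), -15)
        info["authn_request"] = inflated.decode("utf-8")
    except (KeyError, ValueError, zlib.error):
        pass                              # missing or not a valid Redirect-binding payload
    return info

if __name__ == "__main__":
    q = encode_redirect_request(SAMPLE_XML, "https://sp.example/app", RSA_SHA256)
    print(inspect_redirect_request("https://idp.example/SSO?" + q + "&Signature=AAAA"))
```

For a real capture, pass the full redirect URL from the IdP's access log or the browser; a request with no Signature/SigAlg pair, or a SigAlg in the SHA-1 set, is the thing to raise with the SP.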