verifying security used by a new SP

Steven Carmody steven_carmody at brown.edu
Thu Apr 18 13:37:28 EDT 2019


Hi,

our IDP is working with a new SP. I know the SP is using simplesamlphp, but 
I'm not getting any answers from them to my questions about how the SP 
is configured. I'd like to verify, using the IDP logs, that "reasonable" 
security is being used.

I see these lines in the IDP log:

2019-01-23 14:39:05,922 - DEBUG 
[org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:271] 
- Message Handler:  Simple signature validation (with no request-derived 
credentials) was successful - [nprce7uwx22s10f3g07vn3z5e] - [10.55.241.129]

2019-01-23 14:39:05,922 - DEBUG 
[org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:203] 
- Message Handler:  Validation of request simple signature succeeded - 
[nprce7uwx22s10f3g07vn3z5e] - [10.55.241.129]

2019-01-23 14:39:05,922 - DEBUG 
[org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler:205] 
- Message Handler:  Authentication via request simple signature 
succeeded for context issuer entity ID 
https://academics.webservices.site/simplesaml/module.php/saml/sp/metadata.php/default-sp 
- [nprce7uwx22s10f3g07vn3z5e] - [10.55.241.129]

I take that to mean that the authN Request was signed, and that the IDP 
is not relying on the SP creating the TLS tunnel using the SP's private 
key -- am I right about that?

Here's the actual request sent by the SP:

GET 
https://sso.brown.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=hZJbj9owEIX%2FSuT3xEkINwuQ2KLVItGCCO1DXyrHHoqlxE49k6b9981lV0v7QJ8sz8w5%2BubYK5RVWYttQzd7hh8NIAW%2FqtKiGBpr1ngrnESDwsoKUJAS%2BfbjQaRRLGrvyClXsjvJY4VEBE%2FGWRbsd2v2bTKbZrHUEuYaklkySWGmC1UkOtbFYl7IJFXL6VTJYsqCL%2BCxU65ZZ9TJERvYWyRpqSvFyTKMszBeXtJYJAuRpV9ZsOu2MVbSoLoR1Sg4R3RR4V1rI9ANN7rm3RpXUwLvKVN%2BBm08KOJ5fmTB9g34g7PYVOBz8D%2BNgs%2Fnw7tl27ZRCwWOLYzQEIgsm3A0VV1CHwuvnG5KiOpbzYc7jmcaSoVDVcNVNiWFWLPg9Brsk7Ha2O%2BPMy3GIRQvl8spPB3zC9usem8xZOQ3jzD%2Fg1gBda9D8h%2FCFb%2F3X41%2F6FNHtt%2BdXGnU7%2BDZ%2BUrSY%2FC%2BYnR4HUYFeWnRgCXGN6P%2F399y8wc%3D&RelayState=https%3A%2F%2Fwww.webservices.site%2Fsaml_login&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=G0CAF7T7pulhCstpVpNkSNpu9oTo6zsMwf89LnxntEsUGfN8RbJzKIvpoW5CVU%2F4oamUvz1T0TzBCsFf1iA3l5rs3m%2B%2BtFTSbUEbxK9SaO5yBCrcXDbAFZTvPqSQcJOcWsEGz5zb81dJQI7qJBYNw17jhsHvJfFq8xLhM06vlkEXtGHzZZ85X%2FaaSV6fkc36eTq9wnwCfEtEuPiJri%2FMwdAtvJjX6HEWPmFzvKWVQjyaXAQOMi3hXxy%2FNdm%2BfUN8iZbTtx0Ktzze8tTI7104aqYCmZnLGjKBjrqORq5ssiQUN47MdiQRwmzrgTT8lKsop8J3eUIFqy%2BaX6FcvQ2iWw%3D%3D

thanks !
