verifying security used by a new SP
putmanb at georgetown.edu
Thu Apr 18 14:34:10 EDT 2019
On 4/18/19 1:37 PM, Steven Carmody wrote:
> I take that to mean that the authN Request was signed, and that the
> IDP is not relying on the SP creating the TLS tunnel using the SP's
> private key -- am I right about that?
Yes, there is a Redirect binding signature, and the logs indicated it
This is a front-channel binding request, so there of course isn't any
direct TLS channel between the SP and the IdP, b/c the browser is
sitting in the middle of the exchange. So this can't be SP doing
clientTLS to the IdP, etc.
> Here's the actual request sent by the SP:
The SigAlg and Signature query params there indicate it is signed via
the Redirect binding, with RSA-SHA256.
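An added example, not part of the original post or of any IdP's code: it inspects an HTTP-Redirect AuthnRequest URL for the SigAlg and Signature parameters discussed above, decodes the request, and rebuilds the exact octet string the signature covers. The host names, the sample request and the placeholder signature bytes are constructed for illustration; the RSA-SHA256 verification itself (against the certificate in the SP's metadata) is left out.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, urlsplit

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def inspect_redirect_request(url):
    """Report whether an HTTP-Redirect AuthnRequest is signed, and over what."""
    # Keep the raw percent-encoded values: the signature covers them as sent.
    raw = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        raw.setdefault(name, value)
    if "SAMLRequest" not in raw:
        raise ValueError("no SAMLRequest parameter")
    signed = "SigAlg" in raw and "Signature" in raw
    signed_input = None
    if signed:
        # Signed octets: SAMLRequest, optional RelayState, SigAlg, in that order.
        parts = ["SAMLRequest=" + raw["SAMLRequest"]]
        if "RelayState" in raw:
            parts.append("RelayState=" + raw["RelayState"])
        parts.append("SigAlg=" + raw["SigAlg"])
        signed_input = "&".join(parts).encode("ascii")
    # The message is base64 over raw DEFLATE (no zlib header), hence wbits=-15.
    xml = zlib.decompress(base64.b64decode(unquote(raw["SAMLRequest"])), -15)
    # ElementTree keeps this short; use a hardened XML parser on untrusted input.
    issuer = ET.fromstring(xml).findtext("{%s}Issuer" % SAML_NS)
    return {"issuer": issuer, "signed": signed,
            "sig_alg": unquote(raw["SigAlg"]) if signed else None,
            "signature": base64.b64decode(unquote(raw["Signature"])) if signed else None,
            "signed_input": signed_input}

def build_sample_url(with_signature=True):
    """Constructed sample; hosts are hypothetical, signature bytes are a placeholder."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="' + SAML_NS + '" ID="_c1" Version="2.0" '
           'IssueInstant="2019-04-18T17:00:00Z">'
           '<saml:Issuer>https://sp.example.org/sp</saml:Issuer></samlp:AuthnRequest>')
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    req = base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()
    url = "https://idp.example.org/sso?SAMLRequest=" + quote(req, safe="") + "&RelayState=abc%2F1"
    if with_signature:
        sig = base64.b64encode(b"\x00" * 256).decode()
        url += "&SigAlg=" + quote(RSA_SHA256, safe="") + "&Signature=" + quote(sig, safe="")
    return url
```

The `signed_input` and `signature` values returned here are the two inputs an RSA-SHA256 verification would take.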