verifying security used by a new SP

Brent Putman putmanb at
Thu Apr 18 14:34:10 EDT 2019

On 4/18/19 1:37 PM, Steven Carmody wrote:
> I take that to mean that the authN Request was signed, and that the
> IDP is not relying on the SP creating the TLS tunnel using the SPs
> private key -- am I right about that ?

Yes, there is a Redirect binding signature, and the logs indicated it
validated successfully. 

This is a front-channel binding request, so there of course isn't any
direct TLS channel between the SP and the IdP, because the browser is
sitting in the middle of the exchange.  So this can't be the SP doing
client TLS to the IdP, etc.

> Here's the actual request sent by the SP:

The SigAlg and Signature query params there indicate it is signed via
the Redirect binding, with RSA-SHA256.
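As an added illustration of what those two parameters carry (this is example code written for this reply, not code from the original thread or from any particular IdP or SP product), here are both sides of the HTTP-Redirect binding signature in Go: the SP signs the URL-encoded SAMLRequest, optional RelayState and SigAlg in that fixed order with RSA-SHA256, and the IdP rebuilds the same octets from the raw query string, allow-lists SigAlg, and checks Signature against the public key from the SP's registered metadata. Function names and the placeholder request and RelayState values are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"strings"
)

const rsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
// signedOctets is the exact string both sides sign: URL-encoded SAMLRequest, then RelayState (omitted when absent), then SigAlg.
func signedOctets(req, rs, alg string) string {
	if rs != "" {
		rs = "&RelayState=" + rs
	}
	return "SAMLRequest=" + req + rs + "&SigAlg=" + alg
}

// signRedirect is the SP side: RSA-SHA256 over signedOctets, appended as Signature.
func signRedirect(priv *rsa.PrivateKey, samlRequest, relayState string) (string, error) {
	data := signedOctets(url.QueryEscape(samlRequest), url.QueryEscape(relayState), url.QueryEscape(rsaSha256))
	h := sha256.Sum256([]byte(data))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return data + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// verifyRedirect is the IdP side. Values stay exactly as the SP encoded them
// (re-encoding may differ); pub comes from SP metadata, never from the request.
func verifyRedirect(pub *rsa.PublicKey, rawQuery string) error {
	p := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			p[k] = v
		}
	}
	sigB64, _ := url.QueryUnescape(p["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if alg, _ := url.QueryUnescape(p["SigAlg"]); err != nil || alg != rsaSha256 {
		return errors.New("unsupported SigAlg or malformed Signature")
	}
	h := sha256.Sum256([]byte(signedOctets(p["SAMLRequest"], p["RelayState"], p["SigAlg"])))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}
```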
