verifying security used by a new SP

Cantor, Scott cantor.2 at
Thu Apr 18 14:39:44 EDT 2019

On 4/18/19, 1:37 PM, "users on behalf of Steven Carmody" <users-bounces at on behalf of steven_carmody at> wrote:

> our IDP is working with a new SP. I know the SP using simplesamlphp, but 
> I'm not getting any answers from them to my questions about how the SP 
> is configured. I'd like to verify, using the IDP logs, that "reasonable" 
> security is being used.

It is rarely necessary to sign requests, and can be actively harmful in some respects when the total picture is taking into consideration, so I wouldn't judge "reasonable" by whether they're signing. That often is a red flag that they don't understand what they're doing, in fact.

-- Scott

More information about the users mailing list