verifying security used by a new SP
Steven Carmody
steven_carmody at brown.edu
Thu Apr 18 15:32:46 EDT 2019
On 4/18/19 2:39 PM, Cantor, Scott wrote:
> On 4/18/19, 1:37 PM, "users on behalf of Steven Carmody" <users-bounces at shibboleth.net on behalf of steven_carmody at brown.edu> wrote:
>
>> Our IDP is working with a new SP. I know the SP is using simplesamlphp, but
>> I'm not getting any answers from them to my questions about how the SP
>> is configured. I'd like to verify, using the IDP logs, that "reasonable"
>> security is being used.
>
> It is rarely necessary to sign requests, and can be actively harmful in some respects when the total picture is taken into consideration, so I wouldn't judge "reasonable" by whether they're signing. That often is a red flag that they don't understand what they're doing, in fact.
>
What's the current recommended practice, when dealing with an SP that
you don't control or manage? We'll be releasing a set of attributes to
this SP, and have the usual concerns in that situation.
Thanks.