verifying security used by a new SP

Steven Carmody steven_carmody at
Thu Apr 18 15:32:46 EDT 2019

On 4/18/19 2:39 PM, Cantor, Scott wrote:
> On 4/18/19, 1:37 PM, "users on behalf of Steven Carmody" <users-bounces at on behalf of steven_carmody at> wrote:
>> our IDP is working with a new SP. I know the SP is using simplesamlphp, but
>> I'm not getting any answers from them to my questions about how the SP
>> is configured. I'd like to verify, using the IDP logs, that "reasonable"
>> security is being used.
> It is rarely necessary to sign requests, and can be actively harmful in some respects when the total picture is taken into consideration, so I wouldn't judge "reasonable" by whether they're signing. That often is a red flag that they don't understand what they're doing, in fact.

What's the current recommended practice, when dealing with an SP that 
you don't control or manage? We'll be releasing a set of attributes to
this SP, and have the usual concerns in that situation.

