Encrypting NameID's and Signing Logout Messages

Lipscomb, Gary glipscomb at csu.edu.au
Wed May 15 19:31:25 EDT 2019

break my knuckles - yes
nudging people towards specification compliance - yes

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
Sent: Thursday, 16 May 2019 09:18
To: Shib Users <users at shibboleth.net>
Subject: Encrypting NameID's and Signing Logout Messages


We have a very surprising amount of testing going on using SLO on SAMLtest.  Most of these SLO requests are not signed and many use a NameID rather than an EncryptedID.  Naturally, they fail.

The reasons for signing and encrypting assertions is obvious, and the same reasons would apply to front-channel SLO requests.  But to some extent, the arguments that apply to not signing front-channel AuthnRequests also apply: there isn't much damage that can be done by forging a LogoutRequest other than being annoying and potentially losing sessions and data in applications.

Not downplaying the significance of that, but looking for interoperability, how many people here would break my knuckles for setting idp.logout.authenticated to false on SAMLtest and relying on TLS?  Given that it's just SAMLtest, I think it would be fine, although I've been trying hard to toe the line between nudging people towards specification compliance and successful deployment.

I'll be under the bed,
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list