Encrypting NameIDs and Signing Logout Messages

Liam Hoekenga liamr at umich.edu
Wed May 15 19:33:22 EDT 2019


On Wed, May 15, 2019 at 6:18 PM Nate Klingenstein <ndk at signet.id> wrote:

> All,
>
> We have a very surprising amount of testing going on using SLO on
> SAMLtest.  Most of these SLO requests are not signed and many use a NameID
> rather than an EncryptedID.  Naturally, they fail.
>
> The reasons for signing and encrypting assertions are obvious, and the same
> reasons would apply to front-channel SLO requests.  But to some extent, the
> arguments that apply to not signing front-channel AuthnRequests also apply:
> there isn't much damage that can be done by forging a LogoutRequest other
> than being annoying and potentially losing sessions and data in
> applications.
>
> Not downplaying the significance of that, but looking for
> interoperability, how many people here would break my knuckles for setting
> idp.logout.authenticated to false on SAMLtest and relying on TLS?  Given
> that it's just SAMLtest, I think it would be fine, although I've been
> trying hard to toe the line between nudging people towards specification
> compliance and successful deployment.
>
> I'll be under the bed,
> Nate.
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
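As an added example (not code from the thread, and not Shibboleth's or SAMLtest's own code), here is a small Python lint of a front-channel LogoutRequest that reports the two failures Nate describes: the request is unsigned, and it carries a plain NameID where an IdP that encrypts NameIDs expects an EncryptedID. Both sample requests are constructed; the ds:Signature in the second is a structural placeholder rather than a valid signature, and the check assumes an enveloped signature (POST binding), since with the Redirect binding the signature travels in the query string instead.

```python
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def lint_logout_request(xml_text: str) -> List[str]:
    """Return findings for a LogoutRequest; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return ["not a samlp:LogoutRequest"]
    findings = []
    # Structural check only: a real IdP must also verify the signature
    # against the SP's key from metadata before trusting the request.
    if root.find("ds:Signature", NS) is None:
        findings.append("request is not signed; rejected when "
                        "idp.logout.authenticated is true")
    plain = root.find("saml:NameID", NS) is not None
    encrypted = root.find("saml:EncryptedID", NS) is not None
    if plain and not encrypted:
        findings.append("subject is a plain saml:NameID; an IdP that "
                        "encrypts NameIDs expects saml:EncryptedID")
    elif not plain and not encrypted:
        findings.append("no NameID or EncryptedID present")
    return findings

# Constructed samples. The first matches what SAMLtest was seeing; the
# second carries an enveloped signature (placeholder) and an EncryptedID.
HEAD = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" '
        'Version="2.0" IssueInstant="2019-05-15T22:18:00Z">'
        '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>')
TAIL = '<samlp:SessionIndex>_s1</samlp:SessionIndex></samlp:LogoutRequest>'
UNSIGNED_REQUEST = HEAD + '<saml:NameID>_user1</saml:NameID>' + TAIL
SIGNED_REQUEST = (HEAD
    + '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
      '<ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
      '</ds:Signature>'
    + '<saml:EncryptedID><xenc:EncryptedData '
      'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedID>'
    + TAIL)

if __name__ == "__main__":
    for req in (UNSIGNED_REQUEST, SIGNED_REQUEST):
        print(lint_logout_request(req) or ["ok"])
```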