unsolicited SSO question regarding AuthnRequestsSigned="true"

Les LaCroix llacroix at carleton.edu
Tue Oct 22 11:45:55 EDT 2019


I have a vendor that requires unsolicited SSO.  Their metadata says
'AuthnRequestsSigned="true"'.  When I go to the unsolicited SSO link


I get the error "SPSSODescriptor for entity ID ... indicates AuthnRequests
must be signed, but inbound message was not signed".  I am watching my
browser traffic and it's only interacting with the IdP.  The error is
happening before the IdP sends any SAML back, and there is no explicit
authnRequest SAML being sent.  Also, I am doing this in an incognito
window, and it's happening before I go through a login flow.

Since there isn't any interaction with the SP, does that mean
that AuthnRequestsSigned="true" in SP metadata and unsolicited SSO are
mutually exclusive?   I can imagine that the IdP is, in effect, responding
to an implicit authN request made on behalf of the SP.  There is clearly no
way an (implicit) request could be signed with the SP's (private) signing
key.  Most of the conversations on this topic in the list archive
essentially end up with "tell the vendor to fix their metadata."  Is there
any place I can point the vendor to that says AuthnRequestsSigned must be
"false" for unsolicited SSO so they will fix their metadata?

On the other hand, there isn't any explicit authnRequest being sent.  In
that case I kind of feel like the IdP should ignore the SP's
AuthnRequestsSigned, and the metadata isn't wrong, per se.  It puts me in a
much weaker position to ask them to change it.  Also, if they ever
implemented SP-initiated SSO, AuthnRequestsSigned="true" seems like it
might be a good idea.

Is this a problem with the vendor's metadata?  A problem with the IdP?  Or
just a problem with my understanding of SAML?  :-)   I can change my local
copy of the metadata to say AuthnRequestsSigned="false", and that's what
I'm doing while I try to convince them to change it at the source.  It's a
problem lying in wait if we ever have to update their metadata, though.

Thanks in advance, -Les

p.s. I am seeing this with IdP 3.4.3, in case that matters.

Les LaCroix '79 | Strategic Technologist
Carleton College | 1 N. College St. | MS 3-ITS | Northfield, MN 55057
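As an added illustration (not code from the poster or from the Shibboleth project), the following Python script does two things the message describes by hand: it reads an SP's metadata and reports whether the SPSSODescriptor carries AuthnRequestsSigned="true" (the flag an unsolicited-SSO flow cannot satisfy, since no AuthnRequest is ever sent), and it produces the kind of locally edited copy with the flag forced to "false" that the poster is using as a workaround. The metadata document, entity ID and endpoint URLs are constructed placeholders.

```python
"""Inspect SAML SP metadata for AuthnRequestsSigned and produce a local override.

Added example, not part of the original post or the Shibboleth IdP code base.
The metadata below is constructed for the example; the entity ID and endpoint
Location are placeholders, not a real vendor's values.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata with the flag the post complains about.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _xml_bool(value):
    """SAML metadata booleans are xs:boolean; an absent attribute means false."""
    return (value or "false").strip().lower() in ("true", "1")


def inspect_sp_metadata(xml_text):
    """Return the entity ID and the signing-related flags of each SP role."""
    root = ET.fromstring(xml_text)
    info = {"entityID": root.get("entityID"), "roles": []}
    for sp in root.findall("md:SPSSODescriptor", NS):
        acs = [a.get("Location")
               for a in sp.findall("md:AssertionConsumerService", NS)]
        info["roles"].append({
            "AuthnRequestsSigned": _xml_bool(sp.get("AuthnRequestsSigned")),
            "WantAssertionsSigned": _xml_bool(sp.get("WantAssertionsSigned")),
            "acs": acs,
        })
    return info


def unsolicited_sso_conflicts(xml_text):
    """SP roles whose AuthnRequestsSigned="true" would make an IdP such as the
    poster's (Shibboleth 3.4.3) reject an unsolicited-SSO flow: that flow carries
    no AuthnRequest, so there is nothing the SP could have signed."""
    return [r for r in inspect_sp_metadata(xml_text)["roles"]
            if r["AuthnRequestsSigned"]]


def local_override(xml_text):
    """Build the locally edited copy the poster describes: AuthnRequestsSigned
    forced to "false". Returns (new_xml, number_of_roles_changed). Note that
    this edit invalidates any XML signature the vendor placed on the document
    and is lost when the metadata is re-fetched from the source."""
    ET.register_namespace("md", NS["md"])  # keep the md: prefix on output
    root = ET.fromstring(xml_text)
    changed = 0
    for sp in root.findall("md:SPSSODescriptor", NS):
        if _xml_bool(sp.get("AuthnRequestsSigned")):
            sp.set("AuthnRequestsSigned", "false")
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for role in unsolicited_sso_conflicts(SAMPLE_SP_METADATA):
        print("AuthnRequestsSigned=true; unsolicited SSO to", role["acs"],
              "will be refused by an IdP that enforces the flag")
    patched, n = local_override(SAMPLE_SP_METADATA)
    print(f"local copy: {n} role(s) changed\n{patched}")
```

Running the script with the constructed metadata flags the one SPSSODescriptor and prints a copy with the attribute set to "false"; run it against a vendor's real metadata to confirm the flag is the cause before editing anything. The WantAssertionsSigned flag is left untouched by the override, since it concerns the IdP's Response and is unaffected by how the flow was initiated.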