unsolicited SSO question regarding AuthnRequestsSigned="true"

Cantor, Scott cantor.2 at osu.edu
Tue Oct 22 12:02:36 EDT 2019

On 10/22/19, 11:46 AM, "users on behalf of Les LaCroix" <users-bounces at shibboleth.net on behalf of llacroix at carleton.edu> wrote:

> Since there isn't any interaction with the SP, does that mean that AuthnRequestsSigned="true" in SP metadata and 
> unsolicited SSO are mutually exclusive? 


> Is there any place I can point the vendor to that says AuthnRequestsSigned must be "false" for unsolicited SSO so they
> will fix their metadata?

Not if common sense isn't sufficient.

> On the other hand, there isn't any explicit authnRequest being sent.

There is always an explicit request. Failure to enforce the flag would mean the flag meant nothing since any attacker would simply bypass the normal flow and issue an unsigned redirect to get around the policy the flag is trying to impose.

> I can change my local copy of the metadata to say AuthnRequestsSigned="false", and that's what I'm doing while I try
> to convince them to change it at the source.  It's a problem lying in wait if we ever have to update their metadata,
> though.

If the metadata is unsigned, or doesn't have a proper sliding validity window, or isn't being resigned frequently, then it is inherently a problem to rely on it since it breaks the security model of the system, so the problem is largely moot in practice.
-- Scott

More information about the users mailing list