IDP sending empty SignatureValue in ArtifactResponse

Cantor, Scott cantor.2 at
Tue Sep 17 10:12:06 EDT 2019

On 9/17/19, 9:54 AM, "users on behalf of Malo Toudic" <users-bounces at on behalf of malo.toudic at> wrote:

> You will find the logs attached. I have anonymized the logs (URL and  certificates only).

It's the ArtifactResponse that would normally be signed (if anything were signed), and it's the Response inside it that's broken.
The assertion here is also being signed, so this is a very strange "desired" result to begin with. I suspect there's a signing setting interaction with the three different layers that's getting things mixed up. It has to be something in a relying party override affecting the response signing settings to be specific to one SP.

You'd need to file a bug with a fairly complete config example and a good log trace. If you want to keep it confidential you can set the Security Level to vulnerability (not that it is one, but it would limit the visibility of the issue).

-- Scott

More information about the users mailing list