IDP sending empty SignatureValue in ArtifactResponse
Cantor, Scott
cantor.2 at osu.edu
Tue Sep 17 10:12:06 EDT 2019
On 9/17/19, 9:54 AM, "users on behalf of Malo Toudic" <users-bounces at shibboleth.net on behalf of malo.toudic at kereval.com> wrote:
> You will find the logs attached. I have anonymized the logs (URL and certificates only).
It's the ArtifactResponse that would normally be signed (if anything were signed), and it's the Response inside it that's broken.
The assertion here is also being signed, so this is a very strange "desired" result to begin with. I suspect there's a signing setting interaction with the three different layers that's getting things mixed up. It has to be something in a relying party override affecting the response signing settings to be specific to one SP.
You'd need to file a bug with a fairly complete config example and a good log trace. If you want to keep it confidential you can set the Security Level to vulnerability (not that it is one, but it would limit the visibility of the issue).
-- Scott
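
An added example, not part of the original message and not Shibboleth code: a structural check that reports, for each of the three layers mentioned above (ArtifactResponse, Response, Assertion), whether it carries a ds:Signature and whether its SignatureValue is empty. The sample message is constructed and reduced to the elements the check reads; the function name and state labels are assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# The three layers that can each carry their own enveloped signature.
LAYERS = {
    f"{{{P}}}ArtifactResponse": "ArtifactResponse",
    f"{{{P}}}Response": "Response",
    f"{{{A}}}Assertion": "Assertion",
}

# Constructed sample (not from the poster's logs, not schema-valid):
# the signature values are placeholders, and the Response one is empty.
SAMPLE = f"""<samlp:ArtifactResponse xmlns:samlp="{P}" xmlns:saml="{A}" xmlns:ds="{DS}">
  <ds:Signature><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>
  <samlp:Response>
    <ds:Signature><ds:SignatureValue/></ds:Signature>
    <saml:Assertion>
      <ds:Signature><ds:SignatureValue>Q09OU1RSVUNURUQ=</ds:SignatureValue></ds:Signature>
    </saml:Assertion>
  </samlp:Response>
</samlp:ArtifactResponse>"""


def signature_report(xml_text):
    """Return [(layer, state)] in document order.

    state is 'unsigned' (no ds:Signature child), 'empty' (SignatureValue
    missing or whitespace only) or 'present'. This inspects structure only;
    it does not verify any signature.
    """
    report = []
    for el in ET.fromstring(xml_text).iter():
        layer = LAYERS.get(el.tag)
        if layer is None:
            continue
        # Direct child only: a nested layer's signature must not count for its parent.
        sig = el.find(f"{{{DS}}}Signature")
        if sig is None:
            report.append((layer, "unsigned"))
            continue
        value = sig.find(f"{{{DS}}}SignatureValue")
        text = "".join((value.text or "").split()) if value is not None else ""
        report.append((layer, "present" if text else "empty"))
    return report


if __name__ == "__main__":
    for layer, state in signature_report(SAMPLE):
        print(f"{layer}: {state}")
```
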