AuthnRequests must be signed, but inbound message was not signed for IDP initiated SSO

Abhishek Chouksey abhishekchouksey10 at
Thu Dec 3 14:12:37 UTC 2020


I am new to Shibboleth and am working on configuring our IdP with
FortiPortal. We want to use IdP-initiated SSO; we also use IdP-initiated
SSO for some other vendors, and those are working fine.

My question is related to the use of AuthnRequestsSigned="true" in
the FortiPortal SP metadata. In their metadata the AuthnRequestsSigned
attribute is set to true, as they would like it set, and then I get
this error on the

- SPSSODescriptor for entity ID '-----' indicates AuthnRequests must be signed, but inbound message was not signed

16:44:54.524 - WARN
- Message did not meet security requirements Inbound AuthnRequest was required to be signed but was not

Is there a way to configure IdP-initiated SSO for
AuthnRequestsSigned="true" without breaking our other IdP-initiated SSO
implementations? What changes can we make in the relying party to
resolve this issue?

These configs are present in my relying-party.xml:

  <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"

<security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy"
        <security:Rule xsi:type="samlsec:Replay"/>
        <security:Rule xsi:type="samlsec:IssueInstant"/>
        <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign"
        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"
        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>

Are there any changes that can be made to these so that it works fine?
I also want to add one more point: if I comment out

 <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>

this line, then it does not show the error in the log, but I get
redirected to the FortiPortal errorSamlSSO page.

Can anyone please suggest what changes can be made on the IdP side so
that the AuthnRequest gets signed?

Thanks and Regards,
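
The check behind the two log lines in the post, as an added example that is not part of the original message or of the Shibboleth code base: it reads `AuthnRequestsSigned` from an SP's `SPSSODescriptor`, rejects an unsigned request for that SP, and accepts the same unsigned request for an SP whose metadata omits the attribute. The metadata, entity IDs and function names are constructed for illustration; an IdP-initiated flow is modelled as `request_is_signed=False` because the SP sends no signed AuthnRequest in it.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed metadata: entity IDs are placeholders, not real FortiPortal values.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp-signed.example.org/constructed">
    <md:SPSSODescriptor AuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-plain.example.org/constructed">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def requires_signed_requests(metadata_xml, entity_id):
    """True if this SP's SPSSODescriptor sets AuthnRequestsSigned (an xs:boolean)."""
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(MD + "EntityDescriptor"):
        if entity.get("entityID") == entity_id:
            sp = entity.find(MD + "SPSSODescriptor")
            if sp is None:
                raise ValueError(f"{entity_id} has no SPSSODescriptor")
            # The attribute is optional; when absent, signing is not demanded.
            return sp.get("AuthnRequestsSigned", "false").strip() in ("true", "1")
    raise KeyError(entity_id)


def check_inbound_request(metadata_xml, entity_id, request_is_signed):
    """Return (accepted, reason) for one inbound AuthnRequest."""
    if requires_signed_requests(metadata_xml, entity_id) and not request_is_signed:
        return False, (f"SPSSODescriptor for entity ID '{entity_id}' indicates "
                       "AuthnRequests must be signed, but inbound message was not signed")
    return True, "request meets the signing requirement"


def sps_requiring_signed_requests(metadata_xml):
    """List the SPs in the metadata for which an unsigned request fails the check."""
    root = ET.fromstring(metadata_xml)
    return [e.get("entityID") for e in root.iter(MD + "EntityDescriptor")
            if requires_signed_requests(metadata_xml, e.get("entityID"))]


if __name__ == "__main__":
    for sp in sps_requiring_signed_requests(SAMPLE_METADATA):
        print(sp, check_inbound_request(SAMPLE_METADATA, sp, request_is_signed=False))
```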
