Force SP to sign SOAP messages
Cantor, Scott
cantor.2 at osu.edu
Mon Jan 6 11:32:03 EST 2020
On 1/6/20, 11:14 AM, "users on behalf of David Sommer" <users-bounces at shibboleth.net on behalf of david97sommer at gmail.com> wrote:
> I used signing="true" in the ApplicationDefaults but the SP still sent
> the message unsigned, so I suspected that this setting gets overridden somewhere.
I believe that works but I would have to dig into the code to follow it through, so short of filing a bug and waiting an unknown number of weeks for answer, that's about all I can say. Assuming you're a non-member anyway.
> The login flow is initiated by a custom SessionInitiator and returns
> back to the SP on an AssertionConsumerService using HTTP-Artifact binding.
There's little chance you need a custom SessionInitiator for that, but that's not too relevant.
> I also tried to add signing="true" to the AssertionConsumerService (in
> shibboleth2.xml), but that gave a parser error, even though
You shouldn't have an AssertionConsumerService, you'd be very unlikely not to break the SP trying to do all that. Adding signing="true" to the <SSO> element would be another possible way to do it, which obviously limits it to SSO and not logout.
Doing it in an ACS element requires a namespace prefix (conf:signing usually) because that element is from SAML's schema and has to be worked around to pass it custom settings.
-- Scott
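Editor's note: the fragment below is an added illustration of the two placements Scott mentions (signing="true" on the <SSO> element, and the prefixed conf:signing attribute on an explicit ACS element, since that element comes from the SAML metadata schema). It is not configuration from the thread or from the Shibboleth project; the entityIDs, handler paths, index value and the SP 3 namespace URI are assumptions for illustration.

```xml
<!-- Added example, not from the thread. entityIDs, Location, index and the
     SP 3 config namespace URI are assumptions; adjust to your deployment. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

  <!-- Application-wide default: requests signing on outbound messages. -->
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth" signing="true">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">

      <!-- Placement 1: signing scoped to SSO only (does not cover logout). -->
      <SSO entityID="https://idp.example.org/idp/shibboleth" signing="true">
        SAML2
      </SSO>

      <!-- Placement 2: the ACS element is from the SAML metadata schema, so a
           native SP setting must carry the conf: prefix to pass schema checks.
           An unprefixed signing="true" here is what produces the parser error. -->
      <md:AssertionConsumerService Location="/SAML2/Artifact" index="2"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
          conf:signing="true"/>

    </Sessions>
  </ApplicationDefaults>
</SPConfig>
```

Whether the outbound artifact resolution request actually ends up signed is something to confirm on the wire (or in the SP's log at DEBUG) rather than assume from the setting alone, given the override behaviour the original poster observed.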