Encryption works against samltest.id but not local Shibboleth IdP

Peter Schober peter.schober at univie.ac.at
Thu Jul 30 14:27:04 UTC 2020

* Raymond DeCampo <ray at decampo.org> [2020-07-30 15:46]:
> I am new to SAML and I would like to understand why you say no-one
> should use the sample IdP metadata from Shibboleth?

Well, it's unsigned and even if it were signed it doesn't have a
useful validUntil value and even if it did have one there's no process
included out of the box to regularly push that date a few days/weeks
into the future.

As it is it's a plain text file with cryptographic keys in it.
Are you suggesting that it's a wise practice to blindly trust
cryptographic material downloaded automatically over the network --
as these keys are later used to verify protocol messages?
Are you doing that in other contexts, e.g. automatically downloading
(and trusting, without human intervention) a list of CA certificates?
That's what pointing some SAML implementation to your IDP's metadata
endpoint comes down to. Anyone able to subvert TLS to that endpoint
would be able to introduce different key material which could
ultimately be used to "verify" fraudulent protocol messages (i.e.,
essentially impersonate anyone at your IDP).
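A structural pre-check for the three points raised above (is the metadata signed at all, does it carry a validUntil, and is that date still in the future and not unreasonably far out), added here as example code that is neither the poster's nor Shibboleth's. The metadata snippets, POST_TIME and check_metadata are constructed for illustration; the check does not replace cryptographic signature verification, which the SAML library must still do against a configured trust anchor.

```python
"""Structural pre-checks before a consumer trusts a SAML metadata file."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a typical unsigned IdP metadata file, no validUntil.
UNSIGNED_METADATA = """<md:EntityDescriptor xmlns:md="%s"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>""" % NS_MD

# Constructed sample: signed and with a short validUntil (the Signature body is
# a placeholder; real files carry SignedInfo, SignatureValue and KeyInfo).
SIGNED_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://idp.example.org/idp/shibboleth" validUntil="2020-08-06T12:00:00Z">
  <ds:Signature><!-- placeholder --></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>""" % (NS_MD, NS_DS)

# Constructed reference clock: the time of the post, used for deterministic checks.
POST_TIME = datetime(2020, 7, 30, 14, 27, tzinfo=timezone.utc)


def check_metadata(xml_text, now=None, max_validity_days=14):
    """Return the reasons this metadata must not be trusted blindly (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)  # works for EntityDescriptor and EntitiesDescriptor
    problems = []
    # 1. An enveloped XML signature directly under the root element.
    if root.find("{%s}Signature" % NS_DS) is None:
        problems.append("metadata is not signed")
    # 2. validUntil present, parseable, and inside a short window from now.
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("no validUntil attribute")
    else:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append("validUntil already passed")
        elif expiry - now > timedelta(days=max_validity_days):
            problems.append("validUntil too far in the future: %s" % valid_until)
    return problems


if __name__ == "__main__":
    for name, doc in (("unsigned", UNSIGNED_METADATA), ("signed", SIGNED_METADATA)):
        print(name, check_metadata(doc, now=POST_TIME) or "OK")
```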
