IDP signs the SAML Assertion

Paul Caskey pcaskey at internet2.edu
Tue Jun 9 20:51:01 UTC 2020


Likely a minor point in this case, but service providers should be looking for signed responses rather than signed assertions, according to the Kantara SAML 2.0 federation interoperability specification [1].

See requirement IIP-SP13:

“Service Providers MUST support the ability to reject unsigned <samlp:Response> elements and SHOULD do so by default.”


[1] https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html

From: users <users-bounces at shibboleth.net> on behalf of "Lohr, Donald" <lohrda at jmu.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Tuesday, June 9, 2020 at 3:05 PM
To: Shib Users <users at shibboleth.net>
Subject: IDP signs the SAML Assertion

I've a SP vendor asking:

Are you able to go in to your identity provider, go to the service provider configuration, and ensure that the IDP signs the SAML Assertion?

How can I actually prove this or not prove it?

Don


--

D o n a l d   L o h r

I n f o r m a t i o n   S y s t e m s

J a m e s   M a d i s o n   U n i v e r s i t y

5 4 0 . 5 6 8 . 3 7 3 0
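One way to answer Don's question from the SP side, as an added example that is not part of this thread or of the Shibboleth project: capture the SAMLResponse form parameter the IdP posts back (a browser SAML tracer extension shows it), base64-decode it, and look at where the ds:Signature elements actually sit. The script below does that with the Python standard library on constructed sample responses; the issuer URL, element IDs and signature values are placeholders, and the script only locates signatures, it does not verify them (that needs an XML-DSig library and the IdP's signing certificate from metadata).

```python
"""Locate XML signatures in a SAML 2.0 Response: Response, Assertion, both or neither.

Added example, not code from the Shibboleth project. Signature values below are
placeholders; this script reports *placement*, it performs no cryptographic check.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def _has_own_signature(elem):
    """True if elem has a direct-child ds:Signature whose Reference URI is '#<elem ID>'.

    Checking the Reference URI matters: a ds:Signature merely nested somewhere
    below an element is not evidence that the element itself is covered.
    """
    sig = elem.find(DS + "Signature")
    if sig is None:
        return False
    ref = sig.find(DS + "SignedInfo/" + DS + "Reference")
    if ref is None:
        return False
    return ref.get("URI") == "#" + (elem.get("ID") or "")


def inspect_response(xml_bytes):
    """Return where signatures sit in a decoded samlp:Response."""
    root = ET.fromstring(xml_bytes)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response: %s" % root.tag)
    return {
        "response_id": root.get("ID"),
        "response_signed": _has_own_signature(root),
        "assertions": [
            {"id": a.get("ID"), "signed": _has_own_signature(a)}
            for a in root.findall(SAML + "Assertion")
        ],
        # Encrypted assertions cannot be inspected until the SP decrypts them.
        "encrypted_assertions": len(root.findall(SAML + "EncryptedAssertion")),
    }


def inspect_post_param(samlresponse_b64):
    """Inspect the raw SAMLResponse value from an HTTP-POST binding form."""
    return inspect_response(base64.b64decode(samlresponse_b64))


def encode_for_post(xml_bytes):
    """Inverse of the decode step, used to build test input shaped like a real POST."""
    return base64.b64encode(xml_bytes).decode("ascii")


def verdict(result):
    """Summarise the placement as the SP would see it."""
    asserted = bool(result["assertions"]) and all(a["signed"] for a in result["assertions"])
    if result["response_signed"] and asserted:
        return "response+assertion"
    if result["response_signed"]:
        return "response-only"
    if asserted:
        return "assertion-only"
    return "unsigned"


def build_sample(sign_response, sign_assertion):
    """Constructed (not captured) SAML Response with placeholder signatures."""
    def sig(ref_id):
        return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
                '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>' % ref_id)
    issuer = '<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>'
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
            + issuer + (sig("_r1") if sign_response else "") +
            '<samlp:Status><samlp:StatusCode '
            'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0">' + issuer
            + (sig("_a1") if sign_assertion else "") +
            '<saml:Subject><saml:NameID>don@example.edu</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>').encode()


if __name__ == "__main__":
    for flags in [(False, True), (True, False), (True, True), (False, False)]:
        r = inspect_post_param(encode_for_post(build_sample(*flags)))
        print(flags, verdict(r), r)
```

With the decoded XML in hand, the distinction in Paul's reply is visible directly: an assertion-only result satisfies the vendor's request but leaves the samlp:Response itself unsigned, which IIP-SP13 says an SP should reject by default. On the IdP side, in Shibboleth IdP v3/v4 the per-relying-party controls are the p:signAssertions and p:signResponses properties on the SAML2.SSO profile bean in relying-party.xml; signResponses defaults to "conditional" (signed for front-channel bindings) and signAssertions defaults to false, which is why a vendor used to assertion signatures may ask for this.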