IDP signs the SAML Assertion

Lohr, Donald lohrda at jmu.edu
Wed Jun 10 03:40:44 UTC 2020


The metadata is part of the InCommon aggregate. I found this on the SP's 
website:

Q: I realize that Foundry requires the Assertion of SAML Responses to 
be signed by the identity provider. But in the InCommon service provider 
for my organization, in SPSSODescriptor, you do not have the 
attribute WantAssertionsSigned="true". Will you please add this 
attribute?

A: It appears that InCommon does not currently support this metadata 
attribute. Therefore, you will need to ensure that your identity 
provider signs the assertions for the Foundry service provider.

In my relying-party.xml file for this SP I currently have:

p:encryptAssertions="false" p:signAssertions="false" p:signResponses="true"

Don

On 6/9/20 4:54 PM, Mak, Steve wrote:
>
> It should take you 1-2 files to be able to determine if you are 
> signing assertions: relying-party.xml and the sp-metadata.xml file for 
> their SP.
>
> relying-party.xml is where you globally or specifically 
> allow/deny/force signing.
>
> sp-metadata.xml file is where an SP can choose to request a signed 
> assertion if allowed and the IdP doesn't force it.
>
> *From: *users <users-bounces at shibboleth.net> on behalf of "Lohr, 
> Donald" <lohrda at jmu.edu>
> *Reply-To: *Shib Users <users at shibboleth.net>
> *Date: *Tuesday, June 9, 2020 at 16:05
> *To: *"users at shibboleth.net" <users at shibboleth.net>
> *Subject: *IDP signs the SAML Assertion
>
> I've a SP vendor asking:
>
> Are you able to go in to your identity provider, go to the service 
> provider configuration, and ensure that the IDP signs the SAML Assertion?
>
> How can I actually prove this or not prove it?
>
> Don
>
> -- 
> D o n a l d   L o h r
> I n f o r m a t i o n   S y s t e m s
> J a m e s   M a d i s o n   U n i v e r s i t y
> 5 4 0 . 5 6 8 . 3 7 3 0
>

-- 
D o n a l d   L o h r
I n f o r m a t i o n   S y s t e m s
J a m e s   M a d i s o n   U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0
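
One way to answer the "how can I prove this" question from a captured login, as an added example that is not part of the original thread: decode the base64 SAMLResponse form field the IdP posts to the SP and see whether a ds:Signature sits directly under the Response, the Assertion, or both. The function name and the sample messages are constructed for illustration; the check reports signature placement only and does not validate the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_placement(saml_response_b64):
    """Report where ds:Signature appears in a base64 SAMLResponse (HTTP-POST binding)."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes:  # SAML messages never need a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not expected in a SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        # find() without '//' matches direct children only, so a signature
        # inside the Assertion is not mistaken for a Response signature.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": len(assertions),
        "assertions_signed": sum(a.find("ds:Signature", NS) is not None for a in assertions),
        # Encrypted assertions must be decrypted before their signature can be seen.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def _sample(sign_response, sign_assertion):
    """Constructed, skeletal Response for demonstration (placeholder entityID, empty Signature)."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
        + (sig if sign_response else "")
        + '<samlp:Status/><saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
        + (sig if sign_assertion else "")
        + '<saml:Subject/></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # Shape expected with p:signAssertions="false" p:signResponses="true"
    print(signature_placement(_sample(True, False)))
    # Shape the SP vendor is asking for: signature on the Assertion itself
    print(signature_placement(_sample(False, True)))
```

The SAMLResponse value can be copied from the browser's network tools or a SAML tracer extension during a test login to the SP.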
