Support for X509SubjectName Name ID

Mak, Steve makst at upenn.edu
Fri May 15 15:27:19 UTC 2020


He's saying you have a LOT to worry about if the other side of the SAML relationship is accepting unsigned SAML responses.  If you choose to integrate with an SP that accepts unsigned SAML responses you're risking major account impersonation among a number of other security risks.

If I found out an SP was accepting unsigned I would immediately pull that SP metadata out of my IDP.



From: users <users-bounces at shibboleth.net> on behalf of "Ullfig, Roberto Alfredo" <rullfig at uic.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Friday, May 15, 2020 at 11:20
To: Shib Users <users at shibboleth.net>
Subject: Re: Support for X509SubjectName Name ID

Signing is the default - not following you.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Architecture and Development | ACCC
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Friday, May 15, 2020 9:59 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Support for X509SubjectName Name ID

On 5/15/20, 10:21 AM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:

> OK fixed that, there were a handful - the settings must have been set false while testing a new SP implementation then
> propagated to a few others. All applications work with default settings now.

It's much more serious. It's not whether they work with defaults, it's whether they work with no signing. That is a total security break. And yes, lots of those exist. More common is the "accept any signing key" bug, but this exists too.

-- Scott
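
Added example (not code from any poster in this thread, nor from the Shibboleth project): the acceptance gate an SP has to enforce on an incoming SAML 2.0 Response, covering the two SP bugs Scott names above. It rejects a Response whose Response element and Assertion are both unsigned ("works with no signing"), and it rejects a signature whose embedded certificate is not one of the IdP's keys from metadata ("accept any signing key"). Only the policy around the signature is checked here; verifying the SignatureValue itself is assumed to be handled afterwards by an XML-DSig library such as xmlsec. The certificates, signature blocks and Response documents below are constructed placeholders, not real IdP material.

```python
"""
Policy gate an SP applies to a SAML 2.0 Response before cryptographic
signature verification. Two failure modes from the thread are covered:
  * unsigned: neither the Response nor its Assertion carries a ds:Signature;
  * any-key: a signature exists, but its certificate is not an IdP key from
    metadata.
Assumption: after this gate passes, an XML-DSig library verifies the value.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(b64cert):
    """SHA-256 over the DER bytes, the value metadata tooling usually prints."""
    der = base64.b64decode("".join(b64cert.split()))
    return hashlib.sha256(der).hexdigest()


def signatures_present(response_xml):
    """List (signed_element, cert_fingerprint_or_None) for each ds:Signature
    that is a DIRECT child of the Response or of an Assertion. A ds:Signature
    buried elsewhere in the document (for example inside Subject) does not
    count; only those two placements bind the signature to the protocol data."""
    root = ET.fromstring(response_xml)
    targets = [("Response", root)]
    targets += [("Assertion", a) for a in root.findall("saml:Assertion", NS)]
    found = []
    for name, el in targets:
        sig = el.find("ds:Signature", NS)
        if sig is None:
            continue
        certs = sig.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if not certs:
            # No identifiable key to pin against; a production SP would instead
            # try each metadata key during verification. Treated as untrusted here.
            found.append((name, None))
        for c in certs:
            found.append((name, cert_fingerprint(c.text or "")))
    return found


def check_signature_policy(response_xml, trusted_fingerprints):
    """Return (accepted, reason). At least one signature must exist, and every
    signature present must use a key from the IdP's metadata."""
    sigs = signatures_present(response_xml)
    if not sigs:
        return False, "rejected: neither Response nor Assertion is signed"
    for name, fp in sigs:
        if fp is None or fp not in trusted_fingerprints:
            return False, f"rejected: {name} signature uses a key not in IdP metadata"
    return True, "signed by a trusted IdP key: hand off to XML-DSig verification"


# --- Constructed sample data (placeholders, not real certificates or signatures) ---
IDP_CERT_B64 = base64.b64encode(b"placeholder DER of the IdP signing cert from metadata").decode()
ROGUE_CERT_B64 = base64.b64encode(b"placeholder DER of an attacker-controlled cert").decode()
TRUSTED = {cert_fingerprint(IDP_CERT_B64)}


def fake_signature(cert_b64):
    # Structure only; SignedInfo and SignatureValue are stand-ins.
    return ("<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>"
            "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>" + cert_b64 +
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>")


def build_response(response_sig="", assertion_sig=""):
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2020-05-15T15:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  {response_sig}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-05-15T15:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    {assertion_sig}
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
      >CN=alice,O=Example</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


CASES = {
    "unsigned": build_response(),
    "assertion_signed_trusted": build_response(assertion_sig=fake_signature(IDP_CERT_B64)),
    "response_signed_trusted": build_response(response_sig=fake_signature(IDP_CERT_B64)),
    "signed_rogue_key": build_response(response_sig=fake_signature(ROGUE_CERT_B64)),
    "rogue_assertion_under_trusted_response": build_response(
        response_sig=fake_signature(IDP_CERT_B64), assertion_sig=fake_signature(ROGUE_CERT_B64)),
}


def run_cases():
    """Map each constructed case to whether the gate accepts it."""
    return {name: check_signature_policy(xml, TRUSTED)[0] for name, xml in CASES.items()}


if __name__ == "__main__":
    for name, xml in CASES.items():
        print(f"{name:40s} {check_signature_policy(xml, TRUSTED)[1]}")
```

The gate deliberately rejects a Response in which a trusted signature sits on the outer element but an untrusted one is on the Assertion: an SP that verifies one signature and ignores the other is exactly the class of implementation the thread is warning about.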


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net