Support for X509SubjectName Name ID

Cantor, Scott cantor.2 at osu.edu
Fri May 15 15:38:37 UTC 2020


On 5/15/20, 11:20 AM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:

> Signing is the default - not following you.

You said "they worked with signing false and *also* with the defaults". I'm saying, yes, of course they did. If they worked with no signing, they certainly aren't going to notice the signing. The problem is what Steve just reinforced.

Either the response or the assertion MUST be signed. Signing neither MUST result in an SP failure. A successful outcome is a wide open security breach of that service.

But just setting both those properties to false doesn't absolutely imply no signing. WantAssertionsSigned="true" in SP metadata could be toggling one of them back on under the covers and obviating the apparent bug. But it gives you the set to triage immediately and verify whether that might be the case.

-- Scott
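
The triage described above can be scripted against captured logins. The following is an added example, not part of the original message and not Shibboleth code: it checks whether a decoded SAML Response carries a signature at the response or assertion level, and whether the SP's metadata sets WantAssertionsSigned. The function names and sample documents are constructed for illustration, and the input is assumed to be the already base64-decoded SAMLResponse XML.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
XMLNS = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())

def signing_state(response_xml):
    """Return (response_signed, assertions_signed) for a decoded SAML Response.

    Structure check only: it shows what the IdP emitted, it does not verify
    any signature. Only a ds:Signature that is a direct child counts.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    response_signed = root.find("ds:Signature", NS) is not None
    assertions_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions)
    return response_signed, assertions_signed

def wants_assertions_signed(sp_metadata_xml):
    """True if the SP's SPSSODescriptor sets WantAssertionsSigned (xs:boolean)."""
    sp = ET.fromstring(sp_metadata_xml).find(".//md:SPSSODescriptor", NS)
    return sp is not None and sp.get("WantAssertionsSigned", "false") in ("true", "1")

def triage(response_xml, sp_metadata_xml):
    """Classify one captured login for the triage described in the thread."""
    resp, asrt = signing_state(response_xml)
    if not (resp or asrt):
        return "UNSIGNED: an SP that accepted this login is not checking signatures"
    if asrt and wants_assertions_signed(sp_metadata_xml):
        return "SIGNED: assertion signed, possibly forced by WantAssertionsSigned"
    return "SIGNED: response=%s assertion=%s" % (resp, asrt)

# Constructed samples (empty ds:Signature elements stand in for real ones).
UNSIGNED = "<samlp:Response %s><saml:Assertion/></samlp:Response>" % XMLNS
ASSERTION_SIGNED = ("<samlp:Response %s><saml:Assertion><ds:Signature/>"
                    "</saml:Assertion></samlp:Response>" % XMLNS)
SP_WANTS = ('<md:EntityDescriptor %s><md:SPSSODescriptor '
            'WantAssertionsSigned="true"/></md:EntityDescriptor>' % XMLNS)
SP_PLAIN = "<md:EntityDescriptor %s><md:SPSSODescriptor/></md:EntityDescriptor>" % XMLNS

if __name__ == "__main__":
    for name, xml in (("unsigned", UNSIGNED), ("assertion-signed", ASSERTION_SIGNED)):
        print(name, "->", triage(xml, SP_WANTS))
```

An encrypted assertion hides any signature inside it, so a response that contains only `saml:EncryptedAssertion` and no response-level signature is reported as unsigned here and needs to be decrypted before the check is meaningful.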



