Support for X509SubjectName Name ID

Cantor, Scott cantor.2 at
Fri May 15 15:38:37 UTC 2020

On 5/15/20, 11:20 AM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at on behalf of rullfig at> wrote:

> Signing is the default - not following you.

You said "they worked with signing false and *also* with the defaults". I'm saying, yes, of course they did. If they worked with no signing, they certainly aren't going to notice the signing. The problem is what Steve just reinforced.

Either the response or the assertion MUST be signed. Signing neither MUST result in an SP failure. A successful outcome is a wide open security breach of that service.

But just setting both those properties to false doesn't absolutely imply no signing. WantAssertionsSigned="true" in SP metadata could be toggling one of them back on under the covers and obviating the apparent bug. But it gives you the set to triage immediately and verify whether that might be the case.

-- Scott
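
An added example, not part of the original message and not Shibboleth code: a presence check to run over a decoded SAML 2.0 response captured while triaging an SP, reporting whether the Response or the Assertion carries a `ds:Signature`. The function names are assumptions and the sample XML is constructed; the check does not validate signatures, it only shows whether the "signing neither" case is what the SP actually received.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_status(response_xml: str) -> dict:
    """Report where ds:Signature sits in a decoded SAML 2.0 Response.

    Presence only: no signature or reference is validated here.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # Only direct children count: a Signature nested deeper covers another element.
    response_signed = root.find("ds:Signature", NS) is not None
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    signed = [a for a in plain if a.find("ds:Signature", NS) is not None]
    if response_signed:
        verdict = "signed"
    elif len(signed) < len(plain) or not (plain or encrypted):
        verdict = "unsigned"  # the case an SP must reject
    elif encrypted:
        verdict = "unknown"  # any assertion signature is inside the ciphertext
    else:
        verdict = "signed"
    return {"response_signed": response_signed, "assertions": len(plain),
            "assertions_signed": len(signed),
            "encrypted_assertions": len(encrypted), "verdict": verdict}


def constructed_response(sign_response: bool, sign_assertion: bool) -> str:
    """Build a skeletal sample Response (constructed, not a real capture)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">'
            % (NS["samlp"], NS["saml"])
            + (sig if sign_response else "")
            + '<saml:Assertion ID="_a1">' + (sig if sign_assertion else "")
            + "<saml:Subject/></saml:Assertion></samlp:Response>")


if __name__ == "__main__":
    for r, a in [(False, False), (False, True), (True, False)]:
        print(r, a, signing_status(constructed_response(r, a))["verdict"])
```

An "unsigned" verdict on a login the SP accepted is the failure described above; a "signed" verdict with both IdP settings off points to something else, such as the metadata flag, turning signing back on.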
