Support for X509SubjectName Name ID
Cantor, Scott
cantor.2 at osu.edu
Fri May 15 17:49:25 UTC 2020
On 5/15/20, 1:43 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:
> Ah, I see. Is it just the Responses or the Assertions too?
Signing responses is sufficient and is the default. Signing assertions is generally a waste of time, and the specification requires that either be allowed, so any SP requiring signed assertions has a bug. But they exist. I don't waste time turning response signing off for those cases, it's not worth the trouble. I don't think I have any active integrations that are so broken they can't handle a signed response.
-- Scott
More information about the users
mailing list