Support for X509SubjectName Name ID
Ullfig, Roberto Alfredo
rullfig at uic.edu
Fri May 15 18:19:23 UTC 2020
So I could identify all these broken SPs by setting signing to false for all SPs on a development IDP - and testing each one? Where would I set that value globally?
Roberto Ullfig - rullfig at uic.edu
Enterprise Architecture and Development | ACCC
University of Illinois - Chicago
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Friday, May 15, 2020 12:49 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Support for X509SubjectName Name ID
On 5/15/20, 1:43 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:
> Ah, I see. Is it just the Responses or the Assertions too?
Signing responses is sufficient and is the default. Signing assertions is generally a waste of time, and the specification requires that either be allowed, so any SP requiring signed assertions has a bug. But they exist. I don't waste time turning response signing off for those cases; it's not worth the trouble. I don't think I have any active integrations that are so broken they can't handle a signed response.