Support for X509SubjectName Name ID

Cantor, Scott cantor.2 at
Fri May 15 18:28:10 UTC 2020

On 5/15/20, 2:19 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at on behalf of rullfig at> wrote:

> So I could identify all these broken SPs by setting signing to false for all SPs on a development IDP - and testing each
> one?

Yes. Installing a second unpublished signing key that's never shared and switching to it is another simple test that reveals exposures of a similar magnitude. Not checking keys is more common than literally not requiring a signature.

Honestly I have a handful of pen tests I have to do now because there are simply too many systems out there that are broken. I no longer consider even basic correctness to be a given now unless I know the implementation being used.

> Where would I set that value globally?

There is no one place, it's a profile-level setting. SAML2.SSO is the main bean you probably care about. Adjust the default relying party rule copy and get rid of any overrides. Or just set it across all the overrides if you still have lots of them. I don't use them very much now.

-- Scott
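As an added illustration of the profile-level setting described above (not from the original post or the Shibboleth project), here is what a development IdP's conf/relying-party.xml looks like when signing is switched off on the default relying party's SAML2.SSO profile and the per-SP overrides are emptied. It assumes the standard IdP v3/v4 relying-party.xml layout and the SAML2 profile properties signResponses and signAssertions; the alternative test of switching to a second, unpublished signing key is not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/relying-party.xml on a DEVELOPMENT IdP, used only to find SPs
     that accept unsigned responses. Production keeps signing on. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Unverified relying parties: left as shipped. -->
    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty" />

    <!-- Default rule, applied to every SP that has no override below.
         SAML2.SSO is the profile bean that decides whether the IdP signs
         the response and the assertion. With both flags false, an SP that
         still logs the user in has not verified a signature at all; an SP
         that rejects the response is behaving correctly. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <bean parent="SAML2.SSO"
                      p:postAuthenticationFlows="attribute-release"
                      p:signResponses="false"
                      p:signAssertions="false" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
                <ref bean="SAML2.AttributeQuery" />
                <ref bean="SAML2.ArtifactResolution" />
            </list>
        </property>
    </bean>

    <!-- Overrides are emptied for the test so the default rule really
         reaches every SP; otherwise the same two p: attributes would have
         to be repeated on each override's SAML2.SSO bean. -->
    <util:list id="shibboleth.RelyingPartyOverrides">
    </util:list>

</beans>
```

After the test, remove the two p:sign* attributes to return to the shipped defaults; any SP that accepted the unsigned response needs its signature verification fixed before it is trusted with the production IdP.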
