Support for X509SubjectName Name ID
Cantor, Scott
cantor.2 at osu.edu
Fri May 15 18:28:10 UTC 2020
On 5/15/20, 2:19 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:
> So I could identify all these broken SPs by setting signing to false for all SPs on a development IDP - and testing each
> one?
Yes. Installing a second unpublished signing key that's never shared and switching to it is another simple test that reveals exposures of a similar magnitude. Not checking keys is more common than literally not requiring a signature.
Honestly I have a handful of pen tests I have to do now because there are simply too many systems out there that are broken. I no longer consider even basic correctness to be a given now unless I know the implementation being used.
>Where would I set that value globally?
There is no one place, it's a profile-level setting. SAML2.SSO is the main bean you probably care about. Adjust the default relying party rule copy and get rid of any overrides. Or just set it across all the overrides if you still have lots of them. I don't use them very much now.
-- Scott
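The two tests Scott describes, written out as an added example for a development IdP's conf/relying-party.xml (this is not from the original message or from the Shibboleth project's own distribution files). Bean and property names follow the IdP v4 naming as I remember it; the "Unpublished*" bean ids and the credential file paths are my own assumptions.

```xml
<!-- Added example for a DEVELOPMENT IdP only; not from the original thread.
     Bean/property names follow IdP v4 naming as recalled; the Unpublished* ids
     and key/cert paths are assumptions. -->

<!-- Test 1: stop signing SAML 2.0 SSO responses and assertions globally by
     editing the default relying-party rule. Delete (or mirror this change in)
     any <bean ... parent="RelyingPartyByName"> overrides, otherwise those SPs
     keep getting signed responses and are never exercised by the test.
     An SP that still logs users in with these flags false is not requiring a
     signature at all. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:signResponses="false"
                  p:signAssertions="false"
                  p:postAuthenticationFlows="attribute-release" />
            <!-- Test 2 instead of Test 1: keep signing, but with the key below,
                 which is deliberately absent from the IdP's published metadata.
                 Replace the two flags above with:
                 p:securityConfiguration-ref="UnpublishedSecurityConfiguration"
                 An SP that still accepts the response is verifying against
                 whatever certificate arrives in the message, not against the
                 keys it trusts. -->
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
        </list>
    </property>
</bean>

<!-- Second, never-shared signing credential (assumed paths; credentials are
     normally declared in conf/credentials.xml). Generate it with the same
     tooling used for the real signing key and do NOT add it to metadata. -->
<bean id="UnpublishedSigningCredential" parent="shibboleth.BasicX509CredentialFactoryBean"
      p:privateKeyResource="%{idp.home}/credentials/unpublished-signing.key"
      p:certificateResource="%{idp.home}/credentials/unpublished-signing.crt"
      p:entityId-ref="entityID" />

<!-- Signing configuration that uses only that credential. -->
<bean id="UnpublishedSigningConfiguration" parent="shibboleth.SigningConfiguration.SHA256"
      p:signingCredentials-ref="UnpublishedSigningCredential" />

<!-- Security configuration that swaps the signing configuration and leaves
     encryption and the rest at the defaults. -->
<bean id="UnpublishedSecurityConfiguration" parent="shibboleth.DefaultSecurityConfiguration"
      p:signatureSigningConfiguration-ref="UnpublishedSigningConfiguration" />
```

Run one test at a time and record the outcome per SP: a login that succeeds under Test 1 means the SP does not require a signature; a login that succeeds under Test 2 means it requires one but does not check the key against trusted metadata. A login that fails proves only that the SP rejected this particular message, so SPs that fail should be retried with the normal configuration to rule out unrelated breakage before crediting them with correct behaviour.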