saml2 mtls issue

Cantor, Scott cantor.2 at osu.edu
Tue Nov 9 14:20:02 UTC 2021


SAML itself equates TLS and signing in metadata; there is no means of separating them.

Artifact itself is by and large unused anyway, so not supporting that is also usually an option.

You also don't need to sign anything unless you're trying to support logout, so not signing at all is probably an option.

You act as though the IdP gets a say in this; it does not. They're your keys. You decide what they are; it simply needs a means of trusting them, but it doesn't get to dictate the things you're just letting it dictate. There is no reason to require that the signing and client TLS keys be separate, and that's not even technically a thing the SAML standard would allow one to do.

-- Scott
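As an added illustration of the point made above (example code written for this page, not from the original post, the Shibboleth project or any SAML implementation): a small Python inspector over SAML 2.0 metadata. The metadata schema's `KeyDescriptor` element carries a `use` attribute that admits only `signing` and `encryption` (an omitted `use` means the key serves both), and there is no value for client TLS. An IdP that wants to verify an SP's back-channel TLS client certificate therefore has nothing to match it against except the SP's published signing certificates. The entity ID, the metadata document and the certificate bytes below are constructed placeholders, not real X.509 material.

```python
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# The SAML metadata schema defines only these two values for KeyDescriptor/@use;
# an absent @use means the key applies to both. There is no "tls" value.
ALLOWED_USES = {"signing", "encryption"}

# Constructed placeholder certificate bytes (not real DER); they stand in for the
# base64 X.509 certificates a real SP would publish.
SIGNING_CERT_DER = b"constructed-signing-cert"
ENCRYPTION_CERT_DER = b"constructed-encryption-cert"


def build_sp_metadata(keys, entity_id="https://sp.example.org/shibboleth"):
    """Render a minimal SPSSODescriptor with one KeyDescriptor per (use, der) pair.

    `use` may be None to omit the attribute. Constructed example metadata,
    not any real SP's; the entity ID is a placeholder.
    """
    descriptors = []
    for use, der in keys:
        use_attr = f' use="{use}"' if use else ""
        b64 = base64.b64encode(der).decode()
        descriptors.append(
            f"    <md:KeyDescriptor{use_attr}>\n"
            f"      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n"
            f"        {b64}\n"
            f"      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>\n"
            f"    </md:KeyDescriptor>\n"
        )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="{entity_id}">\n'
        '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
        + "".join(descriptors)
        + "  </md:SPSSODescriptor>\n"
        "</md:EntityDescriptor>\n"
    )


def certs_for_use(metadata_xml, use):
    """Return the set of DER certificate bytes the metadata publishes for `use`.

    A KeyDescriptor without @use counts for both uses; any other @use value
    is rejected because the schema does not define it.
    """
    if use not in ALLOWED_USES:
        raise ValueError(f"metadata has no key use {use!r}; only {sorted(ALLOWED_USES)}")
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        declared = kd.get("use")
        if declared is not None and declared not in ALLOWED_USES:
            raise ValueError(f"invalid KeyDescriptor/@use {declared!r}")
        if declared is not None and declared != use:
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Real metadata wraps the base64 across lines; strip all whitespace first.
            certs.add(base64.b64decode("".join((cert.text or "").split())))
    return certs


def tls_client_cert_trusted(metadata_xml, presented_der):
    """Decide whether a back-channel TLS client certificate is trusted.

    Metadata gives the relying party nothing but the signing KeyDescriptors to
    compare against, so the signing set is the TLS trust set as well.
    """
    return presented_der in certs_for_use(metadata_xml, "signing")


# Constructed sample: one signing key and one separate encryption key.
SAMPLE_SP_METADATA = build_sp_metadata([
    ("signing", SIGNING_CERT_DER),
    ("encryption", ENCRYPTION_CERT_DER),
])

if __name__ == "__main__":
    print(tls_client_cert_trusted(SAMPLE_SP_METADATA, SIGNING_CERT_DER))     # True
    print(tls_client_cert_trusted(SAMPLE_SP_METADATA, ENCRYPTION_CERT_DER))  # False
```

The consequence for an operator is the one the post states: to let the IdP trust a client TLS certificate, publish it in a signing `KeyDescriptor`; asking for a distinct "TLS-only" key slot asks for something the metadata format cannot express. A key published without `use` is accepted for signing, encryption and TLS alike, which is why the example treats an absent attribute as matching both.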



