Re: saml2 mtls issue

Corin.Langosch at swisscom.com Corin.Langosch at swisscom.com
Tue Nov 9 15:08:56 UTC 2021


Hello Scott,

thank you very much for your quick reply. Could you please provide me with a reference for "... and that's not even technically a thing the SAML standard would allow one to do.". The IDP is asking for it 🙁

Kind regards
Corin

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, 9 November 2021 15:20
To: Shib Users <users at shibboleth.net>
Subject: Re: saml2 mtls issue

SAML itself equates TLS and signing in metadata, there is no means of separating them.

Artifact itself is by and large unused anyway, so not supporting that is also usually an option.

You also don't need to sign anything unless you're trying to support logout, so not signing at all is probably an option.

You act as though the IdP gets a say in this; it does not. They're your keys. You decide what they are, it simply needs a means of trusting them, but it doesn't get to dictate the things you're just letting it dictate. There is no reason to require the signing and client TLS keys be separate and that's not even technically a thing the SAML standard would allow one to do.

-- Scott


--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
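As an added illustration of the point Scott makes above (this is example code, not from the thread or from the Shibboleth project), the following Python check applies the SAML metadata key-use rule to a constructed SP metadata document: a KeyDescriptor whose use attribute is "signing" or absent is trusted both for verifying XML signatures and for TLS client authentication, and no attribute value designates a TLS-only key, so the two key sets always come out identical. The entityID and certificate values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata; certificate values are placeholders, not real keys.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-A-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-B-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-C-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def trusted_keys(metadata_xml: str) -> dict:
    """Return the certificates a relying party may trust for each purpose.

    Metadata rule: use="signing" or no use attribute -> trusted for XML
    signature verification AND for TLS client authentication;
    use="encryption" or no use attribute -> trusted for encryption.
    There is no attribute value that designates a TLS-only key.
    """
    root = ET.fromstring(metadata_xml)
    purposes = {"signing": set(), "tls_client": set(), "encryption": set()}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")  # None means the key is usable for any purpose
        certs = {c.text.strip() for c in kd.iterfind(".//ds:X509Certificate", NS)}
        if use in (None, "signing"):
            purposes["signing"] |= certs
            purposes["tls_client"] |= certs  # same key set by definition
        if use in (None, "encryption"):
            purposes["encryption"] |= certs
    return purposes


if __name__ == "__main__":
    keys = trusted_keys(SAMPLE_SP_METADATA)
    print({p: sorted(c) for p, c in keys.items()})
    assert keys["signing"] == keys["tls_client"]  # metadata cannot separate them
```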

