Verification of signed AuthnRequests

Max Spicer max.spicer at york.ac.uk
Mon Nov 22 11:04:33 UTC 2021


Does the IDP (4.0.1) always verify the signature on signed AuthnRequests
unless ignoreRequestSignatures
<https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631694/SAML2SSOConfiguration>
has been set to true?

We have an SP that is sending us signed AuthnRequests. We see occasional
signature verification issues for this SP and in investigating this I
discovered that that SP's advertised metadata did not match the metadata
for them that we have in our IdP. The new metadata contains only one key
with use="signing" and this key is different to the key in our metadata. We
have a relying party override for this SP to set signAssertions="true",
encryptAssertions="false".

The SP have confirmed that they are using the key in their advertised
metadata. We only get signed AuthnRequests from this SP, and so I cannot
understand how SSO is currently working if this is the case.

Thanks,

Max Spicer