Validating SAML signatures

Cantor, Scott cantor.2 at
Mon Nov 29 13:23:59 UTC 2021

Signing requests is silly, so generally speaking you're just wasting time trying to fix somebody else's bug that doesn't have a whole lot of impact. The IdP contains a setting now to ignore signed requests to deal with this sort of mess, again because it has no security implications.

For a signature to matter (and by matter I don't mean "provides much benefit"), the SP would have to be correlating responses and blocking unsolicited responses. I know of maybe 1 or 2 that do that that I've ever seen.

-- Scott
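As an added illustration of the SP-side correlation Scott describes (not code from this thread or from any Shibboleth product), the sketch below shows what an SP has to do for a request signature to matter at all: remember the AuthnRequest IDs it issued and refuse any Response whose InResponseTo is missing, unknown, expired or already consumed. The class name, TTL and ID format are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class RequestCorrelator:
    """Tracks AuthnRequest IDs an SP has issued so that unsolicited
    or replayed Responses can be rejected (hypothetical helper)."""
    ttl_seconds: float = 300.0                      # assumed request lifetime
    outstanding: dict = field(default_factory=dict)  # request ID -> expiry

    def issue_request_id(self, now=None):
        """Mint an ID for an outgoing AuthnRequest and remember it."""
        now = time.time() if now is None else now
        rid = "_" + secrets.token_hex(16)            # NCName-safe random ID
        self.outstanding[rid] = now + self.ttl_seconds
        return rid

    def check_response(self, in_response_to, now=None):
        """Return (accepted, reason) for the InResponseTo of a Response.
        Each issued ID may be consumed exactly once."""
        now = time.time() if now is None else now
        if not in_response_to:
            return (False, "unsolicited: Response carries no InResponseTo")
        expiry = self.outstanding.pop(in_response_to, None)
        if expiry is None:
            return (False, "InResponseTo not issued by this SP or already used")
        if now > expiry:
            return (False, "InResponseTo refers to an expired request")
        # Drop other stale entries so the table does not grow unbounded.
        self.outstanding = {k: v for k, v in self.outstanding.items() if v >= now}
        return (True, "ok")
```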

