Validating SAML signatures
Cantor, Scott
cantor.2 at osu.edu
Mon Nov 29 13:23:59 UTC 2021
Signing requests is silly, so generally speaking you're just wasting the time on trying to fix somebody else's bug that doesn't have a whole lot of impact. The IdP contains a setting now to ignore signed requests to deal with this sort of mess, again because it has no security implications.
For a signature to matter (and by matter I don't mean "provides much benefit"), the SP would have to be correlating responses and blocking unsolicited responses. I know of maybe 1 or 2 that do that that I've ever seen.
-- Scott
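The correlation Scott describes, shown as an added illustration (not code from the Shibboleth SP or this thread): the SP remembers the IDs of the AuthnRequests it issued, rejects any Response whose InResponseTo is missing or unknown, and consumes each ID so a response cannot be replayed. Class and function names are assumed for the example.

```python
"""SP-side AuthnRequest/Response correlation for SAML 2.0.
Illustrative code, not the Shibboleth SP's own: remember issued request IDs,
reject Responses whose InResponseTo is absent or unknown (unsolicited), and
consume each ID so a response cannot be replayed."""
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class RequestCorrelator:
    """Tracks outstanding AuthnRequest IDs with an expiry window."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing expiry
        self._pending = {}  # request ID -> expiry timestamp

    def issue_request_id(self):
        # SAML IDs are xs:ID (NCName), so they must not start with a digit.
        rid = "_" + secrets.token_hex(16)
        self._pending[rid] = self.clock() + self.ttl
        return rid

    def accept_response(self, response_xml):
        """True only for a samlp:Response answering an outstanding request."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False
        in_response_to = root.get("InResponseTo")
        if not in_response_to:
            return False  # unsolicited (e.g. IdP-initiated): reject
        expiry = self._pending.pop(in_response_to, None)  # single use
        if expiry is None:
            return False  # unknown or already-consumed request ID
        return self.clock() <= expiry


def demo():
    """Constructed samples: solicited, unsolicited, then a replay of the first."""
    c = RequestCorrelator()
    rid = c.issue_request_id()
    solicited = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" '
                 f'InResponseTo="{rid}" Version="2.0"/>')
    unsolicited = f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0"/>'
    return (c.accept_response(solicited),
            c.accept_response(unsolicited),
            c.accept_response(solicited))
```

Signature verification on the Response itself is a separate step that this check does not replace.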