Simple signature validation

Cantor, Scott cantor.2 at osu.edu
Thu Oct 13 00:04:23 UTC 2022


>    The SP has a portal where I submit the certificate and generate its
> metadata. That's what I put in our IDP. Their techs said that is the
> certificate used to sign the request. 

They're wrong, starting with the fact that public keys and certificates don't create signatures, private keys do. You can't be uploading a certificate that does anything related to this problem unless you're also uploading the corresponding private key for it to use, which would be silly to do.

You can upload *your* certificate, you can't upload theirs. It has to come from them.

They also shouldn't be signing the AuthnRequests in the first place, that's not a useful thing to do.

Then there's the fact that OpenSAML 3 is end-of-life and unsupported...

-- Scott
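To make the key-role point concrete, here is an added example that is not part of the original post and not OpenSAML or Shibboleth code. It builds two RSA key pairs standing in for the SP and the IdP, signs a request with the SP's private key, and shows that only the SP's public key (the one the IdP has to obtain from the SP's metadata) verifies it; the IdP's own key, the one you could upload to the SP portal, does not. The `Party` and `Metadata` types, the entity IDs and the request bytes are assumptions made for the example; a real SAML signature is computed over a canonicalized XML document, not raw bytes, and the key normally travels inside an X.509 certificate in metadata.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one SAML participant's key pair (an assumption for this example).
// Only the private key can sign; anyone holding the public key can verify.
type Party struct {
	EntityID string
	priv     *rsa.PrivateKey
	Pub      *rsa.PublicKey
}

// NewParty generates a fresh key pair for the named entity.
func NewParty(entityID string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{EntityID: entityID, priv: k, Pub: &k.PublicKey}, nil
}

// Sign creates an RSA PKCS#1 v1.5 / SHA-256 signature over msg using the
// party's private key. This is the only operation that needs the private key.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, h[:])
}

// Verify checks sig over msg against a public key. It returns nil only when
// sig was produced by the private key matching pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// Metadata models the IdP's registry of SP signing keys keyed by entityID,
// the role metadata plays in SAML (an assumption for this example).
type Metadata map[string]*rsa.PublicKey

// ValidateAuthnRequest verifies a signed request claimed to come from
// issuer, using whatever key the IdP has registered for that issuer.
// If the wrong certificate was registered (for example the IdP's own),
// validation fails even though the request is genuine.
func (m Metadata) ValidateAuthnRequest(issuer string, req, sig []byte) error {
	pub, ok := m[issuer]
	if !ok {
		return errors.New("no signing key registered for issuer " + issuer)
	}
	if err := Verify(pub, req, sig); err != nil {
		return fmt.Errorf("signature from %s did not verify: %w", issuer, err)
	}
	return nil
}

func main() {
	sp, _ := NewParty("https://sp.example.org/shibboleth")
	idp, _ := NewParty("https://idp.example.edu/idp/shibboleth")

	// Constructed stand-in for an AuthnRequest; real SAML signs canonical XML.
	req := []byte(`<samlp:AuthnRequest ID="_c0ffee" Version="2.0"/>`)
	sig, _ := sp.Sign(req)

	fmt.Println("SP key verifies SP signature:  ", Verify(sp.Pub, req, sig) == nil)
	fmt.Println("IdP key verifies SP signature: ", Verify(idp.Pub, req, sig) == nil)

	right := Metadata{sp.EntityID: sp.Pub}  // SP's cert, obtained from the SP
	wrong := Metadata{sp.EntityID: idp.Pub} // IdP's own cert filed under the SP
	fmt.Println("validate with SP's cert:  ", right.ValidateAuthnRequest(sp.EntityID, req, sig))
	fmt.Println("validate with IdP's cert: ", wrong.ValidateAuthnRequest(sp.EntityID, req, sig))
}
```

The `wrong` registry is the situation described in the thread: a certificate that never saw the SP's private key cannot validate anything the SP signs, whoever supplied it.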



