Simple signature validation

Cantor, Scott cantor.2 at
Thu Oct 13 00:04:23 UTC 2022

>    The SP has a portal where I submit the certificate and generate it's
> metadata. That's what I put in our IDP. There techs said that is the
> certificate used to sign the request. 

They're wrong, starting with the fact that public keys and certificates don't create signatures, private keys do. You can't be uploading a certificate that does anything related to this problem unless you're also uploading the corresponding private key for it to use, which would be silly to do.

You can upload *your* certificate, you can't upload theirs. It has to come from them.

They also shouldn't be signing the AuthnRequests in the first place, that's not a useful thing to do.

Then there's the fact that OpenSAML 3 is end-of-life and unsupported...

-- Scott

More information about the users mailing list