<div dir="ltr">Hi,<div><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><i>I am new to shibboleth and working on configuring our IdP with FortiPortal. We want to use</i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><i>IdP initiated SSO, and we also use IdP initiated SSO for some other vendors and those working fine</i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><i>My question is related to use of </i><i>AuthnRequestsSigned="true" </i><i>in the FortiPortal SP metadata. In their metadata </i>AuthnRequestsSigned attribute is<i style="font-family:Arial,Helvetica,sans-serif"> set it to true,</i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><i style="font-family:Arial,Helvetica,sans-serif"> as they would like it set, then I get this error on the</i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><i>IdP:
</i>ERROR [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:87] - SPSSODescriptor for entity ID '-----' indicates AuthnRequests must be signed, but inbound message was not signed</pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)">16:44:54.524 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:406] - Message did not meet security requirements<br>org.opensaml.ws.security.SecurityPolicyException: Inbound AuthnRequest was required to be signed but was not<i>
</i><i>
</i><i> Is there a way to configure IdP initiated SSO for AuthnRequestsSigned="true"
</i><i> without breaking our other IdP initiated SSO implementations? what changes can we do in relying party to resolve this issue?</i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><i>These config are present in my relying-party.xml:</i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><i><br></i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"> <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" <br> assertionLifetime="PT5M" assertionProxyCount="0" <br> signResponses="conditional" signAssertions="always" <br> encryptAssertions="never" encryptNameIds="never"<br> includeConditionsNotBefore="true"/><i><br></i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType"><br> <security:Rule xsi:type="samlsec:Replay"/><br> <security:Rule xsi:type="samlsec:IssueInstant"/><br> <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/><br> <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/><br> <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/><br> <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/><br> <security:Rule xsi:type="samlsec:MandatoryIssuer"/><br> </security:SecurityPolicy></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)">Is there any changes can be done in these so it works fine and I want to add one more point if I comment
<security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
this line then it does not show error in log but I get redirect to fortiportal errorSamlSSO page :https:<Forti_Portal>/fpc/login/errorSamlSSO</pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)">Can anyone please suggest me the way what changes can be done at IDP side so that AuthRequest get signed.
<i> </i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><i>Thanks and Regards,</i></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><i>Abhishek</i></pre></div></div>