[overlord-issues] [JBoss JIRA] (SRAMP-436) Overlord SSO (IDP/SP) needs to have SAML assertion sigs enabled by default
Eric Wittmann (JIRA)
issues at jboss.org
Thu May 15 10:51:57 EDT 2014
[ https://issues.jboss.org/browse/SRAMP-436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12968162#comment-12968162 ]
Eric Wittmann commented on SRAMP-436:
-------------------------------------
Note: the SAML bearer token auth technique *is* signing the assertions by default. But the SSO doesn't sign its assertion prior to returning it to the SP. And the SP doesn't check for a sig. Both of these need to be fixed. I anticipate that a resulting challenge will be how to configure the path to the keystore. Perhaps we can have custom versions of the servlet filters which can do platform-specific searching for it.
> Overlord SSO (IDP/SP) needs to have SAML assertion sigs enabled by default
> --------------------------------------------------------------------------
>
> Key: SRAMP-436
> URL: https://issues.jboss.org/browse/SRAMP-436
> Project: S-RAMP
> Issue Type: Enhancement
> Security Level: Public(Everyone can see)
> Reporter: Eric Wittmann
> Assignee: Eric Wittmann
> Fix For: 0.5.0 - API Management
>
>
> Currently we're not signing the SAML assertions. We need to do that.
--
This message was sent by Atlassian JIRA
(v6.2.3#6260)
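The two gaps the comment above names, an IdP that hands back an unsigned assertion and an SP that never looks for a signature, as an added example that is not Overlord's, S-RAMP's or PicketLink's code: a JDK-only (javax.xml.crypto.dsig) IdP-side signer that puts an enveloped XML-DSig signature on an assertion, and an SP-side verifier that fails closed when the signature is missing and verifies only against the IdP key it was configured with. The assertion layout, the key handling and the class and helper names are assumptions made for the demonstration; the keystore-path problem the comment raises is sidestepped by passing the key objects in directly.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.security.*;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

// Added example, not Overlord/PicketLink code. Assertion shape and names are assumptions for the demo.
public class AssertionSigningDemo {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG_NS = XMLSignature.XMLNS;
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** IdP side: build a minimal (hypothetical) assertion and put an enveloped XML-DSig signature on it. */
    static Document buildSignedAssertion(PrivateKey idpKey, String assertionId) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element assertion = doc.createElementNS(SAML_NS, "saml:Assertion");
        assertion.setAttributeNS(XMLConstants.XMLNS_ATTRIBUTE_NS_URI, "xmlns:saml", SAML_NS);
        assertion.setAttribute("ID", assertionId);
        assertion.setIdAttribute("ID", true);              // lets the URI="#id" Reference resolve while signing
        doc.appendChild(assertion);
        Element subject = doc.createElementNS(SAML_NS, "saml:Subject");
        Element nameId = doc.createElementNS(SAML_NS, "saml:NameID");
        nameId.setTextContent("alice");
        subject.appendChild(nameId);
        assertion.appendChild(subject);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + assertionId,
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        // No KeyInfo on purpose: the SP must use the IdP key it was configured with, never one shipped in the message.
        fac.newXMLSignature(si, null).sign(new DOMSignContext(idpKey, assertion));
        return doc;
    }

    /** SP side: reject an unsigned assertion outright, verify only against the configured IdP key. */
    static boolean verifyAssertion(Document doc, PublicKey trustedIdpKey) throws Exception {
        Element assertion = doc.getDocumentElement();
        if (!SAML_NS.equals(assertion.getNamespaceURI()) || !"Assertion".equals(assertion.getLocalName())) return false;
        assertion.setIdAttribute("ID", true);              // a freshly parsed DOM does not know ID is an ID attribute
        NodeList sigs = assertion.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1) return false;           // missing (or duplicated) signature: fail closed
        Node sigNode = sigs.item(0);
        if (sigNode.getParentNode() != assertion) return false;  // the signature must sit directly under the assertion
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trustedIdpKey), sigNode);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;              // checks SignatureValue and every Reference digest
        // The signature must cover this very assertion, not some other element (signature-wrapping defence).
        String expected = "#" + assertion.getAttribute("ID");
        for (Object r : sig.getSignedInfo().getReferences()) {
            if (expected.equals(((Reference) r).getURI())) return true;
        }
        return false;
    }

    static String toXml(Document doc) throws Exception {
        StringWriter w = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, so no XXE
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair();
        KeyPair rogue = kpg.generateKeyPair();            // an attacker's own key pair
        String xml = toXml(buildSignedAssertion(idp.getPrivate(), "_a1b2c3"));
        System.out.println("signed by IdP, trusted key: " + verifyAssertion(parse(xml), idp.getPublic()));
        System.out.println("signed by IdP, rogue key:   " + verifyAssertion(parse(xml), rogue.getPublic()));
        System.out.println("NameID altered in transit:  " + verifyAssertion(parse(xml.replace(">alice<", ">admin<")), idp.getPublic()));
        Document stripped = parse(xml);
        Element a = stripped.getDocumentElement();
        a.removeChild(a.getElementsByTagNameNS(DSIG_NS, "Signature").item(0));
        System.out.println("signature stripped:         " + verifyAssertion(stripped, idp.getPublic()));
    }
}
```

Only the first of the four checks in main passes; the wrong-key, tampered and signature-stripped cases are all refused. Two design choices matter more than the signing itself: the verifier ignores any KeyInfo the message might carry and uses only the key it was configured with (accepting an embedded key would let anyone sign their own assertion), and it requires both that the Signature be a direct child of the assertion and that its Reference URI point at that assertion's ID, which is the usual defence against signature-wrapping attacks. In a real deployment the IdP private key and the SP's trusted IdP certificate come from a keystore, which is exactly the path-configuration problem the comment anticipates.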