Anil Saldhana updated JBID-160:
-------------------------------
Fix Version/s: IDFED-1.0.0.beta1
(was: IDFED-1.0.0.alpha5)
Marcel, assign this issue to yourself.

IDPWebBrowserSSOValve: by default sign outgoing messages and ignore incoming signatures
---------------------------------------------------------------------------------------
Key: JBID-160
URL: https://jira.jboss.org/jira/browse/JBID-160
Project: JBoss Identity
Issue Type: Feature Request
Components: Identity-Federation
Affects Versions: IDFED-1.0.0.alpha4
Reporter: Marcel Kolsteren
Assignee: Anil Saldhana
Fix For: IDFED-1.0.0.beta1

The current version of IDPWebBrowserSSOValve has a supportSignature property that
controls the use of signatures. When signature support is on (which is the default), the
outgoing messages are signed, while incoming messages are rejected if they don't have
a valid signature.

In the Web Browser SSO profile, where the SP is the relying party, it is very important
that the SP validates the authenticity and integrity of authentication responses received
from the IDP. The other way around, it is less important for the IDP to validate incoming
messages. Therefore, the IDPWebBrowserSSOValve should at least have support for the
situation where only the outgoing messages are signed.

Therefore, the intention is to replace the supportSignature property with two
properties:
- ignoreIncomingSignatures (default: true)
- signOutgoingMessages (default: true)