Darran Lofthouse reassigned WFLY-9614:
--------------------------------------
Assignee: (was: Darran Lofthouse)
Make keystore optional in SSO configuration
-------------------------------------------
Key: WFLY-9614
URL: https://issues.jboss.org/browse/WFLY-9614
Project: WildFly
Issue Type: Bug
Components: Security, Web (Undertow)
Affects Versions: 11.0.0.Final
Reporter: Martin Choma
Keystore is required [1], thus the logout message is signed by default.
It is questionable whether the security brought by this is worth the default command complexity, as:
* Integrity of messages could be achieved on the node-to-node communication level
* If the message was not signed, the attacker needs to know the HTTP session id to do harm. Once the
attacker knows the HTTP session id, he can do a lot more useful attacks than logging out the user.
Some long communication on the topic occurred in the WildFly Elytron HipChat room 2017-12-7 -
2017-12-11.
[1] https://docs.jboss.org/author/display/WFLY/Web+Single+Sign-On
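The trade-off the report describes, as an added illustration that is not WildFly code and does not reproduce its actual logout message format: the keystore is modelled as an optional shared HMAC key, and `verify_logout` with `key=None` stands for the proposed "keystore not configured" case, where a node has nothing to check a signature against and accepts any well-formed logout message for a known session id.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical model of a cluster-internal SSO logout message (constructed for
# this illustration; not WildFly's wire format). The keystore is reduced to an
# optional shared HMAC key so the signed / unsigned cases can be compared.


def _mac(body: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sign_logout(session_id: str, key: bytes) -> dict:
    """Build a logout message for session_id and sign it with key."""
    body = {"op": "logout", "session": session_id}
    return {**body, "sig": _mac(body, key)}


def verify_logout(message: dict, key: Optional[bytes]) -> bool:
    """Return True if the message should be acted on by the receiving node.

    key=None models the optional keystore being absent: there is no key to
    verify against, so integrity rests entirely on the transport between nodes
    and on the session id staying secret (the reporter's second bullet).
    """
    well_formed = message.get("op") == "logout" and "session" in message
    if not well_formed:
        return False
    if key is None:
        return True
    body = {k: v for k, v in message.items() if k != "sig"}
    # compare_digest keeps the signature check constant-time.
    return hmac.compare_digest(_mac(body, key), message.get("sig", ""))


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; stands in for the keystore entry
    sid = "ABC123"  # constructed session id
    genuine = sign_logout(sid, key)
    # A message built by someone who knows the session id but not the key.
    forged = {"op": "logout", "session": sid, "sig": "0" * 64}
    return {
        "genuine_with_key": verify_logout(genuine, key),
        "forged_with_key": verify_logout(forged, key),
        "forged_without_key": verify_logout(forged, None),
    }
```

With the key configured, the forged message is rejected; with the keystore omitted, the same message is accepted, which is exactly the exposure the report argues is acceptable given what session-id knowledge already permits.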