Right. That is why I told you that I get your point.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, November 7, 2014 12:01:56 PM
Subject: Re: SAML IDP defaults
The way SAML is architected, if the SP accepts unverifiable requests,
then anybody can spoof the IDP, and there really is no security.
On 11/7/2014 8:37 AM, Pedro Igor Silva wrote:
I'm not sure, Bill. There are a number of different use cases; people
should choose what they want. Not sure if it is a good thing to force users to always use
signatures.
If you want to provide good interoperability with other implementations, it is better to
keep these options.
I understand your point, but I don't think this would be appealing to your community
(and users from PL and other vendors).
Maybe you can just organize that UI better in order to make it simpler and avoid user
mistakes.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org, "Pedro Igor Silva" <psilva(a)redhat.com>
Sent: Wednesday, November 5, 2014 12:25:10 PM
Subject: SAML IDP defaults
I think there are too many configuration options for Keycloak SAML IDP
support. Don't you think it is safe to require that
1) IDP always signs SAML documents
2) Require SP to also always sign documents
#1 should definitely be a default and unchangeable. Can't the SP just
ignore it anyway? Not sure about #2.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com