I don't think so. That would be an RFE :)
Everything is signed when you enable signatures ....
Feel free to open a JIRA. That is something easy to support ...
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Thursday, October 16, 2014 1:08:10 PM
Subject: RE: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
I see, that is PicketLink's IDP behavior.
The IDP (from another vendor) that my PicketLink SP is interacting with does NOT want
signed AuthnRequest, but it will sign assertion in response.
So my question is from my PicketLink SP's point of view: could it be configured to not sign
AuthnRequest, but still be able to verify signature of assertion in response?
Thanks,
Adam
-----Original Message-----
From: Pedro Igor Silva [mailto:psilva@redhat.com]
Sent: Thursday, October 16, 2014 9:02 AM
To: Adam Dong
Cc: security-dev(a)lists.jboss.org
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
If your IdP is configured to support signatures and you send an unsigned AuthnRequest, it
will allow you to authenticate. However, once you submit your credentials the IdP will
process the AuthnRequest (which was previously stored) and it will fail because it is not
signed.
So the SAML response/assertion will never be sent to the SP.
----- Original Message -----
From: "Adam Dong" <adamdong(a)vidder.com>
Cc: security-dev(a)lists.jboss.org
Sent: Thursday, October 16, 2014 12:54:13 PM
Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
To send AuthnRequest without signature (without signing), but can still verify the
signature of assertion in the response ?
Thanks,
Adam