Yeah, there is
IdP SSO Metadata wantAuthnRequestsSigned
and
SP SSO Metadata authnRequestsSigned
The first is to indicate that the IdP should enforce signatures for AuthnRequests. The second
one is to indicate if authn requests must be signed by the SP.
This is something we need to review in PL IdP. Today it is only considering the
authnRequestsSigned from SP metadata. But it should also understand
wantAuthnRequestsSigned.
The same thing at the SP side, we need to consider authnRequestsSigned. And this is what
Adam is looking for ...
Regards.
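As an added illustration of the two metadata flags discussed above (this is example code, not PicketLink's own), the snippet below reads `WantAuthnRequestsSigned` from an IdP's `IDPSSODescriptor` and `AuthnRequestsSigned` / `WantAssertionsSigned` from an SP's `SPSSODescriptor` and derives what each side has to do; the metadata documents are constructed samples, and the XML attribute names are the SAML 2.0 metadata spellings rather than the lowercase forms used in the mail.

```python
"""Derive AuthnRequest/assertion signing obligations from SAML 2.0 metadata."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample metadata (entity IDs are placeholders). Metadata fetched
# from a remote party is untrusted input: parse it with defusedxml instead.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example/saml">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                   protocolSupportEnumeration="{PROTO}"/>
</EntityDescriptor>"""

IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example/saml">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
                    protocolSupportEnumeration="{PROTO}"/>
</EntityDescriptor>"""


def _flag(root, descriptor, attr):
    """Boolean metadata attribute on the role descriptor; absent means false."""
    node = root.find(f"{{{MD_NS}}}{descriptor}")
    if node is None:
        raise ValueError(f"{descriptor} missing from metadata")
    return node.get(attr, "false").strip().lower() in ("true", "1")


def signing_policy(sp_xml, idp_xml):
    """Combine both parties' flags into what the SP and the IdP must enforce."""
    sp = ET.fromstring(sp_xml)
    idp = ET.fromstring(idp_xml)
    sp_signs = _flag(sp, "SPSSODescriptor", "AuthnRequestsSigned")
    idp_wants = _flag(idp, "IDPSSODescriptor", "WantAuthnRequestsSigned")
    sp_wants_assertions = _flag(sp, "SPSSODescriptor", "WantAssertionsSigned")
    # If either side asks for signed AuthnRequests, the SP has to sign them and
    # the IdP has to reject unsigned ones; the flags are otherwise independent.
    return {
        "sp_must_sign_authnrequest": sp_signs or idp_wants,
        "idp_must_verify_authnrequest": sp_signs or idp_wants,
        "sp_must_verify_assertion": sp_wants_assertions,
        # A disagreement between the two flags is worth flagging at deploy time.
        "mismatch": sp_signs != idp_wants,
    }


if __name__ == "__main__":
    for key, value in signing_policy(SP_METADATA, IDP_METADATA).items():
        print(f"{key}: {value}")
```

With `WantAuthnRequestsSigned="false"` on the IdP side the same SP metadata yields the unsigned-request, signed-assertion combination Adam asks about further down the thread.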
----- Original Message -----
From: "Mike Cirioli" <mcirioli(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: "Adam Dong" <adamdong(a)vidder.com>, security-dev(a)lists.jboss.org
Sent: Thursday, October 16, 2014 1:58:51 PM
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
I think you are correct Pedro, I was not thinking about the fact that
enabling signing at the IdP side is separate from the SP side as well.
Checking the configs on my dev idp I see the following:
For my IdP:
picketlink.xml -> supportSignatures=true
sp-metadata.xml wantAssertionsSigned=true authnRequestsSigned=false
for my test SP:
picketlink.xml --> SupportsSignature=true
Looking at the SAMLtracer output, I see that the incoming authn request
is being signed, but that the IdP is not validating the signature.
-mike
On 10/16/2014 12:15 PM, Pedro Igor Silva wrote:
But I think we had an issue to change this behavior and always sign
AuthnRequest when signatures are enabled. Maybe you are supporting that because you're
not considering the latest changes.
----- Original Message -----
From: "Mike Cirioli" <mcirioli(a)redhat.com>
To: "Adam Dong" <adamdong(a)vidder.com>, "Pedro Igor Silva"
<psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Thursday, October 16, 2014 1:12:06 PM
Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
Adam -
If I understand what you are asking correctly, that is exactly the
scenario we have for all the SPs available through our internal
PicketLink IdP. Authn requests are not signed, but all assertions are
being signed by the IdP and validated by the SPs.
-mike
On 10/16/2014 12:08 PM, Adam Dong wrote:
> I see, that is PicketLink's IDP behavior.
>
> The IDP (from another vendor) that my picketlink SP is interacting with does NOT want
> signed AuthnRequest, but it will sign the assertion in the response.
>
> So my question is from my picketlink SP point of view: could it be configured to not
> sign AuthnRequest, but still be able to verify the signature of the assertion in the response?
>
> Thanks,
> Adam
>
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva@redhat.com]
> Sent: Thursday, October 16, 2014 9:02 AM
> To: Adam Dong
> Cc: security-dev(a)lists.jboss.org
> Subject: Re: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
>
> If your IdP is configured to support signatures and you send an unsigned AuthnRequest,
> it will allow you to authenticate. However, once you submit your credentials the IdP will
> process the AuthnRequest (which was previously stored) and it will fail because it is not
> signed.
>
> So the SAML response/assertion will never be sent to the SP.
>
> ----- Original Message -----
> From: "Adam Dong" <adamdong(a)vidder.com>
> Cc: security-dev(a)lists.jboss.org
> Sent: Thursday, October 16, 2014 12:54:13 PM
> Subject: [security-dev] How to configure ServiceProviderAuthenticator to do this ?
>
>
> To send AuthnRequest without signature (without signing), but can still verify the
> signature of assertion in the response?
>
> Thanks,
> Adam
>
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev