This repository has been archived by the owner on Nov 29, 2022. It is now read-only.
SES-45: Problematic logic regarding whether requests are signed #51
Labels: in: core (An issue in spring-security-saml-core); type: bug (A general bug); type: jira (An issue that was migrated from JIRA)
Rob Moore (Migrated from SES-45) said:
Currently the generated metadata states that requests will be signed. However, the code relies on the IDP's metadata to determine if the requests should be signed (see line 92 of WebSSOProfileImpl). This results in a case where Microsoft ADFS (formerly Geneva) rejects the request because, as an IDP, it does not require that authentication requests be signed, but it enforces the SP's assertion that it will sign the requests it sends to the IDP.
This can be worked around if the IDP is configured to require signed requests (http://social.msdn.microsoft.com/Forums/en/Geneva/thread/88394bb2-9dad-45fd-8dfa-60155d2af37c), but there may be instances where this kind of configuration isn't possible across the board (that is, there may be a mix of SP types -- some that support/require signing and some that do not).
I suggest that the SP's descriptor's value be used instead or that both descriptors be consulted to determine whether signing is required.
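An added example, not code from the spring-security-saml project, that reads the two metadata attributes involved (AuthnRequestsSigned on the SP's SPSSODescriptor and WantAuthnRequestsSigned on the IdP's IDPSSODescriptor) and contrasts the IdP-only decision described in the report with one that consults both descriptors. The metadata documents and entity IDs are constructed samples.

```python
"""Decide whether an AuthnRequest must be signed from SAML metadata.

Bug described in the issue: only the IdP's WantAuthnRequestsSigned was
consulted, so an SP whose metadata promised AuthnRequestsSigned="true" sent
unsigned requests, and an IdP that enforces the SP's own promise (the ADFS
case) rejected them. Added example, not the project's code.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample metadata (hypothetical entity IDs, not real deployments).
SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.test/saml">
  <SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="{PROTO}"/>
</EntityDescriptor>"""

IDP_METADATA_NOT_REQUIRING = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.test/adfs">
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="{PROTO}"/>
</EntityDescriptor>"""


def _xs_bool(value):
    # xs:boolean accepts true/false/1/0; an absent attribute means false.
    return value is not None and value.strip() in ("true", "1")


def sp_promises_signing(sp_metadata: str) -> bool:
    # What the SP advertises to the IdP about its own requests.
    root = ET.fromstring(sp_metadata)
    desc = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    return desc is not None and _xs_bool(desc.get("AuthnRequestsSigned"))


def idp_wants_signing(idp_metadata: str) -> bool:
    # What the IdP demands of incoming requests.
    root = ET.fromstring(idp_metadata)
    desc = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    return desc is not None and _xs_bool(desc.get("WantAuthnRequestsSigned"))


def should_sign_buggy(sp_metadata: str, idp_metadata: str) -> bool:
    # Behaviour the issue reports: only the IdP descriptor is consulted.
    return idp_wants_signing(idp_metadata)


def should_sign_fixed(sp_metadata: str, idp_metadata: str) -> bool:
    # Suggested fix: sign if either descriptor says so, because a strict IdP
    # holds the SP to the AuthnRequestsSigned value its metadata published.
    return sp_promises_signing(sp_metadata) or idp_wants_signing(idp_metadata)
```

With the constructed pair above, the buggy check answers "do not sign" while the SP metadata promised signing, which is exactly the mismatch the strict IdP rejects; the fixed check answers "sign".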