Subject: Re: [saml-dev] SAMLResponse validation
Peter Buus wrote at 2017-6-26 10:18 +0200:
>I am currently implementing SAML SSO to a loadbalancer from a major vendor and I am having discussions with the vendor on correct SAMLResponse validation.
>
>I am acting as IDP and the vendor loadbalancer as SP.
>
>The loadbalancer does not support metadata import, but rather allows me to manually upload the IDP Certificate (along with endpoints and IDs).
>
>My IDP certificate is MyIDP issued by MyCA.
>
>If uploading MyIDP (my first choice) as IDP Certificate the SAMLResponse validation fails.
>
>In order to pass SAMLResponse validation in the loadbalancer I need to upload MyCA as IDP Certificate.

Strange. Are you sure that you sign the response with the private key associated with "MyIDP" (and not "MyCA")? If this is the case, then "MyCA" should not be able to verify the signature (but only "MyIDP"), and if your response does not contain "MyIDP", then the knowledge of "MyCA" (alone) should not be able to guess "MyIDP".

-- Dieter
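Dieter's point, worked through as an added example (not code from the thread or from any vendor product): a response signed with MyIDP's private key verifies only against MyIDP's public key, so an SP that pins the uploaded certificate must be given MyIDP, not MyCA. One SP design consistent with the behaviour Peter reports, used here purely as a hypothesis, is to treat the uploaded certificate as the issuer of whatever signing certificate the response carries; that accepts MyCA and rejects MyIDP, and it also accepts any other certificate MyCA has issued, which is why the pinned model is the tighter one. Go standard library only; the CA, the IdP certificates and the response bytes are all constructed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn, self-signed when parent is nil, otherwise signed by parent.
// Everything here is constructed test data, not real IdP material; errors are ignored for brevity.
func newCert(cn string, isCA bool, parentKey *rsa.PrivateKey, parent *x509.Certificate) (*rsa.PrivateKey, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// signResponse signs the canonicalised response bytes, as XML-DSig RSA-SHA256 does after c14n.
func signResponse(resp []byte, idpKey *rsa.PrivateKey) []byte {
	h := sha256.Sum256(resp)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, h[:])
	return sig
}

// verifyPinned checks the signature only against the public key of the certificate uploaded to the SP.
func verifyPinned(resp, sig []byte, uploaded *x509.Certificate) bool {
	h := sha256.Sum256(resp)
	pub, ok := uploaded.PublicKey.(*rsa.PublicKey)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// verifyIssuedBy models an SP that treats the uploaded certificate as the issuer of the signer certificate
// carried in the response (KeyInfo): it checks that issuance, then the signature with the signer's key.
func verifyIssuedBy(resp, sig []byte, signer, uploaded *x509.Certificate) bool {
	return signer.CheckSignatureFrom(uploaded) == nil && verifyPinned(resp, sig, signer)
}
```

With MyCA issued by newCert("MyCA", true, nil, nil) and MyIDP issued from it, a response signed with MyIDP's key gives verifyPinned true for MyIDP and false for MyCA, while verifyIssuedBy gives false for MyIDP and true for MyCA, matching the behaviour Peter reports.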