OASIS Mailing List Archives

saml-dev message


Subject: SAMLResponse validation



I am currently implementing SAML SSO to a load balancer from a major vendor, and I am having discussions with the vendor on correct SAMLResponse validation.

I am acting as IDP and the vendor load balancer as SP.


The load balancer does not support metadata import, but rather allows me to manually upload the IDP Certificate (along with endpoints and IDs).

My IDP certificate is MyIDP issued by MyCA.

If I upload MyIDP (my first choice) as the IDP Certificate, SAMLResponse validation fails.

In order to pass SAMLResponse validation in the load balancer I need to upload MyCA as the IDP Certificate.

In my understanding this is clearly incorrect. To demonstrate the erroneous behavior I issued a new certificate, MyFakeIDP (also issued by MyCA), and when using this as the token-signing certificate the load balancer readily accepts the SAMLResponse, now signed by MyFakeIDP (unknown to the load balancer).


I have made several attempts to argue with the vendor's support, and they have sent me responses like:


If we look at the SAML Response, we can already see that the Public Certificate is being sent in the Response, and so it doesn't need to be configured on the load balancer. The issuing Certificate needs to be configured in order to verify this public certificate.


…especially having to configure the Token Signing cert we think is not absolutely necessary


Can anybody clarify on this?





Peter Buus

Signaturgruppen A/S
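
As an added reproduction of the two validation policies under discussion (this script is not part of the original post and is not the vendor's code), the shell script below uses the openssl CLI to build a throwaway MyCA, issue MyIDP and MyFakeIDP from it, sign a constructed stand-in for the SAMLResponse with each key, and then run both checks: the vendor's (accept whatever certificate rides in KeyInfo as long as it chains to the configured CA) and the pinned check a SAML SP is supposed to perform (the signing certificate must be the configured IdP certificate itself). The file names, serial numbers, the contents of response.xml and the use of a detached RSA signature in place of real XML-DSig are all assumptions made for the example.

```shell
#!/bin/sh
# Constructed example: fresh MyCA, two leaves issued by it, and a stand-in
# "SAMLResponse" signed by each leaf key. Demonstrates why chaining to the
# CA is the wrong trust decision for an IdP signing certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA (name taken from the post).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=MyCA" \
    -keyout MyCA.key -out MyCA.pem >/dev/null 2>&1

issue_leaf() {   # $1 = name, $2 = serial (assumed values)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -set_serial "$2" -in "$1.csr" \
        -CA MyCA.pem -CAkey MyCA.key -out "$1.pem" >/dev/null 2>&1
}
issue_leaf MyIDP 1001        # the real token-signing certificate
issue_leaf MyFakeIDP 1002    # also issued by MyCA, never configured on the SP

# Stand-in for the signed response. Real SAML uses XML-DSig over the
# canonicalised element; a detached signature over a file is enough to
# show the trust decision, which is the point in dispute.
printf '<samlp:Response ID="_constructed" Destination="https://sp.example/acs"/>\n' > response.xml
sign_response() {  # $1 = signer name -> writes $1.sig
    openssl dgst -sha256 -sign "$1.key" -out "$1.sig" response.xml
}
sign_response MyIDP
sign_response MyFakeIDP

# Raw signature check against the public key of whichever certificate the SP chose to trust.
verify_with_cert() {  # $1 = cert, $2 = signature file
    openssl x509 -in "$1" -noout -pubkey > "$1.pub"
    openssl dgst -sha256 -verify "$1.pub" -signature "$2" response.xml >/dev/null 2>&1
}

fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Vendor's policy: take the certificate carried in <ds:KeyInfo>, accept it if it
# chains to the configured CA, then verify the signature with it. Consequence:
# every certificate MyCA has ever issued is a valid IdP signing key.
vendor_policy() {  # $1 = cert from KeyInfo, $2 = signature
    openssl verify -CAfile MyCA.pem "$1" >/dev/null 2>&1 || return 1
    verify_with_cert "$1" "$2"
}

# Pinned policy: the KeyInfo certificate is only a hint. It must match the IdP
# signing certificate configured on the SP (compared here by SHA-256 fingerprint);
# whether it chains to any CA is irrelevant.
pinned_policy() {  # $1 = cert from KeyInfo, $2 = signature, $3 = pinned IdP cert
    [ "$(fingerprint "$1")" = "$(fingerprint "$3")" ] || return 1
    verify_with_cert "$1" "$2"
}

show() { "$@" >/dev/null 2>&1 && echo "ACCEPT  $*" || echo "REJECT  $*"; }
show vendor_policy MyIDP.pem     MyIDP.sig
show vendor_policy MyFakeIDP.pem MyFakeIDP.sig             # accepted: the behaviour the post objects to
show pinned_policy MyIDP.pem     MyIDP.sig     MyIDP.pem
show pinned_policy MyFakeIDP.pem MyFakeIDP.sig MyIDP.pem   # rejected: not the configured certificate
```

The second line is the case from the post: MyFakeIDP chains to MyCA, so the vendor policy accepts a response the configured IdP never signed, while the pinned policy rejects it. Metadata import pins the signing certificate implicitly (the KeyDescriptor in the IdP's metadata); with manual upload, the uploaded certificate must be compared against the signing certificate, not used as a trust anchor for it. A real SP additionally has to validate the XML-DSig references, canonicalisation and that the signature covers the assertion being consumed; the script models only the key-trust step.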


