[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: SAMLResponse validation
Hi, I am currently implementing SAML SSO to a loadbalancer from a major vendor and I am having discussions with the vendor on correct SAMLResponse validation. I am acting as IDP and the vendor loadbalancer as SP. The loadbalancer does not support metadata import, but rather allows me to manually upload the IDP Certificate (along with endpoints and ID’s) My IDP certificate is MyIDP issued by MyCA. If uploading MyIDP (my first choice) as IDP Certificate the SAMLResponse validation fails. In order to pass SAMLResponse validation in the loadbalancer I need to upload MyCA as IDP Certificate. In my understanding this is clearly incorrect. In order to demonstrate the erroneous behavior I issued a new certificate MyFakeIDP (also issued by MyCA) and if using this as tokensigning certificate the loadbalancer readily accepts the SAMLResponse now signed by MyFakeIDP (unknown to the loadbalancer). I have made several attempts to argue with the vendors support – and they have sent me responses like: “If we look at the SAML Response, we can already see that the Public Certificate is being sent in the Response, and so it doesn't need to be configured on the Loadbalancer. The issuing Certificate needs to be configured in order to verify this public certificate. ” “…specially having to configure the Token Signing cert we think is not absolutely necessary” Can anybody clarify on this? Regards Peter Buus Signaturgruppen A/S Denmark |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]