OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] SAMLResponse validation

Peter Buus wrote at 2017-6-26 10:18 +0200:
>I am currently implementing SAML SSO to a loadbalancer from a major vendor and I am having discussions with the vendor on correct SAMLResponse validation.
>I am acting as IDP and the vendor loadbalancer as SP.
>The loadbalancer does not support metadata import, but rather allows me to manually upload the IDP Certificate (along with endpoints and ID’s)
>My IDP certificate is MyIDP issued by MyCA.
>If uploading MyIDP (my first choice) as IDP Certificate the SAMLResponse validation fails.
>In order to pass SAMLResponse validation in the loadbalancer I need to upload MyCA as IDP Certificate.


Are you sure that you sign the response with the private key
associated with "MyIDP" (and not "MyCA")?

If this is the case, then "MyCA" should not be able to verify
the signature (but onle "MyIDP") and if your response does
not contain "MyIDP", then the knowledge of "MyCA" (alone)
should not be able to guess "MyIDP".


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]