Subject: RE: [saml-dev] SAMLResponse validation
> Strange.
>
> Are you sure that you sign the response with the private key associated with "MyIDP" (and not "MyCA")?
>
> If this is the case, then "MyCA" should not be able to verify the signature (but only "MyIDP") and if your response does not contain "MyIDP", then the knowledge of "MyCA" (alone) should not be able to guess "MyIDP".

Yes - I am sure the scenario is as described

Yes - I am convinced that this is an obvious and severe error in the load balancer's SAML validation

No - I have not been able to make the vendor realize their error

No - I have not been able to find the specification stating that you need to validate the SAML Assertion against the IDP certificate - and not just the issuing CA
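The distinction discussed in this message, as an added example that is not part of the original post or any vendor's code: a relying party accepts the certificate embedded in a response only when it is exactly the IdP certificate it has pinned, not merely one issued by the same CA. The certificate bytes, `PINNED`, and all function names are constructed for illustration, and verifying the signature with the matched certificate's key is left to an XML-DSig library.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed placeholder bytes standing in for DER certificates (not real certs).
MYIDP_CERT = b"constructed: MyIDP signing certificate, issued by MyCA"
SIBLING_CERT = b"constructed: some other certificate, also issued by MyCA"

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

# Assumption: pinned from the IdP's metadata when the trust was configured.
PINNED = {fingerprint(MYIDP_CERT)}

def embedded_signer_cert(response_xml: str) -> Optional[bytes]:
    """Return the certificate embedded in the Response's own Signature, if any."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return None
    node = root.find(CERT_PATH, NS)
    if node is None or not (node.text or "").strip():
        return None
    try:
        return base64.b64decode("".join(node.text.split()), validate=True)
    except ValueError:
        return None

def signer_is_pinned_idp(response_xml: str, pinned: Iterable[str]) -> bool:
    """Trust decision only: is the embedded signer cert exactly a pinned IdP cert?
    Chaining to the same CA is not sufficient for a match."""
    der = embedded_signer_cert(response_xml)
    if der is None:
        return False  # no embedded cert to compare against the pin: reject here
    got = fingerprint(der)
    return any(hmac.compare_digest(got, fp) for fp in pinned)

def build_response(cert: bytes) -> str:
    """Constructed, minimal Response skeleton carrying only KeyInfo."""
    b64 = base64.b64encode(cert).decode()
    return ('<samlp:Response xmlns:samlp="%s" xmlns:ds="%s"><ds:Signature><ds:KeyInfo>'
            '<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></ds:Signature></samlp:Response>' % (NS["samlp"], NS["ds"], b64))
```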