saml-dev message



Subject: RE: [saml-dev] SAMLResponse validation


> Strange.
>
> Are you sure that you sign the response with the private key associated with "MyIDP" (and not "MyCA")?
>
> If this is the case, then "MyCA" should not be able to verify the signature (but only "MyIDP") and if your response does not contain "MyIDP", then the knowledge of "MyCA" (alone) should not be able to guess "MyIDP".

Yes - I am sure the scenario is as described
Yes - I am convinced that this is an obvious and severe error in the load balancer's SAML validation
No - I have not been able to make the vendor realize their error
No - I have not been able to find the specification stating that you need to validate the SAML Assertion against the IDP certificate - and not just the issuing CA
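The check the reply describes as missing, written up as an added example (not code from the thread, the load balancer vendor, or any SAML library): the certificate carried in ds:KeyInfo is pinned to the signing certificates the SP has registered from the IdP's metadata for that Issuer, so a certificate that merely chains to "MyCA" is rejected. The entityID, certificate bytes and Response XML are constructed placeholders; a real SP still has to verify the XML signature itself with the pinned certificate (for example via an xmlsec library).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificates (not real X.509 data). Imagine both
# issued by "MyCA": a check that only walks the chain to MyCA accepts either one.
MYIDP_CERT_DER = b"constructed-der-bytes-for-MyIDP"
OTHER_CERT_DER = b"constructed-der-bytes-for-another-MyCA-subscriber"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

# Trust store as an SP builds it from the IdP's metadata (<md:KeyDescriptor
# use="signing">): issuer entityID -> allowed signing-cert fingerprints.
TRUSTED_IDP_SIGNING_KEYS = {
    "https://myidp.example/saml": {fingerprint(MYIDP_CERT_DER)},  # assumed entityID
}

def signing_cert_is_pinned(response_xml: str) -> bool:
    """True only if the ds:KeyInfo certificate is one registered for this Issuer.
    This picks the trust anchor; the XML signature must still be verified with it."""
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    cert_b64 = root.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if not issuer or not cert_b64:
        return False                        # no Issuer or no key material: reject
    allowed = TRUSTED_IDP_SIGNING_KEYS.get(issuer.strip())
    if not allowed:
        return False                        # Issuer is not a registered IdP
    der = base64.b64decode("".join(cert_b64.split()))
    return fingerprint(der) in allowed      # must be MyIDP's key, not merely MyCA-issued

def build_response(issuer: str, cert_der: bytes) -> str:
    """Constructed minimal Response with an Issuer and a KeyInfo certificate (no real signature)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}"><saml:Issuer>{issuer}</saml:Issuer>'
        f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>'
    )
```

Pinning by fingerprint is one way to express the rule; matching the full certificate or public key from metadata works equally well, the point being that the accepted key set is per IdP and not "anything MyCA signed".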


