Marek Denis
2014-08-19 14:21:08 UTC
Hello,
Continuing this thread. I am currently in the middle of writing a
piece of software for creating a SAML assertion to be consumed by a
SP. Providing I already know the SP endpoint
(sp.com/Shibboleth.sso/SAML2/POST) I shall use for sending my SAML
assertion, do I actually need any other information from the SP
Metadata? Why would an SP expose its public key? Is it used for
validating that the SAML request was issued and unchanged somewhere
between SP and IDP?
Thanks.
Not sure you can have unsolicited responses with ECP, from the top of
my head. For one I think the IDP would need an endpoint to do
IDP-initiated ECP, which probably no IDP has.

Strictly speaking, true. So I should amend my answer to say that it
requires spoofing a request from an SP, and yes, that can break some SP
implementations. Doesn't affect mine of course.

Ah, right. So you'd simply do that in your ECP client too.
(Ignoring for the moment what the OP's perceived problem with
SP-initiated is, or how an agent controlling an ECP client would even
know the difference.)
-peter
--
Marek Denis
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org