KantaraInitiative / SAMLprofiles

SAML interoperability and deployment profiles

Various actions from last call. #124

Closed scantor closed 5 years ago

scantor commented 5 years ago

I reordered the IDP04-IDP06 items for better continuity in addition to the proposed changes. One change I made that is in line with how I meant things but was not clear from the wording is that it actually makes it possible for IdPs to simply refuse to attempt signature verification as long as they fail if a request is signed. The rationale is around allowing throttling by IdPs to limit the computational cost if somebody fed in thousands of signed requests.

I decided against adding an SP item for "SP's may sign request" but could be persuaded to do so. The best argument for including it would necessitate explaining that older saml2int explicitly allowed IdPs to ignore signatures.
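The behaviour described in the comment above, sketched as an added example that is not part of the pull request or the profile text: an IdP either verifies a signed request or fails it, and never silently processes it as if it were unsigned. It assumes the HTTP-Redirect binding, where the signature travels in the `Signature` query parameter; `VerificationBudget`, `decide` and the sample query strings are hypothetical names and constructed values.

```python
import time
from urllib.parse import parse_qs

# Constructed sample query strings (placeholder values, not real SAML messages).
UNSIGNED = "SAMLRequest=PLACEHOLDER&RelayState=abc"
SIGNED = UNSIGNED + "&SigAlg=PLACEHOLDER&Signature=PLACEHOLDER"


def redirect_request_is_signed(query_string):
    """String check only: no cryptographic work is done to detect a signature."""
    # keep_blank_values so that an empty "Signature=" still counts as signed.
    return "Signature" in parse_qs(query_string, keep_blank_values=True)


class VerificationBudget:
    """Token bucket capping how many signature verifications the IdP attempts."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def take(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def decide(query_string, budget=None):
    """Return the IdP's action; budget=None models an IdP that never verifies."""
    if not redirect_request_is_signed(query_string):
        return "process-unsigned"
    if budget is not None and budget.take():
        # The caller must now verify and fail the request if verification fails.
        return "verify-signature"
    # Signed but not verified: fail it, never fall back to the unsigned path.
    return "reject"
```
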

scantor commented 5 years ago

Closing in favor of a new PR to make some revisions.