Yaco-Sistemas / asynchronous-provisioning

Asynchronous provisioning using SAML2 AttributeQuery for SimpleSAMLphp

Verification of SOAP clients #1

Open peter- opened 10 years ago

peter- commented 10 years ago

Background: Use of self-signed certs for securing SAML protocol messages is the recommended model today (based on http://saml2int.org/ which in turn references SAMLMetaIOP, which in section 2.6.1 basically removes the difference between self-signed certs and CA-issued ones by explicitly ruling out PKIX trust path validation).

As such the method of just disabling checking of client certs wholesale in sp_patch.diff does not seem appropriate. I'd still want the software to validate the client, but based on the public keys in the SAML metadata for that SP (the SOAP client), not on PKIX trust path validation based on the CA certs used for TLS/SSL.

pitbulk commented 10 years ago

Thanks for the info. Olav already told us the same: the patch should not be applied on a production server, only on a testing server where untrusted certs are available.
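The model peter- describes above (demand a client certificate on the SOAP endpoint, skip PKIX path building, and decide trust purely by whether the presented key appears in the SP's SAML metadata) is what the production setup should do instead of the sp_patch.diff approach pitbulk says is for test servers only. The following is an added illustration in Go using only the standard library; it is not SimpleSAMLphp code nor anything from this repository. It assumes the SP's metadata certificates have already been parsed out of `<md:KeyDescriptor>/<ds:X509Certificate>` by some loader, and the certificates it generates are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyPin is the SHA-256 of a certificate's DER SubjectPublicKeyInfo. Pinning the
// key rather than the certificate is what SAML metadata trust amounts to: subject,
// issuer, validity and chain are irrelevant, only the public key matters.
func keyPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinsFromMetadata builds the trusted key set for one SP from the certificates its
// metadata carries. Parsing the metadata XML is assumed to happen elsewhere.
func pinsFromMetadata(metadataCerts []*x509.Certificate) map[string]bool {
	pins := make(map[string]bool, len(metadataCerts))
	for _, c := range metadataCerts {
		pins[keyPin(c)] = true
	}
	return pins
}

// verifySOAPClient returns a tls.Config.VerifyPeerCertificate callback. It ignores
// verifiedChains (with RequireAnyClientCert Go builds none) and accepts the
// handshake only if the leaf certificate's key is one published in metadata.
func verifySOAPClient(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no client certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the leaf
		if err != nil {
			return fmt.Errorf("unparsable client certificate: %w", err)
		}
		if !pins[keyPin(leaf)] {
			return fmt.Errorf("client key %s... not in SP metadata", keyPin(leaf)[:16])
		}
		return nil
	}
}

// serverTLSConfig is the hardened counterpart of disabling client-cert checks: a
// client certificate is still required, PKIX validation is skipped, and trust is
// decided by the metadata key pins alone.
func serverTLSConfig(pins map[string]bool, serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{serverCert},
		MinVersion:            tls.VersionTLS12,
		ClientAuth:            tls.RequireAnyClientCert,
		VerifyPeerCertificate: verifySOAPClient(pins),
	}
}

// selfSignedCert makes a throwaway self-signed certificate of the kind an SP
// publishes in its metadata (constructed test material, not a real SP's key).
func selfSignedCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// runDemo exercises the callback: the SP's metadata key passes, a rogue self-signed
// certificate with the same CommonName fails, and an empty chain fails.
func runDemo() (spAccepted, rogueRejected, emptyRejected bool, err error) {
	spCert, _, err := selfSignedCert("sp.example.org")
	if err != nil {
		return false, false, false, err
	}
	rogueCert, _, err := selfSignedCert("sp.example.org") // same name, different key
	if err != nil {
		return false, false, false, err
	}
	verify := verifySOAPClient(pinsFromMetadata([]*x509.Certificate{spCert}))
	spAccepted = verify([][]byte{spCert.Raw}, nil) == nil
	rogueRejected = verify([][]byte{rogueCert.Raw}, nil) != nil
	emptyRejected = verify(nil, nil) != nil
	return spAccepted, rogueRejected, emptyRejected, nil
}

func main() {
	a, r, e, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("metadata key accepted: %v, rogue key rejected: %v, no cert rejected: %v\n", a, r, e)
}
```

The point of the rogue certificate is that anything a CA or a subject name would tell you is ignored on purpose: a certificate with the right CommonName but a key absent from metadata is refused, and the SP's own self-signed certificate is accepted without any issuer being configured. When the SP rolls its key, the new certificate goes into its metadata and the pin set is rebuilt; no CA bundle on the IdP side changes.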