Background: Use of self-signed certs for securing SAML protocol messages is the recommended model today (based on http://saml2int.org/ which in turn references SAMLMetaIOP, which in section 2.6.1 basically removes the difference between self-signed certs and CA-issued ones by explicitly ruling out PKIX trust path validation).
As such, the method of just disabling checking of client certs wholesale in sp_patch.diff seems not appropriate. I'd still want the software to validate the client, but based on public keys in SAML metadata for that SP (the SOAP client), not PKIX trust path validation based on CA certs used for TLS/SSL.
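The check described above (accept the SOAP client's TLS certificate only if its public key appears in that SP's SAML metadata, with no PKIX path building at all), as an added example; this is not code from the original post, from sp_patch.diff or from any named project. It assumes a metadata document containing one EntityDescriptor with `md:KeyDescriptor`/`ds:X509Certificate` entries and compares SHA-256 fingerprints of the SubjectPublicKeyInfo, so a renewed self-signed certificate carrying the same key keeps matching. The certificate and metadata are constructed inline (synthetic, unsigned) purely so the block runs offline; the entityID, function names and the `fake_*` helpers are illustrative.

```python
"""Validate a SOAP/TLS client certificate by key against SAML metadata.

Added example for the thread above, not code from the original post or any
named project. Instead of PKIX path validation against the TLS CA bundle, the
peer certificate is accepted only if its SubjectPublicKeyInfo matches a key
the SP publishes in <md:KeyDescriptor> (the SAMLMetaIOP trust model).
Standard library only; the cert and metadata below are constructed samples.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def der_encode(tag, content):
    """Minimal DER TLV encoder (only used to build the constructed sample cert)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_elements(body):
    """Split a DER SEQUENCE body into (tag, raw_tlv, value) tuples."""
    out, pos = [], 0
    while pos < len(body):
        start, tag, length, pos = pos, body[pos], body[pos + 1], pos + 2
        if length & 0x80:                              # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[start:pos + length], body[pos:pos + length]))
        pos += length
    return out

def spki_from_cert(cert_der):
    """Raw SubjectPublicKeyInfo TLV of an X.509 certificate (RFC 5280, section 4.1)."""
    _, _, cert_body = der_elements(cert_der)[0]        # Certificate ::= SEQUENCE
    _, _, tbs_body = der_elements(cert_body)[0]        # tbsCertificate
    fields = der_elements(tbs_body)
    if fields[0][0] == 0xA0:                           # version [0] EXPLICIT is optional
        fields = fields[1:]
    tag, raw, _ = fields[5]   # serial, signature, issuer, validity, subject, SPKI
    if tag != 0x30:
        raise ValueError("malformed certificate: no SubjectPublicKeyInfo")
    return raw

def key_fingerprint(cert_der):
    """SHA-256 over the SPKI: a renewed self-signed cert with the same key still matches."""
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def trusted_key_fingerprints(metadata_xml, entity_id):
    """Keys the named SP publishes for signing/TLS use (no use attribute = any use)."""
    fps = set()
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iter(f"{{{MD}}}KeyDescriptor"):
            if kd.get("use") == "encryption":          # encryption-only keys do not authenticate
                continue
            for c in kd.iter(f"{{{DS}}}X509Certificate"):
                fps.add(key_fingerprint(base64.b64decode(c.text)))
    return fps

def client_cert_is_trusted(peer_cert_der, metadata_xml, entity_id):
    """The check to run on the DER the TLS stack hands back after the handshake."""
    return key_fingerprint(peer_cert_der) in trusted_key_fingerprints(metadata_xml, entity_id)

# --- constructed sample data: structurally valid, unsigned, illustrative only ---
def fake_spki(seed):
    rsa = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101")) + der_encode(0x05, b""))
    return der_encode(0x30, rsa + der_encode(0x03, b"\x00" + hashlib.sha256(seed).digest()))

def fake_cert(spki, serial):
    sha256_rsa = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + der_encode(0x05, b""))
    name = der_encode(0x30, b"")                       # empty issuer/subject Name
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"260101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, bytes([serial]))
                     + sha256_rsa + name + validity + name + spki)
    return der_encode(0x30, tbs + sha256_rsa + der_encode(0x03, b"\x00" + bytes(8)))

SP_ID = "https://sp.example.org/shibboleth"            # hypothetical entityID
SP_KEY = fake_spki(b"sp-key")
SP_CERT_IN_METADATA = fake_cert(SP_KEY, 1)
SP_CERT_RENEWED = fake_cert(SP_KEY, 2)                 # same key, new self-signed cert
OTHER_CERT = fake_cert(fake_spki(b"someone-else"), 3)
METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{SP_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(SP_CERT_IN_METADATA).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for cert in (SP_CERT_IN_METADATA, SP_CERT_RENEWED, OTHER_CERT):
        print(client_cert_is_trusted(cert, METADATA, SP_ID))
```

Two practical caveats. With PKIX path validation switched off for the SOAP listener, this key comparison is the only authentication of the client, so the metadata it reads must itself be signature-verified and refreshed on a schedule; under this model the certificate's issuer and validity dates carry no weight, and metadata freshness is what bounds how long a leaked key stays trusted. Keys marked `use="encryption"` are skipped deliberately, since a key published only for encrypting assertions to the SP says nothing about who is connecting.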
Thanks for the info.
Olav already told us the same, that the patch may not be applied on a production server.
Only on a testing server where no trusted certs are available.