Closed peterox closed 6 years ago
The default behavior remains the same: SAML request/response signing is on by default. If the following Identity Provider attributes are explicitly set to false, you can skip providing the certfile and keyfile attributes in the Service Provider configuration: sign_requests, sign_metadata, signed_assertion_in_resp and signed_envelopes_in_resp. Here is an example:
```elixir
service_providers: [
  %{
    id: "do-good-affiliates-sp",
    entity_id: "urn:do-good.org:affiliates-app"
  }
],
identity_providers: [
  %{
    id: "affiliates",
    sp_id: "do-good-affiliates-sp",
    base_url: "http://do-good.org/sso",
    metadata_file: "idp_metadata.xml",
    # pre_session_create_pipeline: MySamlyPipeline,
    # use_redirect_for_req: false,
    sign_requests: false,
    sign_metadata: false,
    signed_assertion_in_resp: false,
    signed_envelopes_in_resp: false,
    allow_idp_initiated_flow: false,
    allowed_target_urls: ["http://do-good.org"]
  }
]
```
Hi there,
My understanding is that the certfile and key in the SP config are ONLY used for signing requests. The certificate in the metadata from the IdP is used to verify signed responses. Is that not correct?
If it is correct, then why do signed_assertion_in_resp and signed_envelopes_in_resp need to be false when there is no certfile and/or key?
Peter
You are correct! Do you mind sending a PR? Thanks.
Thanks. Will update the doc.
If sign_requests and sign_metadata are set to false, then there should be no need to supply a certificate or key.
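To make the point of this thread concrete, here is an added example (written for this page, not code from the Samly project) that checks which key material a configuration actually needs: the SP's certfile/keyfile only matter when sign_requests or sign_metadata is on, while signed_assertion_in_resp and signed_envelopes_in_resp are verified with the certificate the IdP publishes in its metadata. The config dicts mirror the keys quoted above, the flag defaults follow the README statement that signing is on by default, and the IdP metadata is a constructed sample whose X509Certificate value is a placeholder, not a real certificate. It also flags the configuration quoted at the top of the thread, where turning off both signed_*_in_resp flags means the SP would accept unsigned responses.

```python
"""Which key material a Samly-style SP/IdP configuration actually needs.

Added example, not Samly code. Config keys are modelled as plain dicts; the
IdP metadata is a constructed sample with a placeholder certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata; the X509Certificate value is a placeholder.
IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_signing_certs(metadata_xml):
    """Base64 certificates the IdP publishes for verifying its signatures.

    A KeyDescriptor with no `use` attribute is valid for both signing and
    encryption, so it counts; use="encryption" does not.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return certs


def check_key_material(sp, idp, metadata_xml):
    """Return (level, message) findings for one SP/IdP pair.

    Flags default to True (signing on by default). Only the SP's own signing
    needs certfile/keyfile; response verification needs the IdP metadata cert.
    """
    findings = []
    sp_signs = idp.get("sign_requests", True) or idp.get("sign_metadata", True)
    sp_has_key = bool(sp.get("certfile")) and bool(sp.get("keyfile"))
    if sp_signs and not sp_has_key:
        findings.append(("error", "sign_requests/sign_metadata need SP certfile and keyfile"))
    elif not sp_signs and sp_has_key:
        findings.append(("info", "certfile/keyfile present but nothing is signed with them"))

    verifies = idp.get("signed_assertion_in_resp", True) or idp.get("signed_envelopes_in_resp", True)
    if verifies and not idp_signing_certs(metadata_xml):
        findings.append(("error", "response verification enabled but IdP metadata has no signing cert"))
    if not verifies:
        findings.append(("warning", "neither assertions nor envelopes are verified; unsigned responses accepted"))
    return findings


# SP without certfile/keyfile, as in the thread.
SP_NO_KEY = {"id": "do-good-affiliates-sp", "entity_id": "urn:do-good.org:affiliates-app"}

# The configuration quoted at the top: every flag off, so no SP key is needed,
# but the SP no longer verifies anything the IdP sends.
IDP_ALL_OFF = {
    "id": "affiliates", "sp_id": "do-good-affiliates-sp",
    "sign_requests": False, "sign_metadata": False,
    "signed_assertion_in_resp": False, "signed_envelopes_in_resp": False,
}

# Peter's reading: skip SP signing only, keep verifying the IdP's signatures.
IDP_VERIFY_ONLY = {**IDP_ALL_OFF, "signed_assertion_in_resp": True, "signed_envelopes_in_resp": True}

# Default (signing on) with no certfile/keyfile configured.
IDP_DEFAULTS = {"id": "affiliates", "sp_id": "do-good-affiliates-sp"}

if __name__ == "__main__":
    for name, idp in [("all off", IDP_ALL_OFF), ("verify only", IDP_VERIFY_ONLY), ("defaults", IDP_DEFAULTS)]:
        print(name, check_key_material(SP_NO_KEY, idp, IDP_METADATA))
```

Run as a script it reports a warning for the all-off config, nothing for the verify-only config, and an error for the defaults without a key. The design choice worth noting is that the two sides are decided independently: the SP key is a pure function of sign_requests/sign_metadata, and response verification is a pure function of the signed_*_in_resp flags plus what the IdP metadata contains.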