CAS 6.3.7.3 Log4j always signing Assertion when built with saml-idp


Matthew Gordon

Dec 15, 2021, 9:32:12 AM
to CAS Community
After applying the latest 6.3 version to mitigate the log4j issue, all assertions seem to be signed despite "signAssertions": false, in the service config.

Any suggestions?

Thank you,
Matt

Matthew Gordon

Dec 15, 2021, 10:35:17 AM
to CAS Community, Matthew Gordon
It was metadata related. It appears like it honors the metadata's preferences over the service config.

Changed:
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

To:
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

Thank you,
Matt
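
A check for the mismatch reported in this thread, where the SP metadata's WantAssertionsSigned took effect over "signAssertions" in the service config. This is an added example, not code from the posts or from the CAS project; the service definition, metadata, entityID and function names are constructed for illustration, and a missing "signAssertions" is assumed to mean false.

```python
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample inputs (not taken from the thread).
SERVICE_JSON = """
{
  "serviceId": "https://sp.example.org/saml",
  "name": "example-sp",
  "signAssertions": false
}
"""

SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def xs_bool(value, default=False):
    """Parse an xs:boolean attribute; the lexical forms are true/false/1/0."""
    if value is None:
        return default
    return value.strip() in ("true", "1")


def find_signing_mismatches(service_json, metadata_xml):
    """Return (entityID, service signAssertions, metadata WantAssertionsSigned)
    for each SPSSODescriptor that disagrees with the service definition."""
    service = json.loads(service_json)
    # Assumption: an absent signAssertions key is treated as false.
    configured = bool(service.get("signAssertions", False))
    root = ET.fromstring(metadata_xml)  # parse only metadata files you trust
    entity_tag = f"{{{MD_NS}}}EntityDescriptor"
    # Accept a single EntityDescriptor or an EntitiesDescriptor aggregate.
    entities = [root] if root.tag == entity_tag else list(root.iter(entity_tag))
    mismatches = []
    for entity in entities:
        for sp in entity.iter(f"{{{MD_NS}}}SPSSODescriptor"):
            # SAML metadata treats an omitted WantAssertionsSigned as false.
            wanted = xs_bool(sp.get("WantAssertionsSigned"))
            if wanted != configured:
                mismatches.append((entity.get("entityID"), configured, wanted))
    return mismatches


if __name__ == "__main__":
    for entity_id, configured, wanted in find_signing_mismatches(SERVICE_JSON, SP_METADATA):
        print(f"{entity_id}: signAssertions={configured}, WantAssertionsSigned={wanted}")
```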