[Shib-Users] Shibboleth IdP - How to force AuthnRequests to be signed


Chartrel, Olivier
Aug 20, 2009, 8:33:26 AM
to shibbole...@internet2.edu

Hello,

I am currently configuring Shibboleth IdP v.2.1.2, SAML v.2.0 and the POST profile, and I am facing a problem.

I want the Shibboleth IdP application to refuse AuthnRequest messages that are not signed by the Service Provider.

Is there a way to do so with the Shibboleth IdP application?

If so, could you tell me how to do it?

Thank you in advance for your answers…

Regards,

Olivier CHARTREL

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

Chad La Joie
Aug 20, 2009, 8:44:19 AM
to shibbole...@internet2.edu
In the relying-party.xml, look at the bottom, past the part that says
"DO NOT EDIT BELOW THIS POINT", and look at the SAML 2 attribute query
security policy. See the security policy rules
"ProtocolWithXMLSignature" and "MandatoryMessageAuthentication"? Copy
and paste those into the SAML 2 SSO security policy. You might also
consider copying the "SAML2HTTPPostSimpleSign" if you're okay treating
SimpleSign signatures the same way as XML signatures.

If you're going to do this, make sure your IdP's metadata also indicates
that it requires signed authentication requests.

Chartrel, Olivier wrote:
> Hello,
>
> I am currently configuring Shibboleth IdP v.2.1.2, SAML v.2.0 and POST profile, and I am facing a problem.
>
> I want the Shibboleth IdP application to refuse AuthnRequest messages that are not signed by the Service Provider.
> Is there a way to do so with Shibboleth IdP application ?
> If so, could you indicate me how to do it ?
>

> Thank you in advance for your answers...
>
> Regards,
> Olivier CHARTREL
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Paul Hethmon
Aug 20, 2009, 8:46:07 AM
to Shibboleth Users
On 8/20/09 8:33 AM, "Chartrel, Olivier" <olivier....@capgemini.com> wrote:

> I want the Shibboleth IdP application to refuse AuthnRequest messages that are not signed by the Service Provider.
> Is there a way to do so with Shibboleth IdP application ?
> If so, could you indicate me how to do it ?

Make sure the SP metadata indicates that AuthnRequests must be signed. That is the SP metadata you load into Shib.

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

God does not play dice with the universe; He plays an ineffable game of his own devising, which might be compared, from the perspective of any of the other players, to being involved in an obscure and complex version of poker in a pitch dark room, with blank cards, for infinite stakes, with a dealer who won't tell you the rules, and who smiles all the time.

 -- Terry Pratchett, Good Omens
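The configuration the two replies describe, collected into one worked example. This is an added illustration, not text from the thread or from the Shibboleth project's documentation. It assumes the element id `shibboleth.SAML2SSOSecurityPolicy`, the trust engine name `shibboleth.SignatureTrustEngine` and the `security`/`samlsec` namespace prefixes are the ones declared in the stock IdP 2.x relying-party.xml; the two metadata fragments are abbreviated and the certificate is a placeholder. The point worth keeping in mind when reading it: `ProtocolWithXMLSignature` and the SimpleSign rule only verify a signature that is present, so without `MandatoryMessageAuthentication` an unsigned AuthnRequest still passes. The `WantAuthnRequestsSigned` and `AuthnRequestsSigned` metadata flags declare the requirement to the other side; the policy rule is what turns an unsigned message into a rejection.

```xml
<!-- relying-party.xml (Shibboleth IdP 2.x): the SAML 2 SSO security policy with the
     two rules copied over from the attribute-query policy, as the reply suggests.
     Prefix declarations assumed on the root element, as in the stock file:
       xmlns:security="urn:mace:shibboleth:2.0:security"
       xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml"
     The id and trustEngineRef values are taken from the stock file. -->
<security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy"
                         xsi:type="security:ShibbolethSecurityPolicy">

    <!-- Stock rules: reject replayed message IDs and stale IssueInstant values. -->
    <security:Rule xsi:type="samlsec:Replay"/>
    <security:Rule xsi:type="samlsec:IssueInstant"/>

    <!-- Copied from the attribute-query policy. Verifies an XML signature on the
         AuthnRequest against the SP's signing key in its metadata. On its own it only
         checks a signature that is present; an unsigned message is not rejected here. -->
    <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
                   trustEngineRef="shibboleth.SignatureTrustEngine"/>

    <!-- Optional, per the reply: treat the HTTP-POST-SimpleSign binding's detached
         signature as equivalent to an XML signature. Leave it out if only XML
         signatures should count as authentication. -->
    <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign"
                   trustEngineRef="shibboleth.SignatureTrustEngine"/>

    <!-- Stock rule: the message must carry an Issuer. -->
    <security:Rule xsi:type="samlsec:MandatoryIssuer"/>

    <!-- Copied from the attribute-query policy. This is the rule that actually refuses
         an unsigned AuthnRequest: it fails unless one of the rules above authenticated
         the message, so it must come after the signature rules. -->
    <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>

</security:SecurityPolicy>

<!-- IdP metadata (idp-metadata.xml): advertise that requests must be signed. -->
<IDPSSODescriptor WantAuthnRequestsSigned="true"
                  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- ... KeyDescriptor, NameIDFormat, SingleSignOnService as before ... -->
</IDPSSODescriptor>

<!-- SP metadata loaded into the IdP: the SP declares that it signs its requests and
     publishes the signing certificate the trust engine will verify them against. -->
<SPSSODescriptor AuthnRequestsSigned="true"
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <!-- placeholder: the SP's base64 signing certificate goes here -->
                <ds:X509Certificate>MIIC...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>
    <!-- ... AssertionConsumerService etc. as before ... -->
</SPSSODescriptor>
```

To check the change, send the IdP an unsigned AuthnRequest from a test SP after restarting it: the request should be refused with a security policy failure recorded in idp-process.log, while a request signed with the key in the SP's metadata proceeds to authentication. If the SP's metadata has no `use="signing"` key (or no key at all), the signed request fails as well, since the trust engine has nothing to verify against.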
