request.sign vs. request.signing

49 views
Skip to first unread message

Jochen Lienhard

unread,
Apr 24, 2009, 3:49:57 AM4/24/09
to simple...@googlegroups.com
Hi,

I have a strange effect.

IdP = simplesamlphp (Saml2)
2 SPs = Shibboleth 2.x

When I have both in my metadata (saml2.idp.hosted) - request.sign = true
AND request.signing = true -
the logout works fine. If I remove request.singing = true from the
config, the second SP has a problem,
because the Logout request is not signed.

Could it be, that you have forget changing something?

My simplesaml is up to date (direct checkout).

Greetings

Jochen

--
Dr. rer. nat. Jochen Lienhard
UB Universität Freiburg
Dezernat EDV
Tel: (0761) 203-3908
Email: lien...@ub.uni-freiburg.de

Olav Morken

unread,
Apr 24, 2009, 4:03:12 AM4/24/09
to simple...@googlegroups.com
On Fri, Apr 24, 2009 at 09:49:57 +0200, Jochen Lienhard wrote:
>
> Hi,
>
> I have a strange effect.
>
> IdP = simplesamlphp (Saml2)
> 2 SPs = Shibboleth 2.x
>
> When I have both in my metadata (saml2.idp.hosted) - request.sign = true
> AND request.signing = true -
> the logout works fine. If I remove request.singing = true from the
> config, the second SP has a problem,
> because the Logout request is not signed.
>
> Could it be, that you have forget changing something?

The request.signing option still works because of backwards-
compatibility, but you should receive warnings in your log files:
Found deprecated 'request.signing' metadata

The correct name for the new option is 'redirect.sign', not
'request.sign'. It was changed since the option controls signing of
messages sent using the HTTP-Redirect binding. That includes both
request- and response-messages, and the original name was therefore a
bit misleading.

--
Olav Morken

Jochen Lienhard

unread,
Apr 24, 2009, 4:37:24 AM4/24/09
to simple...@googlegroups.com
thanks,
next time I should clean my eyeglasses and my monitor before asking ;-)

Olav Morken schrieb:


--

Reply all
Reply to author
Forward
0 new messages