There was an issue (#35) where the request was made about having the SignatureAlgorithm be determined by the contents of the response.
Currently, it appears that the SignatureAlgorithm must be configured to be the same on both the SP and IdP sides. If SP signs with sha1 and then IdP signs with sha256 then validation fails on Unbind calls.
I don't see anything in what I have looked up that says both sides need to use the same algorithm, but the current Saml2Configuration class only allows for setting a single property, so if the config is reused it essentially requires both sides to match.
Would you be open to having a second property that could be used for validating IdP signatures so they could be different (at least, if defined for the IdP then it uses that property, if not, then fall back to the current property)? Any other recommendations? Two configs seems odd if the SignatureAlgorithm is the only property set differently between them.
Otherwise, our customers have less flexibility and need to make sure they are the same when it doesn't appear to be a requirement of SAML.
Appreciate your input.
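An added example, not code from this issue or from the library under discussion, showing one way to do what the request asks for: keep the SP's own signing algorithm and the set of algorithms accepted on IdP signatures as two separate settings, and take the algorithm used for verification from the `<ds:SignatureMethod>` in the received message rather than from the SP's signing setting, but only after checking it against an accept-list so a sender cannot downgrade the SP to a weaker algorithm. The `SignaturePolicy` and `IdpSignatureVerifier` types are hypothetical names chosen for this example; the XML-DSig handling uses .NET's `System.Security.Cryptography.Xml` (a NuGet package on .NET Core / .NET 5+), and the signed `<Response>` and self-signed certificate are constructed inline to stand in for a real IdP.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical policy type (not part of any SAML library). The SP's own
// signing algorithm and the algorithms accepted on IdP signatures are
// separate settings, so the two sides no longer have to match.
public sealed class SignaturePolicy
{
    // Algorithm this SP uses when it signs its own requests.
    public string SpSigningAlgorithm { get; set; } = SignedXml.XmlDsigRSASHA256Url;

    // Algorithms accepted on IdP signatures. Empty means "fall back to
    // SpSigningAlgorithm", i.e. the single-property behaviour from the issue.
    public HashSet<string> AcceptedIdpAlgorithms { get; } = new HashSet<string>();

    public bool Accepts(string algorithmUri) =>
        AcceptedIdpAlgorithms.Count == 0
            ? algorithmUri == SpSigningAlgorithm
            : AcceptedIdpAlgorithms.Contains(algorithmUri);
}

public static class IdpSignatureVerifier
{
    // Verifies an enveloped XML-DSig using the algorithm declared in the
    // signature's own <ds:SignatureMethod>, after checking that algorithm
    // against policy. Reading it from the message is what lets a SHA-1 SP
    // validate a SHA-256 IdP; the accept-list is what stops a downgrade.
    public static bool Verify(XmlDocument doc, X509Certificate2 idpCert, SignaturePolicy policy)
    {
        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        if (!(doc.SelectSingleNode("//ds:Signature", nsm) is XmlElement sigElement))
            throw new CryptographicException("No ds:Signature element found.");

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sigElement);

        string algorithm = signedXml.SignedInfo.SignatureMethod;
        if (!policy.Accepts(algorithm))
            throw new CryptographicException("IdP signature algorithm not accepted: " + algorithm);

        // Verify against the configured IdP key, never against KeyInfo inside
        // the message, so a sender cannot supply the key that vouches for itself.
        using (RSA publicKey = idpCert.GetRSAPublicKey())
        {
            return signedXml.CheckSignature(publicKey);
        }
    }
}

public static class Demo
{
    // Constructed stand-in for an IdP: sign a minimal Response with the given
    // algorithm URI. A real response would carry a full Assertion.
    static XmlDocument SignedByIdp(RSA idpKey, string algorithmUri)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Response ID=\"_r1\" xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Status/></Response>");

        var signedXml = new SignedXml(doc) { SigningKey = idpKey };
        signedXml.SignedInfo.SignatureMethod = algorithmUri;
        var reference = new Reference { Uri = "" };          // whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    public static void Main()
    {
        using (RSA idpKey = RSA.Create(2048))
        {
            // Self-signed certificate for the demo; a deployment loads the IdP metadata cert.
            var req = new CertificateRequest("CN=demo-idp", idpKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 idpCert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1)))
            {
                XmlDocument response = SignedByIdp(idpKey, SignedXml.XmlDsigRSASHA256Url);

                // The situation from the issue: SP signs with SHA-1, IdP signs with SHA-256,
                // and only one setting exists, so verification is refused.
                var singleSetting = new SignaturePolicy { SpSigningAlgorithm = SignedXml.XmlDsigRSASHA1Url };
                try { IdpSignatureVerifier.Verify(response, idpCert, singleSetting); }
                catch (CryptographicException e) { Console.WriteLine("single setting: " + e.Message); }

                // Same SP signing algorithm, but a separate accept-list for the IdP: verifies.
                var split = new SignaturePolicy { SpSigningAlgorithm = SignedXml.XmlDsigRSASHA1Url };
                split.AcceptedIdpAlgorithms.Add(SignedXml.XmlDsigRSASHA256Url);
                Console.WriteLine("split policy: " + IdpSignatureVerifier.Verify(response, idpCert, split));
            }
        }
    }
}
```

The accept-list is the part worth keeping even if the two settings are later merged again: `SignedXml.CheckSignature` will happily use whatever algorithm the message declares, so without an explicit list a verifier that "determines the algorithm from the response" would also accept RSA-SHA1 (or anything else .NET can resolve) from any sender. In practice the list for IdP signatures should contain RSA-SHA256 and stronger, with RSA-SHA1 added only for a specific legacy IdP that cannot be upgraded.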