Resolution: Fixed
Assignee: Scott Cantor
Reporter: myhandisadolphin@mailinator.com
Created: November 19, 2013 at 11:14 AM
Updated: June 29, 2016 at 4:22 PM
Resolved: May 11, 2016 at 9:04 PM
We have an IdP provider that accepts AuthnRequests in two ways:
Unsigned via HTTP-Redirect
Signed via HTTP-POST
Any other combination is not accepted, e.g. an unsigned AuthnRequest via HTTP-POST will not be accepted.
We are currently in the process of migrating from the first to the second option, and during the transition period it would be nice to have both options available. It is currently already possible to create two separate SessionInitiators for the same IdP, one using HTTP-Redirect and the other one using HTTP-POST – with the implicit understanding that you need to explicitly visit the secondary SessionInitiator's URL to trigger it, which is fine.
However, the option of signing the AuthnRequests can only be set at the IdP level, either via the signing attribute on a RelyingParty/ApplicationDefaults XML element in the config, or via the WantAuthnRequestsSigned attribute in IdP metadata. It would be nice to be able to additionally have requests signed by setting a flag at the SessionInitiator level.
Attached is a quick and dirty patch that brings the equivalent of the WantAuthnRequestsSigned flag on IdP metadata down to the SessionInitiator level. I tested it and it works fine, but it's up to your consideration.
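As an added example (not the attached patch and not code from the page), the shibboleth2.xml fragment below shows the two-SessionInitiator setup the report describes for one IdP: the default unsigned HTTP-Redirect path and a second, explicitly visited path that sends a signed HTTP-POST request. The per-initiator override is assumed to be a boolean signing attribute on the inner SAML2 SessionInitiator (an assumption about the patch's interface, not a name taken from the page); the entityID, paths and template name are placeholders.

```xml
<!-- Added example: shibboleth2.xml excerpt for a transitional dual-binding setup. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn"
                     signing="false">
  <!-- IdP-level default: AuthnRequests are NOT signed. Keep the IdP's metadata
       free of WantAuthnRequestsSigned="true", since that attribute would force
       signing for every initiator and break the unsigned HTTP-Redirect path. -->
  <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">

    <!-- 1) Default initiator: unsigned AuthnRequest over HTTP-Redirect (accepted by the IdP). -->
    <SessionInitiator type="Chaining" Location="/Login" id="Login" isDefault="true"
                      entityID="https://idp.example.org/idp/shibboleth">
      <SessionInitiator type="SAML2" acsIndex="1"
                        outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    </SessionInitiator>

    <!-- 2) Secondary initiator, reached only by visiting /Shibboleth.sso/LoginSigned:
            signed AuthnRequest over HTTP-POST (the other combination the IdP accepts).
            signing="true" here is the assumed per-SessionInitiator override; the
            template is required for the POST binding's self-submitting form. -->
    <SessionInitiator type="Chaining" Location="/LoginSigned" id="LoginSigned"
                      entityID="https://idp.example.org/idp/shibboleth">
      <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"
                        outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                        signing="true"/>
    </SessionInitiator>

    <!-- Assertion consumer for both paths. -->
    <md:AssertionConsumerService Location="/SAML2/POST" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </Sessions>

  <!-- The SP needs a signing credential for the POST path; the Redirect path never uses it. -->
  <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>
```

To verify the cut-over, watch the IdP's response to each path: the Redirect path should succeed without a Signature element in the request, and the POST path should carry one; a rejected request on either path indicates the binding/signing combination does not match what the IdP accepts.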