I am trying to bypass the behind-the-scenes key signature
validation for many of the schools that will be using our SP. I think I have
the problem traced to there being a key entry in the federation metadata, but
no key info. As a result the signature validation for the SOAP message fails.
How do I work around this? I don't want to have to go into Shibboleth
and modify the code.
Law Software Engineer
Wolters Kluwer Health Medical Research
Williams & Wilkins
9350 South 150 East, Suite 200
Sandy, UT 84070-2702
Law, Robert wrote on 2009-06-18:
> I am trying to bypass the behind the scenes key signature validation for
> many of the schools that will be using our SP.
You can't disable it selectively. Take out the existing policy rule for XML
Signatures and add in a NullSecurity rule, and any assertion will be
accepted if it claims to be from a known IdP. It's for debugging, but it
will do what you're asking.
But you cannot just do it for "many" of them. It's either secured or not. If
you turn off security, the whole point is that anybody can claim to be
> I think I have the problem
> traced to there being a key entry in the federation metadata, but no key
That is not a problem; that's handled by the PKIX TrustEngine. If you
disable PKIX validation, then it's quite definite that not including any key
in the metadata will fail, but you don't need to disable that TrustEngine.
Nothing we say or document would indicate to do this.
> As a result the signature validation for the soap message fails. How
> do I work around this? I don't want to have to go into shibboleth and
> modify the code.
The response to this, assuming you have both TrustEngines enabled, would be
to report the problem to the federation or to the IdPs involved.
I more or less said the same things yesterday. Since I'm apparently not able
to explain this adequately, hopefully Nate or someone more able will help
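As an added illustration (not from the thread, and not Shibboleth's shipped configuration), the following shibboleth2.xml fragments show the two states the reply contrasts: the default policy, where the XMLSigning rule verifies every inbound message and signing keys are resolved through the chained ExplicitKey/PKIX TrustEngine, and the debug-only NullSecurity policy that accepts anything claiming to come from a known IdP. Element and type names assume the SP 2.x syntax of the time (`Rule`; later releases spell it `PolicyRule`); the attribute values are illustrative.

```xml
<!-- shibboleth2.xml fragments: added illustration, SP 2.x "Rule" syntax assumed -->

<!-- 1. Secured (default) policy: signatures on inbound SAML/SOAP messages are
     verified. This is the configuration the reply assumes you keep. -->
<SecurityPolicies>
    <Policy id="default" validate="false">
        <Rule type="MessageFlow" checkReplay="true" expires="60"/>
        <Rule type="ClientCertAuth" errorFatal="true"/>
        <!-- The XML Signature rule the reply refers to. -->
        <Rule type="XMLSigning" errorFatal="true"/>
        <Rule type="SimpleSigning" errorFatal="true"/>
    </Policy>
</SecurityPolicies>

<!-- Signing keys are resolved by the chained TrustEngine (inside
     ApplicationDefaults). An IdP whose metadata <KeyDescriptor> carries a
     certificate is matched by ExplicitKey. An IdP whose <KeyDescriptor> has
     only a KeyName and no key material (the situation in the question) is
     handled by PKIX, which validates the presented certificate against the
     federation's trust anchors published in the metadata. Both stay enabled;
     the reply says nothing in the documentation tells you to disable PKIX. -->
<TrustEngine type="Chaining">
    <TrustEngine type="ExplicitKey"/>
    <TrustEngine type="PKIX"/>
</TrustEngine>

<!-- 2. Debug-only variant described in the reply: the XMLSigning rule is
     removed and NullSecurity is added, so no signature is checked at all.
     Any message naming a known IdP entityID is treated as authentic. It
     cannot be applied to "many" IdPs selectively; it is all or nothing. -->
<SecurityPolicies>
    <Policy id="default" validate="false">
        <Rule type="MessageFlow" checkReplay="true" expires="60"/>
        <Rule type="NullSecurity"/>
    </Policy>
</SecurityPolicies>
```

If the secured policy fails for a particular IdP whose metadata lacks key material, the practical check is whether PKIX is actually enabled and whether the federation metadata supplies trust anchors for it; if so, the failure is a problem to report to the federation or the IdP, as the reply says, not a reason to switch to the second fragment.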