[OPENAM-5260] Provide option to only sign Response when using HTTP-POST binding
Created: 09/Dec/14 Updated: 20/Nov/16 Resolved: 23/Dec/14
|Affects Version/s:||10.0.0, 10.0.2, 11.0.0, 11.0.2, 12.0.0|
|Fix Version/s:||10.0.3, 11.0.3, 12.0.1, 13.0.0|
|Reporter:||Jonathan Thomas||Assignee:||Jonathan Thomas|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Support Ticket IDs:|
For the HTTP-POST binding, when sending a response to the SP, the current behaviour is:
1) Sign the Response based on the signResponse (SP > Assertion Content > Post Response Signed) flag.
This was based on original ``4.1.4.5 POST-Specific Processing Rules`` in SAML profiles spec saml-profiles-2.0-os.pdf states
Need to update behaviour in IDPSSOUtil.sendResponse() (POST-Binding) to
2) If signResponse = false the assertion must be signed (SP > Assertion Content > Artifact Response Signed)
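A receiver-side view of the rule described above, as an added example that is not OpenAM code and not part of the original ticket: it reports which elements of a POST-binding `samlp:Response` carry their own enveloped signature and accepts the message only if the Response is signed or every assertion is. The function names and sample message are constructed for illustration, and the check is structural only (signature placement and `Reference` target), not cryptographic verification.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def own_signature(elem):
    """True if elem has a direct-child ds:Signature whose single Reference targets elem's ID."""
    elem_id = elem.get("ID")
    for sig in elem.findall("ds:Signature", NS):  # direct children only
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if elem_id and len(refs) == 1 and refs[0].get("URI") == "#" + elem_id:
            return True
    return False

def signed_parts(response_xml):
    """Report which parts of a samlp:Response carry their own enveloped signature."""
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    return {"response": own_signature(root),
            "assertions": [own_signature(a) for a in root.findall("saml:Assertion", NS)]}

def post_binding_ok(response_xml):
    """Rule from the ticket: Response signed, or else every assertion signed."""
    parts = signed_parts(response_xml)
    return parts["response"] or (bool(parts["assertions"]) and all(parts["assertions"]))

def sample(sign_response, sign_assertion, assertion_ref="a1"):
    """Constructed message; digest and signature values are omitted on purpose."""
    sig = ('<ds:Signature xmlns:ds="{ds}"><ds:SignedInfo>'
           '<ds:Reference URI="#{id}"/></ds:SignedInfo></ds:Signature>')
    r_sig = sig.format(ds=NS["ds"], id="r1") if sign_response else ""
    a_sig = sig.format(ds=NS["ds"], id=assertion_ref) if sign_assertion else ""
    return ('<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="r1">{rs}'
            '<saml:Assertion ID="a1">{asig}</saml:Assertion></samlp:Response>'
            ).format(p=NS["samlp"], a=NS["saml"], rs=r_sig, asig=a_sig)

if __name__ == "__main__":
    for flags in [(True, False), (False, True), (False, False)]:
        print(flags, signed_parts(sample(*flags)), post_binding_ok(sample(*flags)))
```

A message that passes this check still needs full XML signature validation against the IdP's trusted certificate before any assertion content is used.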
|Comment by Jonathan Thomas [ 09/Dec/14 ]|
Introduced current behaviour.
|Comment by Jean-Luc Le Corre [X] (Inactive) [ 23/Dec/14 ]|
Fix received and applied. Works now as expected.
Jean-Luc Le Corre
|Comment by Jonathan Thomas [ 23/Dec/14 ]|
Fixed with r12007 trunk, r12008 12.0.x, r12009 11.0.x, r12010 10.0.x