Sign or not to Sign SAML AuthnRequest
Nat Gebremariam

A couple of months ago, I ran into a SAML IdP that neither requires an AuthnRequest signature nor verifies the signature if the request was signed. It was initially alarming - how would an IdP possibly know it's sending identity information to the right service provider unless the source of the SAML AuthnRequest is verified?

Hello, Man-In-The-Middle Attack!
