On 2017-04-17 21:01, Scott Koranda wrote:
Doesn't it make sense to let metadata govern this? Just look up the IdP
in metadata and sign the authn request if the "wantAuthnRequestSigned" flag
is set (at least that's what I think it's called)?
In an ideal federation, yes. Unfortunately we find some IdPs cannot
or will not update their metadata appropriately.
Isn't that the federation operator's job - to fix issues?
We could always provide our own copy of the IdP's metadata, but that
brings with it its own maintenance issues.
The primary reason for deploying the proxy is to work around limitations
of federated IdPs. This is just another example.
Sure, but how is keeping a local copy of the metadata any different (or
any simpler) than overriding metadata with local settings?
Thanks,
Scott K