When going to the admin page for SAML Authentication, under the security checkboxes there is an option to require signed messages, but not an option to require signed assertions.

They sign the assertions and not the messages with the current IdP I am working with. It would be helpful to have an additional checkbox under security, something like 'Request assertions to be signed'. If you checked it, the SAML OneLogin settings would get 'wantAssertionsSigned' => TRUE. This would provide an additional security check.

It would also be good if you could set the 'strict' OneLogin/php-saml option from this admin page. This is always supposed to be switched on in production environments and it would be good if you could set this from a variable or through the GUI.
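The difference between a signed message and a signed assertion, as an added example that is not part of the original issue and is not code from the module or from OneLogin/php-saml: it checks where a `ds:Signature` element sits in a SAML response and compares that with the two policy flags named above. The function names and the sample XML are constructed for illustration, and the check covers signature placement only, not cryptographic validity.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signed_elements(response_xml):
    """Report which elements carry a ds:Signature as a direct child.

    Placement check only: a real SP must also verify each signature
    against the IdP certificate and use a hardened XML parser.
    """
    root = ET.fromstring(response_xml)  # constructed input only
    assertions = root.findall("saml:Assertion", NS)
    return {
        # Signature directly under <samlp:Response> covers the whole message.
        "message": root.find("ds:Signature", NS) is not None,
        # Every assertion must carry its own signature to count as signed.
        "assertions": bool(assertions) and all(
            a.find("ds:Signature", NS) is not None for a in assertions),
    }

def policy_violations(response_xml, security):
    """Compare signature placement with the two 'want...Signed' flags."""
    found = signed_elements(response_xml)
    problems = []
    if security.get("wantMessagesSigned") and not found["message"]:
        problems.append("Response (message) is not signed")
    if security.get("wantAssertionsSigned") and not found["assertions"]:
        problems.append("Assertion is not signed")
    return problems

def build_response(sign_message, sign_assertion):
    """Build a constructed, minimal SAML response skeleton for the demo."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        + (sig if sign_message else "")
        + "<saml:Assertion>" + (sig if sign_assertion else "")
        + "<saml:Subject/></saml:Assertion></samlp:Response>")

if __name__ == "__main__":
    idp_style = build_response(sign_message=False, sign_assertion=True)
    print(policy_violations(idp_style, {"wantMessagesSigned": True}))
    print(policy_violations(idp_style, {"wantAssertionsSigned": True}))
```

With an IdP that signs only assertions, requiring signed messages rejects every response, while leaving both flags off lets a response with no signature requirement pass this policy check; only the assertion flag matches that IdP's behaviour.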

Comments

apbenner created an issue. See original summary.

richardbporter

Have you tried the 8.x-2.0-alpha1 version? Both those options are available with that version.

I just noticed this is for 7.x. Apologies.

  • roderik committed 090363c on 7.x-1.x
    Issue #3004680 by roderik: take over configuration options from D8...
roderik

Status: Active » Fixed

Strict option was added in #3043713: Do not use insecure SHA-1 digest and use strict response checking.

I unified the settings screen (mostly) with the D8 version, and added a 'wantAssertionsSigned' configuration option which we didn't have yet.

  • roderik committed 8442fab on 8.x-3.x
    Issue #3004680 by roderik: add wantAssertionsSigned config option (and...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.