Changes

Single Logout in Shibboleth IdP

26 bytes added, 18 August 2009, 12:32
=== Security ===
The SAML Single Logout Profile requires logout requests and responses to be signed or otherwise integrity protected. Without this, anyone who knows a user's NameID could terminate that user's session (a denial of service).
Signing is quite common for front-channel messages but is normally unnecessary for back-channel ones, as the transport is usually secured by mutual authentication with the certificates in the metadata. However, for back-channel logout it is the IdP that initiates the HTTP connection to the SP, and it is the '''webserver''' that answers the request. Because of the different needs, the webserver almost always uses a different certificate (a well-known server certificate) than the SP (possibly a self-signed client certificate). '''Therefore the SP must sign back-channel messages to authenticate itself to the IdP.'''{{INFO_EN|Signing can be turned on by setting the '''<code>signing</code>''' attribute to '''<code>true</code>''' on the <code>ApplicationDefaults</code> or <code>ApplicationOverride</code> element in shibboleth2.xml. This is required for back-channel logout to work. Unfortunately, this enables signing of all (transport-protected) messages as well, which might affect performance.}}
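The following fragment is an added example and is not taken from the wiki page or from the Shibboleth project's own configuration. It shows the <code>ApplicationDefaults</code> element of a Shibboleth SP 2.x shibboleth2.xml before and after turning on signing as described above; the entityID, handler URL and session timers are constructed placeholders.

```xml
<!-- Added example, not part of the original wiki page: two versions of the
     ApplicationDefaults element from shibboleth2.xml (Shibboleth SP 2.x).
     The entityID, handlerURL and lifetime/timeout values are constructed. -->

<!-- Before: the signing attribute is absent, so it takes the default (false).
     The SOAP LogoutResponse the SP returns over the back channel is unsigned,
     and the IdP cannot authenticate it because the TLS answer comes from the
     webserver's certificate, not the SP's metadata certificate. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="false">
        <!-- SAML2 logout handler; "Local" also clears the local session -->
        <Logout>SAML2 Local</Logout>
    </Sessions>
</ApplicationDefaults>

<!-- After: signing="true" makes the SP sign its outgoing SAML messages,
     including back-channel logout messages, so the IdP can verify them
     against the signing certificate published in the SP's metadata. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id"
                     signing="true">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="false">
        <Logout>SAML2 Local</Logout>
    </Sessions>
</ApplicationDefaults>
```

As the info box notes, <code>signing="true"</code> signs every outgoing message, including front-channel ones that are already protected by other means. The Shibboleth SP 2.x documentation also lists the values <code>front</code> and <code>back</code> for this attribute to restrict signing to one channel; check the documentation for your SP version before relying on them, since the page itself only describes the <code>true</code> setting.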
=== Session lifetime ===
* SessionNotOnOrAfter
