Changes

Single Logout in Shibboleth IdP

614 bytes added, 27 August 2009, 16:50

=== Security ===
The SAML Single Logout Profile requires logout requests and responses to be signed or otherwise authenticated. Without this, anyone who knows a user's NameID could terminate that user's session (a denial-of-service attack against the session).
;You have two choices:
* instruct the SP to sign messages
* configure the IdP not to require authentication of logout messages (and accept the possibility of DoS attacks)

==== Signing messages is quite common ====
{|{{prettytable}}
|Signing can be turned on by setting the '''<code>signing</code>''' property to '''<code>front</code>''' (for front-channel only) or '''<code>true</code>''' in the <code>ApplicationDefaults</code> or <code>ApplicationOverride</code> element in shibboleth2.xml.
|}
{{NOTE_EN|Signing messages is normally unnecessary for the back-channel, as the transport is usually authenticated with the certificates in the metadata. However, for back-channel logout it is the IdP that initiates the HTTP connection to the SP, and it is the '''webserver''' that answers the request. Because of the different needs, the webserver almost always uses a different certificate (a well-known server certificate) than the SP (possibly a self-signed client certificate). '''Therefore the SP must sign back-channel messages as well to authenticate itself to the IdP.''' Unfortunately, signing can only be enabled for all (otherwise transport-protected) messages, and this may affect performance.}}

==== Not requiring peer authentication ====
{{INFO_EN|Message issuer authentication can be turned off by changing the security policy for processing Single Logout messages. You can do this by commenting out the following line in the '''<code>SAML2SLOSecurityPolicy</code>''' block of '''<code>relying-party.xml</code>''':
<source lang="xml">
<security:Rule xsi:type="security:MandatoryMessageAuthentication" />
</source>
}}
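The two options side by side, as an added illustration that is not part of the original wiki page: the SP-side <code>signing</code> attribute in shibboleth2.xml and the IdP-side policy block in relying-party.xml. The entityID, the <code>id</code> value of the policy and the rules other than <code>MandatoryMessageAuthentication</code> are assumptions modelled on the IdP 2.x default policies.

```xml
<!-- shibboleth2.xml (SP side). Illustrative fragment; the entityID is a placeholder.
     signing="front" would sign browser-relayed (front-channel) messages only, so the
     back-channel LogoutRequest/LogoutResponse exchange with the IdP would stay unsigned.
     signing="true" signs all messages, which is what back-channel logout needs. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     signing="true">
  <!-- Sessions, SSO/Logout handlers and the other child elements are unchanged -->
</ApplicationDefaults>

<!-- relying-party.xml (IdP side). The id value and the accompanying rules are
     assumptions; only the MandatoryMessageAuthentication rule is named on the page. -->
<security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy"
                         xsi:type="security:ShibbolethSecurityPolicy">
  <security:Rule xsi:type="security:Replay" />
  <security:Rule xsi:type="security:IssueInstant" />
  <security:Rule xsi:type="security:ProtocolWithXMLSignature"
                 trustEngineRef="shibboleth.SignatureTrustEngine" />
  <!-- Keeping this rule rejects logout messages whose issuer could not be
       authenticated (by signature or authenticated transport). Commenting it out
       is the "accept DoS" option: an unsigned LogoutRequest carrying a valid
       NameID would then end that user's session. -->
  <security:Rule xsi:type="security:MandatoryMessageAuthentication" />
</security:SecurityPolicy>
```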
=== Session lifetime ===
