Changes

Single Logout in Shibboleth IdP

16 bytes added, 27 August 2009, 16:53
Signing messages
|Signing can be turned on by setting the '''<code>signing</code>''' property to '''<code>front</code>''' (for front-channel only) or '''<code>true</code>''' in the <code>ApplicationDefaults</code> or <code>ApplicationOverride</code> element in shibboleth2.xml.
|}
{{NOTE_EN|Signing messages is normally unnecessary on the back channel, because the transport is usually authenticated with the certificates in the metadata. For back-channel logout, however, it is the IdP that initiates the HTTP connection to the SP, and it is the '''webserver''' that answers the request. Because of their different needs, the webserver almost always uses a different certificate (a server certificate signed by a well-known server certificate CA) from the one the SP uses (possibly a self-signed client certificate). The SP must therefore sign back-channel messages as well in order to authenticate itself to the IdP. Unfortunately, signing cannot be enabled for the back channel alone: you can only sign all (otherwise transport-protected) messages, and this may affect performance. }}
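As an added check (not part of this wiki page or of the Shibboleth project), the script below parses a constructed shibboleth2.xml fragment and reports which applications would send back-channel logout messages unsigned, taking into account that an <code>ApplicationOverride</code> inherits the <code>signing</code> value of <code>ApplicationDefaults</code> unless it sets its own; the entity IDs and application ids in the sample are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample shibboleth2.xml fragment (not a real deployment):
# the defaults sign front-channel only, the "admin" override fixes it,
# and the "portal" override silently inherits the weak default.
SAMPLE_SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults id="default" entityID="https://sp.example.org/shibboleth"
                       signing="front" encryption="false">
    <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"
                         signing="true"/>
    <ApplicationOverride id="portal" entityID="https://portal.example.org/shibboleth"/>
  </ApplicationDefaults>
</SPConfig>"""

# Values accepted for the signing attribute and whether each one also
# covers back-channel messages; the SP default is "false".
SIGNS_BACK_CHANNEL = {"true": True, "back": True, "front": False, "false": False}


def _local(tag):
    """Strip the XML namespace so matching does not depend on the prefix."""
    return tag.rsplit("}", 1)[-1]


def check_back_channel_signing(xml_text):
    """Map each application id to True if its effective signing setting
    covers back-channel logout, False otherwise."""
    root = ET.fromstring(xml_text)
    results = {}
    for defaults in root.iter():
        if _local(defaults.tag) != "ApplicationDefaults":
            continue
        default_value = defaults.get("signing", "false").lower()
        results[defaults.get("id", "default")] = SIGNS_BACK_CHANNEL.get(default_value, False)
        for override in defaults:
            if _local(override.tag) != "ApplicationOverride":
                continue
            # An override without its own signing attribute inherits the default.
            value = override.get("signing", default_value).lower()
            results[override.get("id")] = SIGNS_BACK_CHANNEL.get(value, False)
    return results


def unsigned_back_channel(xml_text):
    """Sorted ids of applications whose back-channel logout would be unsigned."""
    return sorted(app for app, ok in check_back_channel_signing(xml_text).items() if not ok)


if __name__ == "__main__":
    for app, ok in check_back_channel_signing(SAMPLE_SHIBBOLETH2_XML).items():
        print(f"{app}: back-channel signing {'on' if ok else 'OFF'}")
```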
==== Not requiring peer authentication ====
{|{{prettytable}}
