I'm looking at setting up an an IdP to handle SSO initiated by the SP. I was surprised at first to find that my SP's request was unsigned as I had not yet found that signing was optional in this case. My understanding now is that the reason it's optional is because all of the data contained by the message has (presumably) already been exchanged in an outside channel via the SP's metadata. But that would mean in order to remain secure, since we don't have proof the requester is who they claim to be, the metadata must be used for all other values needed from an unsigned request, right? So can you confirm that for unsigned requests, things like the AssertionConsumerServiceURL and NameIDPolicy are coming from the metadata (by way of the SAML config) and not from the request XML?
|