
List:       shibboleth-users
Subject:    Re: Global Logout issues with 2-way SSL
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2014-12-18 18:12:56
Message-ID: C697FD2F-82B4-4AC4-9859-96CDB0B7F5D3 () osu ! edu

Please don't send the same message to two lists.


On 12/18/14, 6:05 PM, "federator" <wpadmin@identiainc.com> wrote:

>There is no way the SP is able to obtain the client's cert. The question
>is, is there any way to define the OpenSAML security policy rule to use the
>SP's cert instead of the user cert to process the global logout message?

Brent noted that this was a bug in V2 when I was building the same code in 
V3.

>Where is the configuration file that defines OpenSAML's
>ClientCertAuthRule, or how do you define the rule declaratively?

It's in the DONOTTOUCH sections at the end of the relying-party file in 
the security policy chains used by different profiles. The logout one is 
using a single policy for both front and back channel messages, and the 
client auth rule is there for the back-channel and would have to be turned 
off.

-- Scott
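For readers who want to see what "turning off the client auth rule" looks like in that policy chain, here is an added illustration; it is not text from this thread and not a file shipped by the Shibboleth project. The layout follows the IdP 2.x relying-party.xml security policy section, but the policy id (shibboleth.SAML2SLOSecurityPolicy), the rule type names and the trust engine references are assumptions to be checked against your own DO NOT TOUCH section before copying anything.

```xml
<!-- Added illustration, not from the thread or the Shibboleth project.
     Assumed: IdP 2.x relying-party.xml layout, the policy id below and the
     rule type names. Compare against your own DO NOT TOUCH section. -->
<security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy"
                         xsi:type="security:SecurityPolicyType">

    <!-- Replay and freshness checks apply to both channels. -->
    <security:Rule xsi:type="samlsec:Replay"/>
    <security:Rule xsi:type="samlsec:IssueInstant"/>

    <!-- Signature checking on the message itself. Once the client-cert rule
         is gone, this is the path by which the SP authenticates. -->
    <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature"
                   trustEngineRef="shibboleth.SignatureTrustEngine"/>

    <!-- The rule discussed in the thread. On a front-channel logout the TLS
         client certificate, if any, belongs to the browser user, not the SP,
         so this rule evaluates the wrong certificate. Because one policy
         serves both channels, disabling it also removes TLS client-cert
         authentication for back-channel SOAP logout; those messages then
         have to be signed to pass the signature rule above. -->
    <!--
    <security:Rule xsi:type="security:ClientCertAuth"
                   trustEngineRef="shibboleth.CredentialTrustEngine"/>
    -->

    <security:Rule xsi:type="samlsec:MandatoryIssuer"/>

    <!-- Keep this rule: a message that satisfied no authentication rule is
         rejected, so dropping ClientCertAuth does not admit unsigned
         logout messages. -->
    <security:Rule xsi:type="samlsec:MandatoryMessageAuthentication"/>
</security:SecurityPolicy>
```

The point to check after such a change is that every SP you accept logout messages from actually signs them, since signing becomes the only way a LogoutRequest or LogoutResponse can satisfy the mandatory-authentication rule on either channel.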
