shibboleth-dev - RE: signed assertions

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: signed assertions
  • Date: Tue, 21 Feb 2006 13:00:39 -0500
  • Organization: The Ohio State University

> I guess we get away without mutual authentication at the TLS level in
> browser applications because the user authenticates to the server inside
> the channel (by logging in, say). But in general the server cares less
> about who it is talking to than the user does in those cases.

It is always a one-way issue. On the web, the client authenticates the
server (well, sort of), and then relies on the confidentiality property to
display the lock. The server doesn't treat the channel as anything special
unless it turns around and authenticates the client. And rarely is there any
channel binding that ties that authentication to the confidential channel
either.

The pushback on this strict view is that "if it's even a little harder to
sniff the traffic, that's better than nothing" even if you don't know who
you're talking to. That's fine for some things, I guess, but I don't think
this is one of them.

> The trace line finishes with this:
>
> </Attribute></AttributeStatement><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>
> (no line break after ds:Signature in the original)

Each element of the signature includes a linefeed, it's just the way the
Java code creates the XML. My binary detection is probably tripping on it.

> If you managed to get this to work, I guess it is likely to be finger
> trouble on my part somewhere. I will go back to square one and try
> again, very carefully.

If you like, you could try the wiki and feed it your signature directly. I
could add the KeyDescriptor to something if you tell me which IdP to change.

-- Scott
