I am using SAML 2.0 for single sign-on (SSO). In all the examples I have seen on the internet, there is a tag in the response: digest. What is this digest? Is this necessary even when the connection is HTTPS?
Yes, when using SAML 2.0 and signed messages (HTTP POST requires digitally signed Responses), the DigestMethod and DigestValue are required and must be generated/validated per the XML Signature specification using Transform: Enveloped Signatures. If you don’t properly sign/validate the message, what’s to stop an attacker from intercepting the message and modifying its contents? SSL only protects the message in transit, not the contents of the message itself.
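To make the answer above concrete, here is an added example (not code from the original question or answer, and not any SAML library's implementation) that shows what the DigestValue actually is: the enveloped-signature transform removes the ds:Signature element, the remainder of the Response is canonicalized, and the canonical bytes are hashed. The example embeds such a digest in a constructed, fictitious Response and then checks it, showing that a one-field change to the Assertion is caught even though nothing about the transport is involved. It uses only the Python standard library, so the canonicalization is Canonical XML 2.0 (`xml.etree.ElementTree.canonicalize`, Python 3.8+) rather than the Exclusive C14N 1.0 that real SAML deployments use, and the SignatureValue is a placeholder: computing the RSA signature over SignedInfo, which is what ultimately binds the DigestValue to the IdP's key, is deliberately left out. The sample Response, its IDs and the issuer URL are constructed for this example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SIGNATURE_TAG = f"{{{DS}}}Signature"

# Keep the conventional prefixes when ElementTree re-serializes the tree.
for _prefix, _uri in (("ds", DS), ("saml", SAML), ("samlp", SAMLP)):
    ET.register_namespace(_prefix, _uri)

# Constructed, unsigned sample Response (fictitious IdP and user; not from any real deployment).
UNSIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def digest_of(xml_text: str) -> str:
    """DigestValue for the Response: enveloped-signature transform (drop ds:Signature),
    canonicalize what is left, SHA-256 the canonical bytes, base64-encode the hash.
    Assumption: Canonical XML 2.0 from the stdlib stands in for Exclusive C14N here."""
    canonical = ET.canonicalize(xml_text, exclude_tags=[SIGNATURE_TAG])
    raw = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def sign_response(unsigned_xml: str) -> str:
    """Insert a ds:Signature skeleton whose Reference carries the digest of the Response.
    The SignatureValue is a placeholder: this example does not perform RSA signing."""
    root = ET.fromstring(unsigned_xml)
    sig = ET.Element(SIGNATURE_TAG)
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}CanonicalizationMethod",
                  Algorithm="http://www.w3.org/2010/10/xml-c14n2")  # what the stdlib implements
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod",
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI="#" + root.get("ID"))
    transforms = ET.SubElement(ref, f"{{{DS}}}Transforms")
    ET.SubElement(transforms, f"{{{DS}}}Transform",
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    digest_value = ET.SubElement(ref, f"{{{DS}}}DigestValue")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = "PLACEHOLDER-NOT-A-REAL-SIGNATURE"
    # SAML orders the children Issuer, Signature, Status, Assertion; insert after Issuer.
    root.insert(1, sig)
    # The digest is computed with the Signature element (and thus the not-yet-filled
    # DigestValue) excluded, exactly as the enveloped-signature transform prescribes.
    digest_value.text = digest_of(ET.tostring(root, encoding="unicode"))
    return ET.tostring(root, encoding="unicode")


def verify_digest(signed_xml: str) -> bool:
    """Recompute the digest of the received Response and compare it with the claimed one.
    Also insists that the Reference points at this Response's own ID, so a digest for
    some other element cannot be presented as covering this one."""
    root = ET.fromstring(signed_xml)
    ref = root.find(f"./{SIGNATURE_TAG}/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None:
        return False  # no signature at all: the answer's point, reject
    if ref.get("URI") != "#" + (root.get("ID") or ""):
        return False
    claimed = ref.findtext(f"{{{DS}}}DigestValue", default="").strip()
    expected = digest_of(signed_xml)
    # Constant-time comparison on ASCII bytes.
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    signed = sign_response(UNSIGNED_RESPONSE)
    print("intact response verifies:", verify_digest(signed))
    tampered = signed.replace("alice@example.test", "mallory@example.test")
    print("tampered response verifies:", verify_digest(tampered))
```

The tampered copy differs from the intact one by a single NameID, which HTTPS would happily carry unchanged from whoever last held the message; only the recomputed digest disagreeing with the embedded DigestValue reveals the edit. In a real relying party the check does not stop here: the SignatureValue over SignedInfo (which contains the DigestValue) must verify against the IdP's registered certificate, otherwise an attacker who edits the Assertion could simply recompute and replace the DigestValue as well. Use a maintained XML Signature library for that rather than hand-rolled code.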