I am busy looking at the new features of Picketlink 2.02 and one caught my eye: the implementation
of SAML 1.1. As I looked into the examples and the source I cannot see any code dedicated to signature
checking or configuration. Is this correct? And yes, do you plan to support signatures with SAML 1.1
in the near future? Without signatures the implementation is about useless for us, as it is
too easy to spoof a SAMLResponse this way and hack the system.
Alex Jacinto wrote:
As a temporary fix, can I write a Valve that detects a SAML 1.1 payload and includes a digital signature in the SAML response? Just want to make sure that this is possible before going forward with my application.
Thanks in advance.
Temporary, yeah. But it is not the right fix.
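To make the spoofing point concrete, here is an added example of what the missing check on the SP side looks like. It is not PicketLink code and does not use PicketLink's API; it uses only the JDK's built-in javax.xml.crypto.dsig (XML-DSig) implementation. The SAML 1.1 Response below is a constructed, minimal sample, the IdP and attacker key pairs are generated on the fly, and the function names (parse, serialize, sign, verify) are my own. The important part is verify: it rejects an unsigned Response outright, validates the signature against a key the SP already trusts (passed in as trustedIdpKey, never taken from the KeyInfo inside the message, which an attacker controls), and requires that the single enveloped Reference covers the whole Response rather than some other node.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class Saml11SignatureCheck {
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample for this example: a minimal, unsigned SAML 1.1 Response (not from PicketLink).
    private static final String UNSIGNED_RESPONSE =
        "<Response xmlns=\"urn:oasis:names:tc:SAML:1.0:protocol\" ResponseID=\"_r1\""
      + " MajorVersion=\"1\" MinorVersion=\"1\" IssueInstant=\"2011-01-01T00:00:00Z\">"
      + "<Status><StatusCode Value=\"samlp:Success\"/></Status>"
      + "<Assertion xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_a1\""
      + " Issuer=\"idp.example.org\" MajorVersion=\"1\" MinorVersion=\"1\" IssueInstant=\"2011-01-01T00:00:00Z\">"
      + "<AuthenticationStatement AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\""
      + " AuthenticationInstant=\"2011-01-01T00:00:00Z\">"
      + "<Subject><NameIdentifier>alice</NameIdentifier></Subject>"
      + "</AuthenticationStatement></Assertion></Response>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                   // required for ds: elements
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // IdP side: enveloped signature over the whole Response (Reference URI ""), appended to the Response.
    static Document sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        return doc;
    }

    // SP side: the check the thread says is missing. trustedIdpKey comes from SP configuration, not the message.
    static boolean verify(Document doc, PublicKey trustedIdpKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1) return false;                       // unsigned (or multiply signed): reject
        Element sigEl = (Element) sigs.item(0);
        if (sigEl.getParentNode() != doc.getDocumentElement()) return false; // signature must sit on the Response
        DOMValidateContext ctx = new DOMValidateContext(trustedIdpKey, sigEl); // ignores embedded KeyInfo
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;                          // digest or signature value mismatch
        if (sig.getSignedInfo().getReferences().size() != 1) return false;
        Reference r = (Reference) sig.getSignedInfo().getReferences().get(0);
        return "".equals(r.getURI());                                  // must cover the whole Response
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair(), attacker = kpg.generateKeyPair();
        System.out.println("unsigned accepted:  " + verify(parse(UNSIGNED_RESPONSE), idp.getPublic()));
        String signed = serialize(sign(parse(UNSIGNED_RESPONSE), idp));
        System.out.println("genuine accepted:   " + verify(parse(signed), idp.getPublic()));
        System.out.println("tampered accepted:  " + verify(parse(signed.replace(">alice<", ">admin<")), idp.getPublic()));
        String forged = serialize(sign(parse(UNSIGNED_RESPONSE), attacker));
        System.out.println("forged accepted:    " + verify(parse(forged), idp.getPublic()));
    }
}
```

Compile and run with a plain JDK (no extra jars). Of the four cases, only the genuine response signed by the IdP's key should be accepted: the unsigned one fails the "exactly one Signature" check, the one with alice changed to admin after signing fails the digest, and the one signed by the attacker's key fails because the SP validates against its configured IdP key rather than whatever key the message carries. Serializing and re-parsing between sign and verify matters in the test: a real SP only ever sees the wire form. This is also why the Valve idea in the thread is only a stopgap: it adds a signature on the way out, but until the SP actually rejects responses whose signature is absent or does not verify, nothing stops a forged SAMLResponse.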