Idea ID: 2826598

IDP - Extend logging - Auth. Problem on missing "KeyInfo" attribute

Status : New Idea
over 1 year ago

According to the NAM documentation, the IDP is able to handle multiple certificates for a single SAML2 service provider (specified in the SP's metadata).

In order to select the correct certificate during the authentication process, the SAML request needs to contain a "KeyInfo" attribute. Without the "KeyInfo" attribute being specified, the IDP responds with a "RequestDenied".

However, even with "Debug" logging enabled, the IDP log (catalina.out) does not specify any problem details if the "KeyInfo" attribute is missing.

The IDP logging should be extended to show a respective error message as soon as a request is denied due to a missing "KeyInfo" attribute.
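As an added, defender-side diagnostic (not part of this idea or of the NAM product), the following Python inspects a decoded SAML2 AuthnRequest for the ds:KeyInfo block the IDP needs to pick among several SP certificates, and produces the kind of reason line the current log omits. Element names are taken from the SAML2 protocol and XML-Signature schemas; the sample requests are constructed skeletons with placeholder signature and certificate values.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"


def diagnose_keyinfo(request_xml: str) -> dict:
    """Report whether a SAML2 AuthnRequest's enveloped signature carries
    ds:KeyInfo, and which X509Certificate entries it lists."""
    root = ET.fromstring(request_xml)
    if root.tag != SAMLP + "AuthnRequest":
        return {"signed": False, "keyinfo": False, "certs": [],
                "reason": "not a samlp:AuthnRequest: " + root.tag}
    # An enveloped XML signature is a direct child of the signed element.
    sig = root.find(DS + "Signature")
    if sig is None:
        return {"signed": False, "keyinfo": False, "certs": [],
                "reason": "request is not signed"}
    keyinfo = sig.find(DS + "KeyInfo")
    if keyinfo is None:
        return {"signed": True, "keyinfo": False, "certs": [],
                "reason": "signed request has no ds:KeyInfo; with several "
                          "certificates in the SP metadata the IDP cannot "
                          "select a verification key, so expect RequestDenied"}
    certs = [c.text.strip() for c in keyinfo.iter(DS + "X509Certificate") if c.text]
    return {"signed": True, "keyinfo": True, "certs": certs,
            "reason": "ds:KeyInfo present with %d X509Certificate entries" % len(certs)}


# Constructed minimal AuthnRequest skeletons (placeholder signature/certificate).
_HEAD = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_req1" Version="2.0" '
         'IssueInstant="2024-01-01T00:00:00Z">'
         '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>')
REQUEST_WITHOUT_KEYINFO = _HEAD + '</ds:Signature></samlp:AuthnRequest>'
REQUEST_WITH_KEYINFO = (_HEAD + '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                        'PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data>'
                        '</ds:KeyInfo></ds:Signature></samlp:AuthnRequest>')

if __name__ == "__main__":
    for name, req in (("without KeyInfo", REQUEST_WITHOUT_KEYINFO),
                      ("with KeyInfo", REQUEST_WITH_KEYINFO)):
        print(name, "->", diagnose_keyinfo(req)["reason"])
```

Run it against a base64-decoded (and, for HTTP-Redirect binding, inflated) request captured from the SP side to confirm whether a "RequestDenied" coincides with a missing KeyInfo.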
