EasySSO supports signing and verification of messages exchanged between the Service Provider (SP) and Identity Provider (IdP). A signature lets the receiving party detect messages that were forged or altered in transit, which helps prevent "man-in-the-middle" attacks that could otherwise be used to capture and replay login and logout requests.
Messages from IdP to EasySSO
EasySSO verifies the signatures of login requests using the IdP Token Signing Certificate, which is generated by the IdP and uploaded to EasySSO in the Certificates tab.
Verifying Message Signatures
EasySSO can also optionally verify the signature of other messages from the IdP using the same IdP Token Signing Certificate. Enable this by ticking the "Verify Logout Request Signature" and/or "Verify Logout Response Signature" checkboxes. Verifying messages sent from the Identity Provider is available when the Logout Binding Type is POST or Redirect.
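The check behind these options, shown for the Redirect binding as an added example (not EasySSO's own code): the SAML 2.0 HTTP-Redirect binding signs the string `SAMLRequest=...&RelayState=...&SigAlg=...` built from the URL-encoded query parameters, and the SP recomputes that string and verifies the `Signature` parameter with the public key from the IdP Token Signing Certificate. The IdP-side signing function, the sample message and the RelayState values are constructed for illustration, and a freshly generated RSA key stands in for the IdP's key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// SigAlg URI carried in the query string for RSA-SHA256 signatures.
const sigAlgRSASHA256 = "http://www.w3.org/2000/09/xmldsig#rsa-sha256"

// signedPayload builds the exact string the HTTP-Redirect binding signs: the encoded
// message parameter, then RelayState (if present), then SigAlg, in that fixed order.
// A real SP must reuse the encoded values exactly as received, not re-encode them.
func signedPayload(param, msg, relayState string) string {
	s := param + "=" + url.QueryEscape(msg)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(sigAlgRSASHA256)
}

// signRedirect is the IdP side (constructed here): it returns the base64 Signature parameter.
func signRedirect(key *rsa.PrivateKey, param, msg, relayState string) (string, error) {
	digest := sha256.Sum256([]byte(signedPayload(param, msg, relayState)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// verifyRedirect is the SP side: rebuild the payload from the received parameters and check
// Signature against the IdP certificate's public key. Any edit to msg, RelayState or SigAlg fails.
func verifyRedirect(pub *rsa.PublicKey, param, msg, relayState, sigAlg, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || sigAlg != sigAlgRSASHA256 { // reject bad encoding or an unexpected algorithm
		return false
	}
	digest := sha256.Sum256([]byte(signedPayload(param, msg, relayState)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP signing key
	msg := "constructed-base64-LogoutRequest"   // constructed stand-in for the deflated, base64 message
	sig, _ := signRedirect(key, "SAMLRequest", msg, "relay-1")
	fmt.Println(verifyRedirect(&key.PublicKey, "SAMLRequest", msg, "relay-1", sigAlgRSASHA256, sig)) // true
	fmt.Println(verifyRedirect(&key.PublicKey, "SAMLRequest", msg, "relay-2", sigAlgRSASHA256, sig)) // false: RelayState changed
}
```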
Messages from EasySSO to IdP
EasySSO does not sign requests to the IdP by default, but signing of login and logout messages can be configured when using the POST Binding Type. EasySSO can generate an SP Signing Certificate, which you provide to the Identity Provider so it can validate the signatures EasySSO produces.
Signing Login Requests
Signing login requests sent to the Identity Provider is available when the Login Binding Type is set to POST. To enable it, tick the "Sign SP Login request" checkbox.
Signing Logout Requests and Responses
Signing logout requests and responses sent to the Identity Provider is available when the Logout Binding Type is set to POST. To enable them, tick the "Sign SP Logout request" and/or "Sign SP Logout response" checkboxes.
SP Signing Certificate
To use signed requests with your Identity Provider, visit the Certificates tab of EasySSO and generate an SP Signing Certificate to provide to your Identity Provider during configuration. The upload process varies between Identity Providers. Here are some EasySSO SAML configuration guides for common identity providers:
- EasySSO SAML with ADFS
- EasySSO SAML with Azure AD
- EasySSO SAML with G Suite
- EasySSO SAML with PingOne
- EasySSO with SimpleSAMLphp
- EasySSO SAML with Keycloak
- EasySSO SAML with Okta