...
What if you cannot update?
There is a way to mitigate the critical part in the meantime. Since HTTP-POST-SimpleSign is not normally used, support for it can be removed in the SP.
...
Warning: The Shibboleth Consortium previously wrote that this could be mitigated by removing <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign" />. This was later changed: removing it does NOT help.
"
Contrary to the initial publication of this advisory, there is no
workaround within the SP configuration other than to remove the
"SimpleSigning" security policy rule from the security-policy.xml
file entirely.
That will also prevent support of legitimate signed requests or
responses via the HTTP-Redirect binding, which is generally used
only for logout messages within the SP itself. Removing support
for that binding in favor of HTTP-POST in any published metadata
is an option of course.
Then restart the SP.
SimpleSAMLphp
...